The “owasp header project” – a nginx guide to brilliance

The internet requrires more security – no doubt bout that – but what can we (as loyable server administrators do ?)

 

For example – we could have a look at the OWASP HEADER PROJECT  which gives us some good hints on what to do to become more secure.

The OHP introduces several Headers:

• HTTP Strict Transport Security (HSTS)
• Public Key Pinning Extension for HTTP (HPKP)
• X-Frame-Options
• X-XSS-Protection
• X-Content-Type-Options
• Content-Security-Policy
• X-Permitted-Cross-Domain-Policies

If you want to find out what they are doing in particular, i recommend you start reading here.

 

So what are they doing – how to get them working in nginx AND how to main tain them ?

i’ve created my “secure_headers” inc file for nginx , which can be included in your vhost configuration

 

file: /etc/nginx/secure_headers.conf

#include /etc/nginx/secure_headers.conf;

#HTTP Strict Transport Security (HSTS)
#https://scotthelme.co.uk/hardening-your-http-response-headers/#strict-transport-security

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;

#X-Frame-Options
# https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
# recommendation but not realistic: 
# add_header X-Frame-Options "DENY";
add_header X-Frame-Options "SAMEORIGIN" always;

#X-XSS-Protection3
#https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
add_header X-XSS-Protection "1;mode=block" always;

#X-Content-Type-Options
#https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
add_header X-Content-Type-Options "nosniff" always;

#Content-Security-Policy
#https://scotthelme.co.uk/hardening-your-http-response-headers/#content-security-policy
#recommendation but not realistic:
#add_header Content-Security-Policy "script-src 'self'";
add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;

#X-Permitted-Cross-Domain-Policies
add_header X-Permitted-Cross-Domain-Policies "none" always;

you can find the file in this github project

 

So you are able to include this file to your vhosts by adding this line to your vhost configuration:

include /etc/nginx/secure_headers.conf;

Verify the settings with the webmaster debug tools in your browser

 

 

You are missing the HPKP header ?

Since you need some extra knowledge to enable HPKP – we will drill this header down in another blog entry dedicated to hpkp.