How to configure Security Headers in Nginx and Apache

Last updated: November 10th 2022

security nginx apache configuration Become an author
Web server header guides

Introduction

HTTP security headers are very important part of website security as it protect you against different types of attacks including, XSS, SQL injection, clickjacking, etc.

When you visit any website from your web browser, your browser requests it from the web server where the web site is hosted on. The web server then responds with HTTP Response Headers. These headers contains meta data, status error codes, cache rules and more. It also tell your browser how to behave when handling your website's content. When you use the web and interacts with websites, your browser stores its information. These headers will help you to outline communication and improve web security. There are six most important security headers that you should be aware of and we recommend implementing if possible.

Be careful, these headers are applying globaly in server if you want to change to specific files please add headers inside a location (nginx) or filesMatch (apache) block. So if you add headers inside any location, files will apply only headers inside location block and global headers will not works for these types of files.

1. HTTP Strict Transport Security (HSTS)

This header instructs a user agent to only use HTTPs connections and it also declared by Strict-Transport-Security. This will prevents web browsers from accessing web servers over non-HTTPS connections. Currently all major web browsers support HTTP strict transport security.

The Strict-Transport-Security header is ignored by the browser when your website is accessed over HTTP. This is because an attacker may intercept HTTP connections and inject the header or remove it.

You can implement HSTS in Apache by adding the following entry in /etc/apache2/sites-enabled/example.conf file:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Save the file then restart the Apache service to apply the changes.

You can also implement HSTS in Nginx by adding the following entry in /etc/nginx/sites-enabled/example.conf file:

add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

Save the file then restart Nginx to implement the changes.

Note: If you want to apply these headers to specific files, please add the add_header line in location block (Nginx) or Header set line in filesMatch block (Apache).

2. Content Security Policy (CSP)

The Content-Security-Policy header is an improved version of the X-XSS-Protection header and provides an additional layer of security. It is very powerful header aims to prevent XSS and data injection attacks. CSP instruct browser to load allowed content to load on the website. All major browsers currently offer full or partial support for content security policy.

You can implement CSP in Apache by adding the following entry in /etc/apache2/sites-enabled/example.conf file:

Header always set Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;"

Save the file then restart the Apache service to apply the changes.

You can also implement CSP in Nginx by adding the following entry in /etc/nginx/sites-enabled/example.conf file:

add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";

Save the file then restart Nginx to implement the changes.

Note: If you want to apply these headers to specific files, please add the add_header line in location block (Nginx) or Header set line in filesMatch block (Apache).

3. X-XSS-Protection

X-XSS also known as Cross Site Scripting header is used to defend against Cross-Site Scripting attacks. XSS Filter is enabled by default in modern web browser such as, Chrome, IE, and Safari. This header stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.

You can implement XSS protection using the three options depending on the specific need.

  1. X-XSS-Protection: 0 : This will disables the filter entirely.
  2. X-XSS-Protection: 1 : This will enables the filter but only sanitizes potentially malicious scripts.
  3. X-XSS-Protection: 1; mode=block : This will enables the filter and completely blocks the page.

To enable the X-XSS-Protection header in Apache, add the following line in your Apache web server default configuration file /etc/apache2/sites-enabled/example.conf:

Header set X-XSS-Protection "1; mode=block"

Next, restart the Apache service to apply the changes.

To enable the X-XSS-Protection header in Nginx, add the following line in your Nginx web server default configuration file /etc/nginx/nginx.conf:

add_header X-XSS-Protection "1; mode=block";

Next, restart the Nginx service to apply the changes.

Note: If you want to apply these headers to specific files, please add the add_header line in location block (Nginx) or Header set line in filesMatch block (Apache).

4. X-Frame-Options

The X-Frame-Options header is used to defend your website from clickjacking attack by disabling iframes on your site. Currently it is supported by all major web browser. With this header, you tell the browser not to embed your web page in frame/iframe.

There are three ways to configure X-Frame-Options:

  1. DENY : This will disables iframe features completely.
  2. SAMEORIGIN : iframe can be used only by someone on the same origin.
  3. ALLOW-FROM : This will allows pages to be put in iframes only from specific URLs.

To enable the X-Frame-Options header in Apache, add the following line in your Apache web server default configuration file /etc/apache2/sites-enabled/example.conf:

Header always set X-Frame-Options "SAMEORIGIN"

Next, restart the Apache service to apply the changes.

To enable the X-Frame-Options header in Nginx, add the following line in your Nginx web server default configuration file /etc/nginx/sites-enabled/example.conf:

add_header X-Frame-Options "SAMEORIGIN";

Next, restart the Nginx service to apply the changes.

Note: If you want to apply these headers to specific files, please add the add_header line in location block(Nginx) or Header set line in filesMatch block(Apache).

5. X-Content-Type-Options

The x-content-type header also called "Browser Sniffing Protection" to tell the browser to follow the MIME types indicated in the header. It is used to prevents web browser such as, Internet Explorer and Google Chrome from sniffing a response away from the declared Content-Type. nosniff header does not protect all sniffing-related vulnerabilities. Also there is no valid value for this header except nosniff.

To add the X-Frame-Options header in Apache, add the following line in your Apache web server default configuration file /etc/apache2/sites-enabled/webdock.conf:

Header always set X-Content-Type-Options "nosniff"

Next, restart the Apache service to apply the changes.

To add the X-Frame-Options header in Nginx, add the following line in your Nginx web server default configuration file /etc/nginx/sites-enabled/webdock

add_header X-Content-Type-Options nosniff;

Next, restart the Nginx service to apply the changes.

Note: If you want to apply these headers to specific files, please add the add_header line in location block (Nginx) or Header set line in filesMatch block (Apache).

6. Referrer-Policy

The Referrer-Policy is a security header field that identifies the address of the webpage that requested the current webpage. By checking the referrer, the new webpage can see where the request originated. The Referrer-Policy can be configured to cause the browser to not inform the destination site any URL information.

To add the Referrer-Policy header in Apache, add the following line in your Apache web server default configuration file /etc/apache2/sites-enabled/webdock.conf:

Header always set Referrer-Policy "strict-origin"

Next, restart the Apache service to apply the changes.

To add the Referrer-Policy header in Nginx, add the following line in your Nginx web server default configuration file /etc/nginx/sites-enabled/example:

add_header Referrer-Policy "strict-origin";

Next, restart the Nginx service to apply the changes.

Note: If you want to apply these headers to specific files, please add the add_header line in location block (Nginx) or Header set line in filesMatch block (Apache).

7. Permissions-Policy

The Permissions-Policy is a new header that allows site to control which APIs or features can be used in the browser.

To add the Permissions-Policy header in Apache, add the following line in your Apache web server default configuration file /etc/apache2/sites-enabled/webdock.conf:

Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"

Next, restart the Apache service to apply the changes.

To add the Referrer-Policy header in Nginx, add the following line in your Nginx web server default configuration file /etc/nginx/sites-enabled/example:

add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";

Next, restart the Nginx service to apply the changes.

Note: Change permissions based on your website needs ,the values shown here are just an example policy with no basis in a real-life use-case. If you want to apply these headers to specific files, please add the add_header line in location block (Nginx) or Header set line in filesMatch block (Apache).

For the full list of current and proposed Permissions-Policy values which can be used in this directive, please click here.

Conclusion

We hope this article has provided some guidelines and helpful tips on setting the most common Security related headers. If you have any questions or comments, let us know in the comment section below!

Related articles