nginx - improve security one step at a time...
I have been toying around with nginx for some time now and I have to say I enjoy the fact that it feels like a flyweight while working with it.
I consider security an integral part of any application, so I want to share a couple of tips with you on how to go about securing a default nginx installation. Also, I'd encourage you to spend some time reviewing OWASP's best practices and standards along with their Secure Headers Project.
You can find a default nginx.conf file at /etc/nginx/nginx.conf.
Now, let's go through some of these tips below:
- Enforce TLS v1.2
- Turn off the response header that displays the version of the nginx server along with the operating system. You can do this by uncommenting the `server_tokens off;` line that already exists in the nginx.conf file.
Here's a screenshot of the response I captured in Fiddler before and after the change:
[Before / After screenshots]
- Avoid clickjacking by adding the X-Frame-Options header+
- Enable the XSS filter+
- Disable Content-Type sniffing+
+ configured in the sites-enabled folder
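As an added example (my own configuration, not the post's), here is how the items above look in nginx's configuration syntax, split between nginx.conf and a site file; the host name, certificate paths and backend address are placeholders.

```nginx
# /etc/nginx/nginx.conf (http context) -- added example, not the post's own file
http {
    # Hide the nginx version (and the OS suffix on distro builds) from the
    # Server header and from nginx's own error pages.
    server_tokens off;

    # Only negotiate TLS 1.2 (add TLSv1.3 on builds that support it).
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    include /etc/nginx/sites-enabled/*;
}

# /etc/nginx/sites-enabled/example.conf -- hypothetical site
server {
    listen 443 ssl;
    server_name example.com;                           # placeholder host
    ssl_certificate     /etc/ssl/certs/example.crt;    # placeholder
    ssl_certificate_key /etc/ssl/private/example.key;  # placeholder
    root /var/www/example;

    # Clickjacking: only allow this site to be framed by its own origin.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy browser XSS filter; current browsers ignore it and rely on CSP,
    # but it is harmless to send and is what this post enables.
    add_header X-XSS-Protection "1; mode=block" always;
    # Stop browsers from guessing a different Content-Type than the one sent.
    add_header X-Content-Type-Options "nosniff" always;

    # Caveat: add_header directives are NOT inherited into a location that
    # declares any add_header of its own, so repeat them there (or move them
    # into a snippet file and include it in both places).
    location /api/ {
        add_header X-Frame-Options "DENY" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        proxy_pass http://127.0.0.1:8080;               # placeholder backend
    }
}
```

Validate with `nginx -t` before reloading, then confirm the result with `curl -I https://example.com/` and check that the Server header shows no version and that all three add_header values are present on both `/` and `/api/`.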