How to Setting Security Headers Nginx to Make Score to A

How to Setting Security Headers Nginx to Make Score to A
How to Setting Security Headers Nginx to Make Score to A

How to Setting Security Headers Nginx to Make Score to A - Setting up security headers in Nginx to achieve an A score is crucial for ensuring robust protection against various web vulnerabilities. Many users might find configuring these headers daunting, but here, we'll provide a straightforward guide.

In this tutorial, we'll focus on Nginx, implementing the changes within the Nginx virtual host (vhost) configuration. To illustrate the importance of this setup, let's consider an example where an application lacks proper security header configurations, resulting in a dismal F score when analyzed using tools like "Analyse your HTTP response headers."


Many of you may not know how to configure Security Headers, here I will tell you how to do it simply and clearly. here I use nginx, so I will implement it in vhost nginx.

Here I will give an example of my application that has not configured its security headers and is scanned at "Analyse your HTTP response headers" It gets an F value and of course, it's very bad.

Score of my application before
Score of my application before


Login SSH to your Server and then enter to directory where the location of host nginx, I'm configure my vhost in the directory /etc/nginx/site-enables/

# cd /etc/nginx/site-enables/

Edit the host, in the vhost configuration I only call the header that I will create with the name kitsake-header.conf in the directory /etc/nginx/conf.d/header/

# vi kitsake.conf
server {
include conf.d/header/header-kitsake.conf;

And now it's time to create a file so that the security header changes its value to be better

# cd /etc/nginx/conf.d/
# mkdir -p header
# cd header/
# vi header-kitsake.conf
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header "Referrer-Policy" "strict-origin";
add_header X-Frame-Options SAMEORIGIN;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
add_header X-Permitted-Cross-Domain-Policies master-only;
add_header Feature-Policy "geolocation none;midi none;notifications none;push none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;";
add_header Public-Key-Pins 'pin-sha256="your public key existing"; pin-sha256="your public key backup / old"; includeSubdomains; max-age=31536000' always;
add_header Permissions-Policy "geolocation=(self, microphone=()";

make sure your configuration is true and not an error

# nginx -t
nginx: the configuration file /etc/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/conf/nginx.conf test is successful

And it's time to apply the results of the configuration that was made earlier

# systemctl restart nginx

Scan / Test the Application again at the Security Header again and see the result

the result of the configuration
the result of the configuration

detail information
detail information
Bangkit Ade Saputra
Bangkit Ade Saputra At the end of the day, my job involves people. we're complicated, we're always changing, we have millions of things going on in our lives, and changing jobs is always a big decision.

Post a Comment for "How to Setting Security Headers Nginx to Make Score to A"