Skip to content Skip to sidebar Skip to footer

How to Setting Security Headers Nginx to Make Score From F to A


Many of you may not know how to configure Security Headers, here I will tell you how to do it simply and clearly. here I use nginx, so I will implement it in vhost nginx.

Here I will give an example of my application that has not configured its security headers, and is scanned at "Analyse your HTTP response headers" it gets an F value and of course it's very bad.

Score of my application before
Score of my application before


Login SSH to your Server and then entering to directory where the location of vhost nginx, here im configure my vhost in directory /etc/nginx/site-enables/

# cd /etc/nginx/site-enables/

Edit the vhost, in the vhost configuration I only call the header that I will create with the name kitsake-header.conf in the directory /etc/nginx/conf.d/header/

# vi kitsake.conf
server {
include conf.d/header/header-kitsake.conf;

And now it's time to create a file so that the security header changes its value to be better

# cd /etc/nginx/conf.d/
# mkdir -p header
# cd header/
# vi header-kitsake.conf
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header "Referrer-Policy" "strict-origin";
add_header X-Frame-Options SAMEORIGIN;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
add_header X-Permitted-Cross-Domain-Policies master-only;
add_header Feature-Policy "geolocation none;midi none;notifications none;push none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;";
add_header Public-Key-Pins 'pin-sha256="your public key existing"; pin-sha256="your public key backup / old"; includeSubdomains; max-age=31536000' always;
add_header Permissions-Policy "geolocation=(self, microphone=()";

make sure your configured is true and not error

# nginx -t
nginx: the configuration file /etc/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/conf/nginx.conf test is successful

And it's time to apply the results of the configuration that was made earlier

# systemctl restart nginx

Scan / Test Application again at Security Header again and see the result

the result of the configuration
the result of the configuration

detail information
detail information

Bangkit Ade Saputra
Bangkit Ade Saputra Hard-working professional with experience and a proven knowledge of operating system, server architecture and system configuration.

Post a Comment for "How to Setting Security Headers Nginx to Make Score From F to A"