Security Hardening - Nginx Response Headers

By Karthik Kumar D K on 20th Jun 2021, 2022-12-01T08:00:00+05:30

Nowadays, web-based attacks are among the most common types of cybercrime. In most cases the attacked protocol is HTTP, and the component that receives the attacks is the web server. Hardening the HTTP headers that Nginx sends is therefore a necessary step in reducing attacks against the web server.

So how do you harden Nginx response HTTP headers? HTTP headers are pieces of information exchanged whenever you interact with an HTTP server. They are among the most important parts of HTTP requests (made by HTTP clients such as your web browser) and HTTP responses (made by HTTP servers such as Nginx).

From these HTTP headers one can identify how the request was processed by the web server, the HTTP status, and other data. Broadly, the headers a server sends fall into two kinds: those that are vulnerable and those that are secure.

HTTP Header: Vulnerable vs Secured?

Note that the less information you expose on the Internet, the less data a penetration tester or a real malicious attacker will find.

Let's look at two examples: a vulnerable HTTP header versus a hardened HTTP header.

1. Vulnerable HTTP Header example
$ curl -I http://drupal.local
HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=UTF-8

You can see a vulnerable header here: the Nginx server version is exposed as 1.18.0.

2. Hardened HTTP header example

Let's look at the hardened headers below, where the server version is hidden and other headers such as content-security-policy and x-frame-options are set.

$ curl -I https://www.drupal.org
HTTP/2 200
server: nginx
content-type: text/html; charset=utf-8
x-drupal-cache: MISS
x-ua-compatible: IE=edge
fastly-restarts: 1
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-security-policy: frame-ancestors 'self'
permissions-policy: interest-cohort=()
strict-transport-security: max-age=15552000; includeSubDomains; preload
content-length: 100930

Tips to Secure & Harden HTTP Response Headers!

1. Hide PHP version

The PHP version can be hidden by altering the PHP configuration, i.e. by setting the expose_php variable in the php.ini file.

expose_php = Off

2. Hide Nginx server version

The server_tokens directive lets you hide the Nginx version in the response headers.

server_tokens off;

3. Enable Content Security Policy (CSP)

Content Security Policy defines which resources from your website can be loaded by a remote web browser, including JavaScript and CSS files.

Content-Security-Policy: default-src 'self' *.drupal.local
Content-Security-Policy: script-src 'self' https://www.google-analytics.com

add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src *.drupal.local";

4. Enable HTTP Strict Transport Security

You can reduce the chances of falling victim to a man-in-the-middle attack by enabling HTTP Strict Transport Security.

server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

5. Enable X-Content-Type-Options

You can ensure the browser renders the data as the declared content type, and not as anything else, by adding the X-Content-Type-Options header.

add_header X-Content-Type-Options "nosniff" always;

6. Enable X-Frame-Options

If iframes are used, clickjacking attacks become possible, and through them sensitive user data can be stolen. To reduce this risk, set the X-Frame-Options header.

add_header X-Frame-Options "SAMEORIGIN" always;

7. Enable Referrer Policy

Referrer Policy lets you control what information is included in the Referer header when navigating from pages on your site. This makes it impossible to track the full URL of these requests when navigating away from your site (with origin-when-cross-origin, cross-site requests carry only the origin, not the path).

add_header Referrer-Policy "origin-when-cross-origin" always;

8. Control Resources and Limits

To reduce the risk of DoS attacks on Nginx, you can set buffer size limits for all clients (the values below are illustrative; size them for what your application actually needs).

client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;

9. Configure SSL and Cipher Suites

The default configuration of Nginx may allow insecure, old versions of the TLS protocol, which can expose you to attacks such as BEAST. Configure Nginx to accept only TLSv1.2 or TLSv1.3.

Additionally, specify the cipher suites explicitly to make sure that no vulnerable suites are offered.

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
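As an added example (not part of the original article), the following Python script turns the checks from the vulnerable vs hardened comparison and from tips 1 to 6 into an offline audit: it parses a curl -I style header dump and reports a version string in the Server header, an X-Powered-By header, missing CSP, X-Content-Type-Options or X-Frame-Options headers, and a missing or weak HSTS header. The two header dumps are constructed from the curl outputs quoted above, and the 15552000 second HSTS threshold is an assumption taken from the drupal.org example.

```python
import re
# Constructed inputs, based on the two curl -I dumps quoted in the article.
VULNERABLE = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=UTF-8
"""
HARDENED = """HTTP/2 200
server: nginx
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-security-policy: frame-ancestors 'self'
strict-transport-security: max-age=15552000; includeSubDomains; preload
"""
REQUIRED = ("content-security-policy", "x-content-type-options", "x-frame-options")

def parse_headers(raw):
    """Lower-cased {name: value} dict from a curl -I style dump (status line skipped)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw, min_hsts_age=15552000):
    """Return findings as a list of strings; an empty list means every check passed."""
    h = parse_headers(raw)
    findings = []
    # Tips 1-2: a version number in Server, or any X-Powered-By, leaks software versions.
    if re.search(r"\d+\.\d+", h.get("server", "")):
        findings.append("server exposes version: " + h["server"])
    if "x-powered-by" in h:
        findings.append("x-powered-by present: " + h["x-powered-by"])
    # Tips 3, 5, 6: the policy headers must be present.
    findings += ["missing " + name for name in REQUIRED if name not in h]
    # Tip 4: HSTS must be present, cover subdomains and carry a long enough max-age.
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if not age:
        findings.append("missing or malformed strict-transport-security")
    else:
        if int(age.group(1)) < min_hsts_age:
            findings.append("hsts max-age too short: " + age.group(1))
        if "includesubdomains" not in hsts.lower():
            findings.append("hsts lacks includeSubDomains")
    return findings

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label + ":", audit(raw) or ["all checks passed"])
```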

So, by configuring such response headers on the web server, we can make sure the website is far less prone to these vulnerabilities and safer from attacks.
