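###############################################################
#
# Sample Section : Implementation of SSL Certificates
#
# Two server blocks: a plain-HTTP listener that only redirects,
# and the HTTPS listener that serves the site and pulls in the
# security headers from Nginx_headers.conf.
#
###############################################################
server {
    listen 80;
    server_name <Domain name or ip>; # add DNS or server public IP
    # $server_name (not $host) is used on purpose: the redirect target is
    # the configured name, not whatever the client put in the Host header.
    return 301 https://$server_name$request_uri; # redirect to https
}
#server section for HTTPS
server {
    listen 443 ssl http2;
    server_name <Domain name or ip>;
    ssl_certificate <path_to_certificate>/<certificate file>; # E.g /home/test/certificates/test_cert.crt
    ssl_certificate_key <path_to_certificate>/<certificate key file>; # E.g /home/test/certificates/test_cert.key
    # TLSv1.0/1.1 stay disabled. TLSv1.3 requires nginx >= 1.13.0 built
    # against OpenSSL >= 1.1.1; remove the token on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # ECDH(E) AEAD suites are listed first so they win with
    # ssl_prefer_server_ciphers. DH+3DES was removed and 3DES is excluded
    # explicitly: it is a 64-bit block cipher and is deprecated.
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:HIGH:!aNULL:!ADH:!AECDH:!MD5:!3DES;
    #### add security headers below
    # NOTE: nginx inherits add_header directives from this level only into
    # location blocks that define NO add_header of their own. Any location
    # that adds even one header must re-declare the security headers,
    # otherwise they are silently dropped for that location.
    include /etc/nginx/Nginx_headers.conf;
}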
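############################################################
# Hide nginx version
############################################################
server_tokens off;
############################################################
# Enable Compression
# NOTE: compressing responses that reflect user-controlled input
# next to secrets (CSRF tokens, session identifiers) over TLS
# exposes those secrets to compression side channels (BREACH).
# Prefer gzip only for static content, or turn it off for such
# dynamic responses at the application/location level.
############################################################
gzip on;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
############################################################
# Use our own DH params for the DHE cipher suites
############################################################
# Command to generate dhparam.pem; the output path MUST match the
# ssl_dhparam directive below or nginx fails to start.
# openssl dhparam -out /app/conf/dhparam.pem 2048
ssl_dhparam /app/conf/dhparam.pem;
############################################################
# Enable Strict-Transport-Security
# Instructs browsers to reach this host over HTTPS only for one
# year, which defeats protocol-downgrade / SSL-stripping attacks.
# Only meaningful when sent over HTTPS (it is: this file is
# included from the 443 server block). Add "; includeSubDomains"
# once every subdomain is served over TLS.
############################################################
add_header Strict-Transport-Security "max-age=31536000" always;
############################################################
# Enable Optimize session cache
############################################################
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 4h;
############################################################
# Enable X-Frame-Options
# Protects against Clickjacking attacks. Superseded by the CSP
# frame-ancestors directive in current browsers; kept for older
# clients.
# "always" makes nginx send the header on error responses too
# (4xx/5xx, including the 403s from protect_injection.conf);
# without it add_header only applies to 2xx/3xx responses.
############################################################
add_header X-Frame-Options "SAMEORIGIN" always;
############################################################
# Enable X-Content-Type-Options
# Protects against MIME-type confusion attack.
############################################################
add_header X-Content-Type-Options nosniff always;
############################################################
# Enable X-XSS-Protection
# Legacy header for the old browser XSS auditors; current major
# browsers no longer implement it, so the Content-Security-Policy
# below is the effective XSS control. Kept for older clients.
############################################################
add_header X-XSS-Protection "1; mode=block" always;
############################################################
# Enable X-Permitted-Cross-Domain-Policies
# Controls whether Adobe Flash / Acrobat clients may honour
# cross-domain policy files (crossdomain.xml) served from this
# site; master-only permits only the root policy file.
############################################################
add_header X-Permitted-Cross-Domain-Policies master-only always;
############################################################
# Enable Content-Security-Policy
# CSP modern XSS directive-based defence, used since 2014.
# CAUTION: 'unsafe-inline' and 'unsafe-eval' in script-src allow
# inline and eval()'d script, which removes most of the XSS
# protection CSP can give. They are here so existing applications
# keep working; tighten per application (nonces or hashes instead
# of 'unsafe-inline', and add default-src, base-uri, form-action
# and frame-ancestors). Note there is no default-src, so resource
# types not listed here are unrestricted.
############################################################
add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval';frame-src 'self';object-src 'self';" always;
############################################################
# Enable Feature-Policy
# allows site owners to enable and disable certain web platform
# features on their own pages and those they embed.
# Feature-Policy has been renamed Permissions-Policy (with a
# different value syntax); add the newer header alongside this
# one for current browsers.
############################################################
add_header Feature-Policy "geolocation 'self';midi 'none';sync-xhr 'none';microphone 'none';camera 'none';magnetometer 'none';gyroscope 'none';speaker 'none';fullscreen 'self';payment 'none';" always;
############################################################
# Enable Referrer-Policy
# no-referrer suppresses the Referer header on every request,
# not only on HTTPS->HTTP downgrades. If the application relies
# on same-origin referrers, strict-origin-when-cross-origin is
# the usual alternative.
############################################################
add_header Referrer-Policy no-referrer always;
############################################################
# Path-based deny rules for common probes and unwanted characters.
# These match the request path only (see the comments in that
# file); they are not a substitute for input validation and
# parameterised queries in the application.
############################################################
include /etc/nginx/protect_injection.conf;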
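# Path-based deny rules, included into the HTTPS server block.
#
# Scope: a "location ~" / "location ~*" regex is matched against the
# normalised request path ($uri: percent-decoded, "../" resolved,
# repeated slashes merged). It does NOT see the query string, request
# headers or body, so this file only blocks obvious probes in the URL
# path; it is not a WAF and does not replace parameterised queries and
# output encoding in the application.
#
# Ordering: nginx uses the FIRST matching regex location in the order
# they appear, so include this file before the application's own regex
# locations (for example a "~ \.php$" handler); otherwise those win and
# these rules never fire.
#
# False positives: the character-class rule below denies any path
# containing ';', ':', '%', whitespace, '[', ']' or '|'. Check it against
# the application's URL scheme (";jsessionid=..." style paths, spaces in
# file names) before deploying.
location ~* "(eval\()" { deny all; }
location ~* "(127\.0\.0\.1)" { deny all; }
location ~* "([a-z0-9]{2000})" { deny all; }
location ~* "(javascript\:)(.*)(\;)" { deny all; }
location ~* "(base64_encode)(.*)(\()" { deny all; }
location ~* "(GLOBALS|REQUEST)(=|\[|%)" { deny all; }
location ~* "(<|%3C).*script.*(>|%3)" { deny all; }
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { deny all; }
location ~* "(boot\.ini|etc/passwd|self/environ)" { deny all; }
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { deny all; }
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { deny all; }
location ~* "(https?|ftp|php):/" { deny all; }
location ~* "(=\\\'|=\\%27|/\\\'/?)\." { deny all; }
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { deny all; }
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\||#|\/&)" { deny all; }
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { deny all; }
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { deny all; }
# Version-control metadata directories. The extension rule below is
# anchored with "$" and therefore only matches paths that END in
# .git/.hg/.svn; the directories themselves need their own rule.
location ~ "/\.(git|hg|svn)(/|$)" { deny all; }
location ~* "\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { deny all; }
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php" { deny all; }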