Nginx security headers

Ploi Cloud provides an easy way to enhance your application's security by configuring HTTP security headers through Nginx. These headers help protect your applications from common web vulnerabilities and improve overall security posture.

Enabling security headers

To enable security headers for your application:

  1. Navigate to your application in the Ploi Cloud dashboard
  2. Go to the "Security" tab
  3. Toggle "Enable security headers" to the on position
  4. Configure your desired headers or use the default values
  5. Save your settings

When you enable security headers, Ploi Cloud automatically configures Nginx to include these headers in all HTTP responses from your application.

Default security headers

When you enable security headers without specifying custom values, Ploi Cloud automatically applies security headers based on the OWASP Secure Headers Project Configuration Proposal. These defaults provide comprehensive protection against common web vulnerabilities.

Important: These headers are applied globally to all routes of your application. If you need different headers for specific routes, you'll need to handle those within your application code.

  • Cache-Control: no-store, max-age=0
    Prevents caching of sensitive data in browsers and proxies.

  • Content-Security-Policy: default-src 'self'; form-action 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests
    Provides comprehensive protection against XSS attacks by controlling which resources can be loaded.

  • Cross-Origin-Embedder-Policy: require-corp
    Prevents documents from loading cross-origin resources that don't explicitly grant permission.

  • Cross-Origin-Opener-Policy: same-origin
    Isolates the browsing context to same-origin documents only.

  • Cross-Origin-Resource-Policy: same-origin
    Restricts resource sharing to same-origin requests only.

  • Permissions-Policy: (comprehensive list disabling all browser features by default)
    Disables access to all sensitive browser APIs unless explicitly needed.

  • Referrer-Policy: no-referrer
    Prevents sending referrer information to enhance privacy.

  • Strict-Transport-Security: max-age=31536000; includeSubDomains
    Enforces HTTPS for your domain and all subdomains for one year.

  • X-Content-Type-Options: nosniff
    Prevents browsers from MIME-sniffing content types, forcing them to use the declared Content-Type header.

  • X-Frame-Options: deny
    Completely prevents your site from being embedded in iframes, providing maximum clickjacking protection.

  • X-Permitted-Cross-Domain-Policies: none
    Prevents Adobe Flash and PDF documents from loading data from your domain.

Note: The Clear-Site-Data header is not included in the default configuration, even though it's part of the OWASP recommendations. This header clears browsing data (cookies, storage, cache) and would break almost all application functionality if applied to all routes. If you need this header, add it manually only to specific logout or data-clearing endpoints.
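The defaults above can be verified against a running deployment with the following check, an added example that is not part of Ploi Cloud's tooling. The expected values are the ones listed on this page; the URL passed to audit_url is assumed to be reachable over HTTPS, and Permissions-Policy is checked for presence only because the page gives no literal value for it.

```python
import re
from http.client import HTTPSConnection
from urllib.parse import urlparse

# Default values exactly as listed on this page (header names lower-cased).
EXPECTED = {
    "cache-control": "no-store, max-age=0",
    "content-security-policy": ("default-src 'self'; form-action 'self'; base-uri 'self'; "
                                "object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests"),
    "cross-origin-embedder-policy": "require-corp",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "same-origin",
    "referrer-policy": "no-referrer",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff",
    "x-frame-options": "deny",
    "x-permitted-cross-domain-policies": "none",
}

def tokens(value):
    """Case-insensitive, order-insensitive view of a header value ('a; b' matches 'b; a')."""
    return {t.strip().lower() for t in re.split(r"[;,]", value) if t.strip()}

def audit(headers):
    """Return [(header, problem)] for every deviation from the documented defaults."""
    got = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, expected in EXPECTED.items():
        if name not in got:
            findings.append((name, "missing"))
        elif tokens(got[name]) != tokens(expected):
            findings.append((name, f"got {got[name]!r}, expected {expected!r}"))
    # The page gives no literal Permissions-Policy value, so only its presence is checked.
    if "permissions-policy" not in got:
        findings.append(("permissions-policy", "missing"))
    # Clear-Site-Data on an ordinary route wipes cookies and storage on every response.
    if "clear-site-data" in got:
        findings.append(("clear-site-data", "set on a non-logout route"))
    return findings

def audit_url(url, timeout=10):
    """Fetch one URL over HTTPS (assumed reachable) and audit its response headers."""
    u = urlparse(url)
    conn = HTTPSConnection(u.hostname, u.port or 443, timeout=timeout)
    conn.request("GET", u.path or "/")
    return audit(dict(conn.getresponse().getheaders()))

# Constructed sample response: HSTS missing and X-Frame-Options weakened to SAMEORIGIN.
SAMPLE = {h.title(): v for h, v in EXPECTED.items() if h != "strict-transport-security"}
SAMPLE.update({"X-Frame-Options": "SAMEORIGIN", "Permissions-Policy": "camera=(), microphone=()"})
```

Run audit_url against the application root and, separately, against a logout endpoint if you added Clear-Site-Data there, since the header is only expected on the latter.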

Custom security headers

You can customize any of the default headers or add new ones:

  1. After enabling security headers, you'll see input fields for each header
  2. Modify the values of existing headers to match your requirements
  3. Use the "Add Header" button to include additional security headers
  4. Click "Save Security Settings" to apply your changes

SSL configuration

In addition to security headers, you can configure SSL protocols and ciphers. The default configuration follows the Mozilla SSL Configuration Generator recommendations for NGINX with an intermediate compatibility profile.

Default Configuration

  • SSL Protocols: TLSv1.2 TLSv1.3
  • SSL Ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305

When SSL ciphers are configured, the following NGINX directives are set:

  • ssl_ciphers: Sets the enabled ciphers at the server level
  • ssl_prefer_server_ciphers: Automatically set to "true", so the server's cipher order rather than the client's decides which suite is negotiated

Configuration Profiles

You can use the Mozilla SSL Configuration Generator to generate custom configurations based on your compatibility requirements:

Modern Profile (Recommended for new applications):

  • Supports only TLS 1.3
  • Most secure but requires modern clients
  • Visit Mozilla's generator and select "Modern" for the full configuration

Intermediate Profile (Default - Balanced security and compatibility):

  • Supports TLS 1.2 and TLS 1.3
  • Good balance between security and client compatibility
  • This is what Ploi Cloud uses by default

Old Profile (For legacy client support):

  • Supports older TLS versions
  • Use only when absolutely necessary for legacy clients
  • Visit Mozilla's generator and select "Old" for specific configurations

These settings allow you to enforce stronger encryption standards for connections to your application while maintaining compatibility with your client requirements. Always test your configuration with your target clients before deploying to production.
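To confirm that the SSL settings above are actually in effect, here is an added check that is not Ploi Cloud's code: it expands the default cipher string with the local OpenSSL, flags anything that is not a TLS 1.2/1.3 AEAD suite, and can probe a live host (assumed reachable) for the protocol versions it accepts.

```python
import socket
import ssl

# The ssl_ciphers value of Ploi Cloud's default (Mozilla intermediate) configuration.
PLOI_DEFAULT_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
)

def resolve_ciphers(cipher_string):
    """Expand an nginx ssl_ciphers string with the local OpenSSL and return [(name, protocol)].
    OpenSSL always appends the TLS 1.3 suites; ssl.SSLError means nothing in the string is usable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]

def weak_entries(cipher_string):
    """Suites that do not belong in the intermediate profile: anything below TLS 1.2
    or without an AEAD mode (CBC, RC4, 3DES and similar)."""
    return [name for name, proto in resolve_ciphers(cipher_string)
            if proto not in ("TLSv1.2", "TLSv1.3") or not ("GCM" in name or "POLY1305" in name)]

def probe_versions(host, port=443, timeout=5):
    """Live check (assumes network access): try a handshake pinned to each TLS version.
    A failed handshake counts as rejected, including versions the local OpenSSL itself
    refuses to offer, so False for TLS 1.0/1.1 means 'not negotiable from this client'."""
    results = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        label = ver.name.replace("_", ".")  # TLSv1_2 -> TLSv1.2, as tls.version() reports it
        ctx = ssl.create_default_context()
        try:
            ctx.minimum_version = ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[label] = tls.version() == label
        except (ssl.SSLError, OSError, ValueError):
            results[label] = False
    return results
```

For the intermediate profile, probe_versions should report only TLSv1.2 and TLSv1.3 as True; a True for TLSv1 or TLSv1.1 means the configured protocols are not being applied.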

Resetting to defaults

If you've customized your security headers and want to revert to the defaults based on the OWASP Secure Headers Project Configuration Proposal:

  1. Click the "Reset to OWASP defaults" button in the Security Headers Configuration section
  2. The default values will be pre-filled in the input fields
  3. Save your settings to apply the defaults

This is useful if you've made changes that are causing issues or want to start fresh with the OWASP-recommended security configuration.