SatelliteWP / rocket-nginx

Rocket-Nginx is an Nginx configuration that makes WP-Rocket even faster by serving static pages directly without loading WordPress or PHP.
MIT License

Security header in rocket-nginx.ini #127

Closed (cheonmux closed this issue 4 years ago)

cheonmux commented 4 years ago

Hi,

I want to put add_header code like below in rocket-nginx.conf.

```nginx
add_header x-xss-protection "1; mode=block" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
```

I read #89 but I don't understand how to put the code in rocket-nginx.ini before rocket-parser.

I tried putting that code at the end of rocket-nginx.ini and putting it in default.conf directly, but a syntax error occurs and it does not work.

Please let me know how to put it in.

Thank you.

ghost commented 4 years ago

In rocket-nginx.ini, section HTTP(S) headers:

```ini
http_header[X-Frame-Options] = "SAMEORIGIN";
http_header[X-Content-Type-Options] = "nosniff";
http_header[X-XSS-Protection] = "1; mode=block";
http_header[Referrer-Policy] = "no-referrer-when-downgrade";
http_header[Expect-CT] = "enforce; max-age=3600";
```

maximejobin commented 4 years ago

This is the right way for now. I'm working on a new version where you will be able to include another file in your configuration.
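An added example, not part of the thread or of the rocket-nginx project: after regenerating the configuration, one way to confirm that the headers declared as `http_header[...]` entries actually reach the client is to compare them with a captured response head (for instance from `curl -sI`). The function names and both sample inputs are constructed for illustration, and the entry syntax is assumed to be the one shown in the answer above.

```python
import re

# Constructed sample: http_header entries in the syntax shown in the answer.
INI_TEXT = '''
; HTTP(S) headers
http_header[X-Frame-Options] = "SAMEORIGIN";
http_header[X-Content-Type-Options] = "nosniff";
http_header[X-XSS-Protection] = "1; mode=block";
'''

# Constructed sample response head; X-Content-Type-Options is deliberately absent.
RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)

ENTRY = re.compile(r'^\s*http_header\[([^\]]+)\]\s*=\s*"([^"]*)"')

def expected_headers(ini_text):
    """Return {lowercased name: value} for each http_header[...] = "..." line."""
    expected = {}
    for line in ini_text.splitlines():
        m = ENTRY.match(line)  # lines starting with ';' are comments and never match
        if m:
            expected[m.group(1).lower()] = m.group(2)
    return expected

def response_headers(head):
    """Parse a raw response head into {lowercased name: [values]}."""
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(ini_text, head):
    """List (name, problem) for expected headers that are missing, duplicated or different."""
    got = response_headers(head)
    problems = []
    for name, want in expected_headers(ini_text).items():
        values = got.get(name, [])
        if not values:
            problems.append((name, "missing"))
        elif len(values) > 1:
            problems.append((name, "duplicated"))
        elif values[0] != want:
            problems.append((name, "got %r" % values[0]))
    return problems
```

Header names are compared case-insensitively, so `x-xss-protection` and `X-XSS-Protection` count as the same header.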