krakenjs / lusca

Application security for express apps.

Lusca and nginx best practices #89

Open titoesteves opened 8 years ago

titoesteves commented 8 years ago

I currently have a node express app behind an nginx load balancer.

I am curious to know what is the best practice when it comes to setting security policies such as CSP and http security headers such as HSTS? Should they be configured within my express.js application with lusca? Or is it best practice to configure them in nginx?

Does the lusca team recommend setting security in nginx or express application?

shaunwarman commented 8 years ago

Hey @titoesteves!

TLDR; I would take advantage of lusca within your app directly for the security policies you mentioned and use nginx above that for SSL, filter, forwarding, etc purposes.

It is really common to set up these security policies in lusca middleware via your app explicitly. And with the use of meddleware (middleware via .json configuration) in kraken you can have something to set up your app config and middleware that looks like:

{
    ...
    "middleware": {
        ...
        "appsec": {
            "enabled": true,
            "priority": <some priority>,
            "module": {
                "name": "lusca",
                "arguments": [
                    {
                        "csp": {
                            "policy": {
                                "default-src": "...",
                                "script-src": "...",
                                "img-src": "...",
                                "object-src": "...",
                                "font-src": "..."
                            }
                        },
                        "csrf": true,
                        "hsts": {
                            "maxAge": 31536000,
                            "includeSubDomains": true,
                            "preload": true
                        },
                        "xframe": "SAMEORIGIN",
                        "xssProtection": true
                    }
                ]
            }
        }
        ...
    }
    ...
}

And then you may see some configuration in nginx to forward the necessary information from the host like:

proxy_set_header X-Real-IP          $remote_addr;
proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
proxy_set_header Host               $http_host;

Of course this just pertains to some of the security policies you mentioned and that lusca can handle. I would go with using lusca in the app for what it provides and then using nginx to filter routes or deal with SSL at that level.

titoesteves commented 8 years ago

Hey @shaunwarman

Thanks for the reply. So it is my understanding that there are no concerns in setting security policies such as csp, csrf, hsts within my application versus setting them in nginx. Is this correct?

Also, are there any configuration settings besides those you mentioned that I would have to configure in nginx in order for lusca to work correctly?

Thanks in advance.

shaunwarman commented 7 years ago

Hey @titoesteves

Sorry for the late reply. It just really depends on the trade-offs in performance and convenience. Nginx is a great reverse proxy able to act on incoming requests to take some of the stress off your node application. But if there is some convenience in altering security configuration directly in your node app then it's up to you.