nystudio107 / nginx-craft

An Nginx virtual host configuration for Craft CMS that implements a number of best-practices.
MIT License

FR: Some extra headers #1

Closed johanneslamers closed 7 years ago

johanneslamers commented 7 years ago

Don't send the nginx version number in error pages and the Server header:

server_tokens off;

Add a Content-Security-Policy HTTP response header. Helps reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via an HTTP header. Needs some tweaking, but something like this:

add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;

khalwat commented 7 years ago

Yeah so I actually left both of these out on purpose. Not sending the version number just seems "security through obscurity" to me.

The CSP is useful, but can be tricky to get right, and I didn't want to deal with the support :)

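As an added example that is not part of nginx-craft or of this thread: a small Python audit that checks captured response headers for the two points discussed above, a Server header that still carries the nginx version, and which source expressions in a policy like the one quoted are the ones that make it weak. The WEAK_SOURCES list and the SAMPLE headers are constructed for this example.

```python
# Added example (not from the nginx-craft repo): audit captured HTTP response headers
# for the two points raised in this issue: a Server header that leaks the nginx
# version (server_tokens on) and a Content-Security-Policy that is too permissive.
# Assumes header names use canonical capitalisation, as in the sample below.
import re

# Sources that widen a CSP enough to give little XSS protection (assumed list).
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "data:", "https:", "http:", "*"}


def parse_csp(policy):
    # Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}; names are case-insensitive.
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def weak_csp_sources(policy):
    # {directive: [weak sources]} for every directive that uses at least one.
    findings = {}
    for name, sources in parse_csp(policy).items():
        weak = [s for s in sources if s in WEAK_SOURCES]
        if weak:
            findings[name] = weak
    return findings


def server_leaks_version(headers):
    # True when Server carries a version, e.g. "nginx/1.10.2"; plain "nginx" is fine.
    return re.search(r"/\d+(\.\d+)+", headers.get("Server", "")) is not None


def audit(headers):
    # One line per finding; an empty list means both points are covered.
    findings = []
    if server_leaks_version(headers):
        findings.append("Server header leaks version; set 'server_tokens off;'")
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        findings.append("no Content-Security-Policy header")
    else:
        for directive, weak in weak_csp_sources(csp).items():
            findings.append(f"CSP {directive} allows {' '.join(weak)}")
    return findings


# Constructed sample: what a site running the policy quoted in the issue might send.
SAMPLE = {
    "Server": "nginx/1.10.2",
    "Content-Security-Policy": "default-src https: data: 'unsafe-inline' 'unsafe-eval'",
}
```

Running `audit(SAMPLE)` reports both the version leak and that every source in that default-src is one of the permissive ones, which is the "needs some tweaking" part in practice.
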
johanneslamers commented 7 years ago

haha fair enough. Maybe some commented out examples?

angrybrad commented 7 years ago

@khalwat Don't blame you... CSP is a PITA.

khalwat commented 7 years ago

Yeah I can toss them in and leave them commented out I guess. But I'm sending any support issues to @takobell

khalwat commented 7 years ago

Alright, done:

1.0.1 -- 2016.11.09

https://github.com/nystudio107/nginx-craft