nystudio107 / nginx-craft

An Nginx virtual host configuration for Craft CMS that implements a number of best-practices.
MIT License

Security headers should have `always` parameter added. #23

Closed steverowling closed 4 years ago

steverowling commented 4 years ago

Headers in the security.conf partial should have the always parameter added to ensure that they are added regardless of the response code, see here: https://nginx.org/en/docs/http/ngx_http_headers_module.html

This came up recently on a site that I had penetration tested. I originally had missed off the always parameter and the pen tester reported it as a potential vulnerability as the HSTS headers weren't sent with error responses. Adding the always parameter as shown below resolved the issue.

add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
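A small lint for the problem described above, added here as an example and not part of the issue or the nginx-craft repository: it scans a security.conf-style partial for `add_header` directives that lack the `always` parameter (which nginx 1.7.5+ needs in order to emit the header on 4xx/5xx responses) and produces a corrected copy. The sample partial is constructed for the example, and the parser assumes one directive per line.

```python
import re
import shlex

# Constructed sample of a security.conf partial. The first two directives lack
# `always`, so nginx would drop them from internally generated error responses.
SAMPLE_CONF = """\
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;  # already correct
"""


def parse_directive(line):
    """Split one nginx directive line into tokens, dropping comments and the
    trailing ';'. Returns None for blank or comment-only lines. Assumes the
    directive does not span multiple lines."""
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None
    # shlex glues the terminating ';' onto the last token (e.g. 'always;').
    if tokens[-1].endswith(';'):
        tokens[-1] = tokens[-1][:-1]
        if tokens[-1] == '':
            tokens.pop()
    return tokens


def find_add_headers_missing_always(conf_text):
    """Return [(line_no, header_name), ...] for add_header directives whose
    last parameter is not `always`."""
    missing = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        tokens = parse_directive(line)
        if not tokens or tokens[0] != 'add_header' or len(tokens) < 3:
            continue
        if tokens[-1] != 'always':
            missing.append((line_no, tokens[1]))
    return missing


def add_always(conf_text):
    """Return a copy of conf_text with `always` inserted before the closing ';'
    of every add_header directive that lacked it. Other lines are untouched."""
    flagged = {line_no for line_no, _ in find_add_headers_missing_always(conf_text)}
    fixed_lines = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        if line_no in flagged:
            # Insert before the last ';' that precedes an optional trailing comment.
            line = re.sub(r';(\s*(?:#.*)?)$', r' always;\1', line, count=1)
        fixed_lines.append(line)
    return '\n'.join(fixed_lines) + '\n'


if __name__ == '__main__':
    for line_no, name in find_add_headers_missing_always(SAMPLE_CONF):
        print(f'line {line_no}: add_header {name} is missing `always`')
    print(add_always(SAMPLE_CONF))
```

Run it against the real partial with `find_add_headers_missing_always(open('security.conf').read())`; an empty result means every header will also be sent on error pages, which is what the pen tester in the report above was checking for.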

khalwat commented 4 years ago

So interestingly...

The always parameter ensures that the header is set for all responses, including internally generated error responses. Older versions of NGINX (prior to version 1.7.5 or NGINX Plus R5) don’t support the always parameter and do not set the header on internally generated error responses.

https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/#Configuring-HSTS-in-NGINX-and-NGINX Plus

But given that 1.7.5 was released in September 2014, I'll assume it's safe to include.

khalwat commented 4 years ago

I was wondering if the other security headers should be always too -- looks so -> https://www.attosol.com/http-security-headers-with-nginx/

khalwat commented 4 years ago

Added in https://github.com/nystudio107/nginx-craft/commit/32595c541cc5fcb7d972fd528fddb2bdc25cc245