nginx content security policy header

Hello,

In this post I will share how we can protect our site if we use nginx for a web server.

Led by Scott Helme for CSP, I started to test the CSP header of root.bg. I used his securityheaders.com tool and finally achieved the desired result – A + 🙂

nginx content security policy header

 

nginx content security policy header

In the virtual host of our site we add the following lines after location /

add_header Content-Security-Policy "block-all-mixed-content; frame-ancestors 'self' root.bg cdn.root.bg s.root.bg go.root.bg git.root.bg fonts.gstatic.com;"; 
add_header Content-Security-Policy-Report-Only "default-src https: data: 'unsafe-inline' 'unsafe-eval'; report-uri https://rootbg.report-uri.com/r/d/csp/reportOnly";

report-uri.com

I made a report on the site report-uri.com and so I started collecting information from my webserver for XSS attacks, web server configuration errors, monitoring and everything else related to the new web standards.

I personally have a bit of luck with the addition of redundant header, but almost all of them are for protection 🙂

HTTP/2 200 
date: Wed, 17 Oct 2018 07:13:17 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
set-cookie: PHPSESSID=d2lar8sp9vq24752mip9lu31ls; path=/; secure; HttpOnly
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-powered-by: 🐧
link: https://root.bg/wp-json/; rel="https://api.w.org/"
link: https://go.root.bg/21; rel=shortlink
server: rws
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-cache: HIT
x-xss-protection: 1; mode=block; report=https://rootbg.report-uri.com/r/d/xss/enforce
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
p3p: Can I help you? Contact me via https://root.bg/contacts/, CP=CAO ADMa DEVa IND PHY ONL UNI COM LOC
feature-policy: sync-xhr 'self' https://root.bg
content-security-policy: block-all-mixed-content; frame-ancestors 'self' root.bg cdn.root.bg s.root.bg go.root.bg git.root.bg fonts.gstatic.com;
content-security-policy-report-only: default-src https: data: 'unsafe-inline' 'unsafe-eval'; report-uri https://rootbg.report-uri.com/r/d/csp/reportOnly
referrer-policy: no-referrer-when-downgrade
expect-ct: enforce; max-age=86400; report-uri=https://rootbg.report-uri.com/r/d/ct/enforce
x-app-server: gevi
x-slogan: Respect is earned, not given!

Thats it!