nginx - Security headers within location block?


I have been testing the security headers (https://securityheaders.com) of my nginx setup and wanted to check people's opinions on nginx suffix location blocks.



Currently, I get 'A+' for http(s)://my.site; however, I get 'B' when testing a suffix location, i.e. https://my.site/location1.



The warnings are for missing:

  • Content-Security-Policy
  • Referrer-Policy
  • Feature-Policy

My server block, which receives 'A+', consists of:

    # server-level security headers; only four of them carry the always parameter
    add_header 'Referrer-Policy' 'no-referrer';
    add_header Strict-Transport-Security "max-age=15552000; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";
    add_header Content-Security-Policy "frame-ancestors my.site;";


An example location block that receives 'B' consists of:

    location /location1

  • Is that the entire location block?

    – womble
    May 2 at 7:31











  • Hi womble, yes it is. Just left out the final }

    – jonny21
    May 2 at 9:19

















1 Answer
The headers that are reported as being missing are lacking an always directive. I'm guessing that whatever is being tested against isn't returning one of the response codes that add_header wants in order to return the other headers.






answered May 2 at 10:31









– womble

  • This was it mate, legend. I added always; to each of those complaining headers. Thanks again, Jonny

    – jonny21
    May 2 at 22:36
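To make the answer's point concrete, here is a small model of nginx's documented add_header rules, added as an example (it is not code from the question or the answer): without `always` a header is only emitted for 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses, and a location inherits the server-level add_header set only when it defines none of its own. SERVER_BLOCK copies the directives from the question; the two location bodies are hypothetical, since the question does not show its block's contents.

```python
import re
from typing import Dict, List, NamedTuple

# Status codes for which add_header emits a header even WITHOUT `always`
# (documented behaviour of nginx's ngx_http_headers_module).
DEFAULT_STATUSES = {200, 201, 204, 206, 301, 302, 303, 304, 307, 308}

# One add_header directive: optionally quoted name, quoted or bare value, optional `always`, `;`.
ADD_HEADER_RE = re.compile(
    r"""add_header\s+(['"]?)([\w-]+)\1\s+(?:"([^"]*)"|'([^']*)'|([^\s;]+))\s*(always)?\s*;""")


class Header(NamedTuple):
    name: str
    value: str
    always: bool


def parse_add_headers(block: str) -> List[Header]:
    """Extract the add_header directives of a server or location block."""
    return [Header(m.group(2), m.group(3) or m.group(4) or m.group(5) or "", bool(m.group(6)))
            for m in ADD_HEADER_RE.finditer(block)]


def emitted_headers(server_block: str, location_block: str, status: int) -> Dict[str, str]:
    """Headers a response with `status` from `location_block` carries. A location
    inherits the server's add_header set only if it defines none of its own."""
    own = parse_add_headers(location_block)
    effective = own if own else parse_add_headers(server_block)
    return {h.name: h.value for h in effective if h.always or status in DEFAULT_STATUSES}


def missing_headers(server_block: str, location_block: str, status: int) -> set:
    """Server-level headers that the location's response would NOT carry."""
    configured = {h.name for h in parse_add_headers(server_block)}
    return configured - set(emitted_headers(server_block, location_block, status))


def add_always(block: str) -> str:
    """Apply the accepted fix: give every add_header the `always` parameter."""
    def fix(m):
        text = m.group(0)
        return text if m.group(6) else text[:-1].rstrip() + " always;"
    return ADD_HEADER_RE.sub(fix, block)


# Constructed copy of the directives quoted in the question (Feature-Policy abridged).
SERVER_BLOCK = """add_header 'Referrer-Policy' 'no-referrer';
add_header Strict-Transport-Security "max-age=15552000; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Feature-Policy "geolocation none;camera none;payment none;";
add_header Content-Security-Policy "frame-ancestors my.site;";
"""
# Hypothetical location bodies; the question does not show what its block contains.
LOCATION_INHERITS = "location /location1 {\n    proxy_pass http://127.0.0.1:8080;\n}"
LOCATION_OWN_HEADER = ('location /location1 {\n    add_header X-Robots-Tag "noindex" always;\n'
                       '    proxy_pass http://127.0.0.1:8080;\n}')
```

Running missing_headers(SERVER_BLOCK, LOCATION_INHERITS, 404) reproduces the scanner's finding exactly: the three headers without `always` are the ones that disappear on a non-2xx/3xx response, and add_always() on the server block makes that set empty.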

















