nginx - Security headers within location block?
I have been testing the security headers (https://securityheaders.com) of my nginx setup and wanted to check people's opinion on nginx suffix location blocks.

Currently, I get 'A+' for http(s)://my.site; however, 'B' when testing a suffix location, i.e. https://my.site/location1

The warnings are for missing:
- Content-Security-Policy
- Referrer-Policy
- Feature-Policy

My server block which receives 'A+' consists of:

add_header 'Referrer-Policy' 'no-referrer';
add_header Strict-Transport-Security "max-age=15552000; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;;speaker self;vibrate none;fullscreen self;payment none;";
add_header Content-Security-Policy "frame-ancestors my.site;";

An example location block that receives 'B' consists of:

location /location1
Is that the entire location block?
– womble♦ May 2 at 7:31

Hi womble, yes it is. Just left out the final }
– jonny21 May 2 at 9:19
1 Answer
The headers that are reported as being missing are lacking an always directive. I'm guessing that whatever is being tested against isn't returning one of the response codes that add_header wants in order to return the other headers.
answered May 2 at 10:31 – womble♦
This was it mate, legend. I added always; to each of those complaining headers. Thanks again, Jonny
– jonny21 May 2 at 22:36
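To make the answer's point checkable, here is an added Python linter (not from the question, the answer, or nginx itself) that parses a config fragment and reports two add_header pitfalls: directives without always, which nginx applies only to responses with status 200, 201, 204, 206, 301, 302, 303, 304, 307 or 308, and, going one step beyond the answer, location blocks that declare their own add_header and therefore stop inheriting every server-level header. The sample config reuses the server-level headers from the question; the contents of the location block (its single add_header and the proxy_pass upstream) are an assumption, since the question does not show them. headers_sent() shows which of the configured headers a 404 from that server would actually carry.

```python
import shlex

# Status codes for which nginx applies add_header when "always" is absent (nginx docs).
UNCONDITIONAL_CODES = {200, 201, 204, 206, 301, 302, 303, 304, 307, 308}


def tokenize(text):
    """Yield ('stmt'|'open'|'close', body) from nginx config text.

    Quote-aware, so ';' and '{' inside header values (e.g. Feature-Policy) are not
    treated as delimiters; '#' comments run to end of line.
    """
    buf, quote, i = [], None, 0
    while i < len(text):
        c = text[i]
        if quote:                       # inside a quoted value: copy verbatim
            buf.append(c)
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c
            buf.append(c)
        elif c == "#":                  # drop the comment up to the newline
            while i < len(text) and text[i] != "\n":
                i += 1
        elif c in ";{}":
            body, buf = "".join(buf).strip(), []
            yield {";": "stmt", "{": "open", "}": "close"}[c], body
        else:
            buf.append(c)
        i += 1


class Block:
    """One configuration level: its add_header directives and nested blocks."""
    def __init__(self, head):
        self.head, self.headers, self.children = head, {}, []


def parse_add_header(stmt):
    """Return (header_name, has_always) for an add_header statement, else None."""
    parts = shlex.split(stmt)           # shlex understands both "..." and '...'
    if len(parts) < 3 or parts[0] != "add_header":
        return None
    return parts[1], len(parts) > 3 and parts[3] == "always"


def parse(text):
    """Build the block tree; only add_header directives are recorded per level."""
    root, stack = Block("main"), []
    stack.append(root)
    for kind, body in tokenize(text):
        if kind == "open":
            block = Block(body)
            stack[-1].children.append(block)
            stack.append(block)
        elif kind == "close":
            stack.pop()
        else:
            parsed = parse_add_header(body)
            if parsed:
                stack[-1].headers[parsed[0]] = parsed[1]
    return root


def lint(text):
    """Return (block, header, problem) triples for the two add_header pitfalls."""
    findings = []
    codes = ", ".join(map(str, sorted(UNCONDITIONAL_CODES)))

    def walk(block, inherited):
        # nginx inherits add_header from the parent level only if this level sets none.
        effective = block.headers or inherited
        for name, has_always in block.headers.items():
            if not has_always:
                findings.append((block.head, name, "no 'always': sent only on " + codes))
        if block.headers and block.head.startswith("location"):
            for name in sorted(set(inherited) - set(block.headers)):
                findings.append((block.head, name,
                                 "not inherited: this location declares its own add_header"))
        for child in block.children:
            walk(child, effective)

    walk(parse(text), {})
    return findings


def headers_sent(headers, status):
    """Names of the configured headers nginx would emit on a response with this status."""
    return sorted(n for n, always in headers.items() if always or status in UNCONDITIONAL_CODES)


# Constructed sample: the question's server-level headers plus an ASSUMED location block
# (the question does not show its contents; the inner add_header and upstream are hypothetical).
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    server_name my.site;
    add_header 'Referrer-Policy' 'no-referrer';
    add_header Strict-Transport-Security "max-age=15552000; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Feature-Policy "geolocation none;camera none;microphone none;";
    add_header Content-Security-Policy "frame-ancestors my.site;";

    location /location1 {
        add_header X-Frame-Options "SAMEORIGIN" always;  # hypothetical
        proxy_pass http://127.0.0.1:8080;               # hypothetical upstream
    }
}
"""

if __name__ == "__main__":
    for block, name, problem in lint(SAMPLE_CONFIG):
        print(f"{block}: {name}: {problem}")
    server = parse(SAMPLE_CONFIG).children[0]
    print("sent on 404:", headers_sent(server.headers, 404))
```

Run against the sample, the linter flags Referrer-Policy, Feature-Policy and Content-Security-Policy at server level for the missing always (the three headers securityheaders.com reported), and lists the six server-level headers the location block loses by declaring its own add_header. Adding always to a directive keeps it on error responses; copying the server-level set into the location block (or removing the location's own add_header) restores inheritance.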