nginx - Security headers within location block?nginx HTTPS serving with same config as HTTPIn Nginx, how can I rewrite all http requests to https while maintaining sub-domain?nginx - selective rewrite within a location blocknginx: Specify custom headers in rewritten location blocksNginx/Apache: set HSTS only if X-Forwarded-Proto is httpsNginx location block ruleInherit proxy_set_header when using it in location blockNGINX redirect HTTPS partially worksNGINX location block matchingConfigure NGINX : How to handle 500 Error on upstream itself, While Nginx handle other 5xx errors

What does i386 mean on macOS Mojave?

Ex-manager wants to stay in touch, I don't want to

Does Lawful Interception of 4G / the proposed 5G provide a back door for hackers as well?

Word for being out at night during curfew

What does a comma mean inside an 'if' statement?

On studying Computer Science vs. Software Engineering to become a proficient coder

Plastic-on-plastic lubricant that wont leave a residue?

Drawing lines to nearest point

How to cope with regret and shame about not fully utilizing opportunities during PhD?

Find the cipher used

List software from restricted, multiverse separately

tikz: not so precise graphic

How to Access data returned from Apex class in JS controller using Lightning web component

51% attack - apparently very easy? refering to CZ's "rollback btc chain" - How to make sure such corruptible scenario can never happen so easily?

Why was castling bad for white in this game, and engine strongly prefered trading queens?

Why do Thanos's punches not kill Captain America or at least cause some mortal injuries?

Can I use my laptop, which says 100-240V, in the USA?

Why was Endgame Thanos so different than Infinity War Thanos?

What's special about a Bunsen burner?

How does noise-cancellation work in Mac laptops?

SSD - Disk is OK, one bad sector

How does Howard Stark know this?

Run script for 10 times until meets the condition, but break the loop if it meets the condition during iteration

How to slow yourself down (for playing nice with others)



nginx - Security headers within location block?


nginx HTTPS serving with same config as HTTPIn Nginx, how can I rewrite all http requests to https while maintaining sub-domain?nginx - selective rewrite within a location blocknginx: Specify custom headers in rewritten location blocksNginx/Apache: set HSTS only if X-Forwarded-Proto is httpsNginx location block ruleInherit proxy_set_header when using it in location blockNGINX redirect HTTPS partially worksNGINX location block matchingConfigure NGINX : How to handle 500 Error on upstream itself, While Nginx handle other 5xx errors






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








1















I have been testing the security headers (https://securityheaders.com) of my nginx setup and wanted to check peoples opinion with nginx suffix location blocks.



Currently, I get 'A+' for http(s)://my.site however, 'B' when testing a suffix location ie https://my.site/location1



The warnings are for missing:-



  • Content-Security-Policy

  • Referrer-Policy

  • Feature-Policy

My server block which receives 'A+' consists of:-



 add_header 'Referrer-Policy' 'no-referrer';
 add_header Strict-Transport-Security "max-age=15552000; preload" always;
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-XSS-Protection "1; mode=block" always;
 add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;;speaker self;vibrate none;fullscreen self;payment none;";
 add_header Content-Security-Policy "frame-ancestors my.site;";


an example location block that receives 'B' consists of:-



location /location1 improve this question






















  • Is that the entire location block?

    – womble
    May 2 at 7:31











  • Hi womble, yes it is. Just left out the final

    – jonny21
    May 2 at 9:19

















1















I have been testing the security headers (https://securityheaders.com) of my nginx setup and wanted to check peoples opinion with nginx suffix location blocks.



Currently, I get 'A+' for http(s)://my.site however, 'B' when testing a suffix location ie https://my.site/location1



The warnings are for missing:-



  • Content-Security-Policy

  • Referrer-Policy

  • Feature-Policy

My server block which receives 'A+' consists of:-



 add_header 'Referrer-Policy' 'no-referrer';
 add_header Strict-Transport-Security "max-age=15552000; preload" always;
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-XSS-Protection "1; mode=block" always;
 add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;;speaker self;vibrate none;fullscreen self;payment none;";
 add_header Content-Security-Policy "frame-ancestors my.site;";


an example location block that receives 'B' consists of:-



location /location1 improve this question






















  • Is that the entire location block?

    – womble
    May 2 at 7:31











  • Hi womble, yes it is. Just left out the final

    – jonny21
    May 2 at 9:19













1












1








1








I have been testing the security headers (https://securityheaders.com) of my nginx setup and wanted to check peoples opinion with nginx suffix location blocks.



Currently, I get 'A+' for http(s)://my.site however, 'B' when testing a suffix location ie https://my.site/location1



The warnings are for missing:-



  • Content-Security-Policy

  • Referrer-Policy

  • Feature-Policy

My server block which receives 'A+' consists of:-



 add_header 'Referrer-Policy' 'no-referrer';
 add_header Strict-Transport-Security "max-age=15552000; preload" always;
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-XSS-Protection "1; mode=block" always;
 add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;;speaker self;vibrate none;fullscreen self;payment none;";
 add_header Content-Security-Policy "frame-ancestors my.site;";


an example location block that receives 'B' consists of:-



location /location1  












  • Is that the entire location block?

    – womble
    May 2 at 7:31











  • Hi womble, yes it is. Just left out the final

    – jonny21
    May 2 at 9:19
















Is that the entire location block?

– womble
May 2 at 7:31





Is that the entire location block?

– womble
May 2 at 7:31













Hi womble, yes it is. Just left out the final }

– jonny21
May 2 at 9:19





Hi womble, yes it is. Just left out the final }

– jonny21
May 2 at 9:19










1 Answer
1






active

oldest

votes


















1














The headers that are reported as being missing are lacking an always directive. I'm guessing that whatever is being tested against isn't returning one of the response codes that add_header wants in order to return the other headers.






share|improve this answer























  • This was it mate, legend. I added always; to each of those complaining headers. Thanks again, Jonny

    – jonny21
    May 2 at 22:36












Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f965513%2fnginx-security-headers-within-location-block%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














The headers that are reported as being missing are lacking an always directive. I'm guessing that whatever is being tested against isn't returning one of the response codes that add_header wants in order to return the other headers.






share|improve this answer























  • This was it mate, legend. I added always; to each of those complaining headers. Thanks again, Jonny

    – jonny21
    May 2 at 22:36
















1














The headers that are reported as being missing are lacking an always directive. I'm guessing that whatever is being tested against isn't returning one of the response codes that add_header wants in order to return the other headers.






share|improve this answer























  • This was it mate, legend. I added always; to each of those complaining headers. Thanks again, Jonny

    – jonny21
    May 2 at 22:36














1












1








1







The headers that are reported as being missing are lacking an always directive. I'm guessing that whatever is being tested against isn't returning one of the response codes that add_header wants in order to return the other headers.






share|improve this answer













The headers that are reported as being missing are lacking an always directive. I'm guessing that whatever is being tested against isn't returning one of the response codes that add_header wants in order to return the other headers.







share|improve this answer












share|improve this answer



share|improve this answer










answered May 2 at 10:31









womblewomble

86.2k18147205




86.2k18147205












  • This was it mate, legend. I added always; to each of those complaining headers. Thanks again, Jonny

    – jonny21
    May 2 at 22:36


















  • This was it mate, legend. I added always; to each of those complaining headers. Thanks again, Jonny

    – jonny21
    May 2 at 22:36

















This was it mate, legend. I added always; to each of those complaining headers. Thanks again, Jonny

– jonny21
May 2 at 22:36






This was it mate, legend. I added always; to each of those complaining headers. Thanks again, Jonny

– jonny21
May 2 at 22:36


















draft saved

draft discarded
















































Thanks for contributing an answer to Server Fault!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f965513%2fnginx-security-headers-within-location-block%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Wikipedia:Vital articles Мазмуну Biography - Өмүр баян Philosophy and psychology - Философия жана психология Religion - Дин Social sciences - Коомдук илимдер Language and literature - Тил жана адабият Science - Илим Technology - Технология Arts and recreation - Искусство жана эс алуу History and geography - Тарых жана география Навигация менюсу

Image
centralized watchlist Wikipedia:Vital articles Wikipedia дан Jump to navigation Jump to search This is a list of basic subjects for which Wikipedia should have a corresponding high-quality article, and ideally a featured article. It also serves as a centralized watchlist and tracks the status of some of Wikipedia's most essential articles. Ideally this page should list approximately 1,000 of the most vital Wikipedia articles. Мазмуну 1 Biography - Өмүр баян 1.1 Actors, dancers and models - Актёрлор, бийчилер жана моделдер 1.2 Artists and architects - Сүрөтчүлөр жана архитекторлор 1.3 Authors, playwrights and poets - Жазуучулар, драматургдар жана акындар 1.4 Composers and musicians - Композиторлор жана музыканттар 1.5 Explorers and travelers - Изилдөөчүлөр менен саякатчылар 1.6 Film directors and screenwriters - Режиссёрлор жана сценаристтер 1.7 Inventors, scientists and mathematicians - Ойлоп табуучулар, окумуштуулар жана математиктер
Read more

Bruxelas-Capital Índice Historia | Composición | Situación lingüística | Clima | Cidades irmandadas | Notas | Véxase tamén | Menú de navegacióneO uso das linguas en Bruxelas e a situación do neerlandés"Rexión de Bruxelas Capital"o orixinalSitio da rexiónPáxina de Bruselas no sitio da Oficina de Promoción Turística de Valonia e BruxelasMapa Interactivo da Rexión de Bruxelas-CapitaleeWorldCat332144929079854441105155190212ID28008674080552-90000 0001 0666 3698n94104302ID540940339365017018237

Image
AnderlechtCidade de BruxelasIxellesEtterbeekEvereGanshorenJetteKoekelbergAuderghemSchaerbeekBerchem-Sainte-AgatheSaint-GillesMolenbeek-Saint-JeanSaint-Josse-ten-NoodeWoluwe-Saint-LambertWoluwe-Saint-PierreUccleForestWatermaal-Bosvoorde Comunidade Francesa de Bélxica Comunidade Flamenga de Bélxica Comunidade Xermanófona de Bélxica Bruxelas-CapitalRexións de Bélxica francésneerlandésRexiónsBélxicacomunidade francesacomunidade flamengafrancófonaflamengaUnión EuropeaMagrebMarrocosTurquíaAméricaÁfricaRepública Democrática do CongoEuropa central18 de xuño1989FlandresRexión Valoaflamengaséculo XIXClasificación climática de Köppen Bruxelas-Capital Na Galipedia, a Wikipedia en galego. Saltar ata a navegación Saltar á procura Para outras páxinas con títulos homónimos véxase: Bruxelas . Région de Bruxelles-Capitale Brussels Hoofdstedelijk Gewest Bandeira Estado Bélxica Capital Cidade de Bruxelas  • Poboación n/d Lingua oficial As dúas Superficie  • Total 1
Read more

What should I write in an apology letter, since I have decided not to join a company after accepting an offer letterShould I keep looking after accepting a job offer?What should I do when I've been verbally told I would get an offer letter, but still haven't gotten one after 4 weeks?Do I accept an offer from a company that I am not likely to join?New job hasn't confirmed starting date and I want to give current employer as much notice as possibleHow should I address my manager in my resignation letter?HR delayed background verification, now jobless as resignedNo email communication after accepting a formal written offer. How should I phrase the call?What should I do if after receiving a verbal offer letter I am informed that my written job offer is put on hold due to some internal issues?Should I inform the current employer that I am about to resign within 1-2 weeks since I have signed the offer letter and waiting for visa?What company will do, if I send their offer letter to another company

Image
When is the original BFGS algorithm still better than the Limited-Memory version? How well known and how commonly used was Huffman coding in 1979? Inverse-quotes-quine Can the US president have someone sent to jail? Employer wants to use my work email account after I quit, is this legal under German law? Is this a GDPR waiver? Do French speakers not use the subjunctive informally? Low-gravity Bronze Age fortifications Does ultrasonic bath cleaning damage laboratory volumetric glassware calibration? Why do some games show lights shine through walls? Unusual mail headers, evidence of an attempted attack. Have I been pwned? Smooth Julia set for quadratic polynomials Require advice on power conservation for backpacking trip Dimensions of list used in test C-152 carb heat on before landing in hot weather? Is my Rep in Stack-Exchange Form? What happens when your group is victim of a surprise attack but you can't be surprised? How come I was asked by a CBP
Read more