NGINX for Mozilla HTTP Observatory
2023-10-23
Last edit: 2023-10-23

---------------------
Website security, whether in terms of cookies or HTTP headers, is still very im…
This is a tool set up by Mozilla in the form of a website. It assigns a securit…
For the technical part with NGINX, I've chosen to use [this website](/) as an e…
## NGINX security
### HTTP to HTTPS redirection
The first thing to do with NGINX is to redirect HTTP traffic to an HTTPS port.
```nginx
# Catch-all plain-HTTP listener (IPv4 and IPv6): answer every request with a
# permanent redirect to the same host and path over HTTPS.
server {
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}
```
The HTTP 301 status code tells the browser that the resource has moved permanently and that it should redirect to the URL given in the Location header.
### SSL parameters
```nginx
# Keep negotiated sessions reusable for one day
ssl_session_timeout 1d;
# Disable SSL session tickets
ssl_session_tickets off;
# Enable OCSP stapling and verify the stapled response before serving it
ssl_stapling on;
ssl_stapling_verify on;
# Trusted CA chain used to verify the OCSP response (required by ssl_stapling_verify)
ssl_trusted_certificate /path/fullchain.pem;
# DNS resolver NGINX uses to look up the OCSP responder's hostname
resolver 1.1.1.1;
resolver_timeout 5s;
```
Enabling stapling reduces latency for the client. This is because the SSL certi…
### HTTP basic security headers
```nginx
# Note: add_header lines are inherited from the enclosing level only when the
# current level (e.g. a location block) defines no add_header of its own.
# Instructs the browser to use HTTPS for the next two years (63072000 s);
# "always" adds the header to error responses as well
add_header Strict-Transport-Security "max-age=63072000" always;
# Legacy cross-site scripting (XSS) filter header; current browsers ignore it
add_header X-XSS-Protection "1; mode=block";
# Disables resource content type guessing (MIME sniffing)
add_header X-Content-Type-Options "nosniff";
# Controls how the Referer header is sent in requests
add_header Referrer-Policy "no-referrer";
# Defines the permissions for specific web features
add_header Permissions-Policy "microphone=(), geolocation=()";
# Prevents this website from being embedded in an iframe on another site
add_header X-Frame-Options "DENY";
```
Also, another important point checked by Mozilla Observatory is the Content Sec…
### Dynamic Content Security Policies
```nginx
# Replace every occurrence of the placeholder in the response body, not only the first
sub_filter_once off;
# Substitute the placeholder text "nonce_value" with the TLS session identifier.
# Note: $ssl_session_id is the TLS session ID, so it repeats when a session is
# resumed and is empty on plain HTTP; the CSP spec expects a fresh random nonce
# per response.
sub_filter nonce_value $ssl_session_id;
add_header Content-Security-Policy "default-src 'none'; font-src 'self'; style-…
```
`sub_filter` is a directive from the `ngx_http_sub_module` NGINX module. It is …
In effect, here I'm generating a random value with NGINX that will replace `non…
The CSP header in the HTTP response will therefore indicate that style tags wit…
Just like `sha256-2daR3BDHUgNt2bWp/u+3CNDJtsIDrpz+22+QPnNNS5c=` which represent…
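The nonce-or-hash rule the CSP section relies on, as an added example that is not code from the original post: a small Python audit that, given a rendered HTML response and its Content-Security-Policy header, reports every inline `<style>` (or `<script>`) the policy would block, accepting a block only if its `nonce` attribute matches a `'nonce-…'` source or its content hashes to a listed `'sha256-…'` source. The sample page, the nonce value and the policy string are constructed for the demonstration.

```python
import base64
import hashlib
import re

def csp_hash(inline_content: str) -> str:
    """CSP 'sha256-<base64>' source for the exact text between the tags."""
    digest = hashlib.sha256(inline_content.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")

def directive_sources(csp: str, directive: str) -> list[str]:
    """Source list for a directive; falls back to default-src when absent."""
    found = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            found[tokens[0]] = tokens[1:]
    return found.get(directive, found.get("default-src", []))

def inline_blocks(html: str, tag: str):
    """Yield (nonce attribute or None, body text) for each inline <tag>."""
    pattern = re.compile(rf"<{tag}(?P<attrs>[^>]*)>(?P<body>.*?)</{tag}>", re.S)
    for match in pattern.finditer(html):
        nonce = re.search(r'nonce="([^"]*)"', match.group("attrs"))
        yield (nonce.group(1) if nonce else None, match.group("body"))

def audit_inline(html: str, csp: str, tag: str, directive: str) -> list[str]:
    """Return one message per inline <tag> block the policy would block."""
    sources = directive_sources(csp, directive)
    # CSP level 2+: 'unsafe-inline' is ignored once a nonce or hash is listed
    strict = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    blocked = []
    for nonce, body in inline_blocks(html, tag):
        if nonce is not None and f"'nonce-{nonce}'" in sources:
            continue
        if f"'{csp_hash(body)}'" in sources:
            continue
        if "'unsafe-inline'" in sources and not strict:
            continue
        blocked.append(f"<{tag}> blocked (nonce={nonce!r}, hash {csp_hash(body)})")
    return blocked

# Constructed sample page: first <style> carries the substituted nonce, second has none
SAMPLE_NONCE = "c0ffee42"  # constructed stand-in for the value sub_filter inserts
SAMPLE_HTML = (
    f'<html><head><style nonce="{SAMPLE_NONCE}">body {{ margin: 0 }}</style>'
    '<style>h1 { color: red }</style></head></html>'
)
SAMPLE_CSP = f"default-src 'none'; style-src 'self' 'nonce-{SAMPLE_NONCE}'"
if __name__ == "__main__":
    print(audit_inline(SAMPLE_HTML, SAMPLE_CSP, "style", "style-src"))
```

Adding the reported `sha256-…` value to `style-src` (or giving the block the nonce) makes the audit come back empty.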