Hi,
I've a question regarding the different security headers (Content-Security-Policy, etc.) which can be set via add_header.
In the docs it is mentioned that "add_header" can be set on every level (http, server, location). So I tried to set some security-related headers in the server block related to one domain. But this did not work as expected - in detail, it did not work at all. Even the "Strict-Transport-Security" header did not work on server level...
My first guess was that the used nginx version (1.6.2 stable) may have some problems. So I've updated to 1.7.9 from the mainline repo. But nothing changed...
After some fruitless googling for this problem I tried a lot of combinations and found that all headers work only on location level - which confused me. In my opinion these headers should work on server level as well, or do I misunderstand something in these mechanisms?
Config of my first try (NOT working):

server {
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; connect-src 'self' https:; img-src 'self' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; frame-src 'self' https:; object-src 'none';";
    ...
    location / ....
}
Config of my confused last try (WORKS):

server {
    ...
    location / {
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options "nosniff";
        add_header X-XSS-Protection "1; mode=block";
        add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; connect-src 'self' https:; img-src 'self' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; frame-src 'self' https:; object-src 'none';";
    }
}
And btw, yes, I've restarted nginx after each config change and also emptied my browser cache before inspecting the headers.
Thanks for help and enlightenment :-)
Oliver
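The behaviour Oliver describes is the documented inheritance rule of ngx_http_headers_module: add_header directives are inherited from the enclosing level only if the current level defines no add_header of its own. A single add_header inside a location (for example a Cache-Control line pulled in by a static-file or proxy snippet) silently drops every header set in the server block for responses served by that location. The config below is an added example, not Oliver's config and not from the nginx project; the server_name, the upstream address and the location paths are placeholders, and the CSP is illustrative only. It shows the broken pattern next to the fix, and uses the "always" parameter (available since nginx 1.7.5, so it applies to the 1.7.9 build mentioned above) so that the headers are also sent on 404/500 responses, which plain add_header skips.

```nginx
# Added example (not the original poster's config): why server-level
# add_header can vanish, and how to keep the full set on every location.
# nginx rule: add_header is inherited from the previous level only when the
# current level contains no add_header directive at all.

server {
    listen 443 ssl;
    server_name example.com;            # placeholder

    # Server-level set. Applies to every location that does NOT use add_header.
    # "always" (nginx >= 1.7.5) also attaches the header to 4xx/5xx responses;
    # without it add_header only covers 200/201/204/206/301/302/303/304/307.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'self'" always;

    # BROKEN: one location-level add_header means nothing is inherited.
    # Responses under /static/ carry Cache-Control and none of the headers above.
    location /static/ {
        root /var/www/example;          # placeholder
        add_header Cache-Control "public, max-age=86400";
    }

    # FIXED: restate the full security set next to the location-specific header.
    # In practice put the four lines in a file and `include` it here and at
    # server level, so the two copies cannot drift apart.
    location /assets/ {
        root /var/www/example;          # placeholder
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Content-Type-Options nosniff always;
        add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'self'" always;
        add_header Cache-Control "public, max-age=86400";
    }

    # No add_header here, so the server-level set is inherited unchanged.
    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }
}
```

To confirm the effect, compare `curl -skI https://example.com/static/x.css` with `curl -skI https://example.com/assets/x.css` and also request a path that returns 404: the /static/ response lacks Strict-Transport-Security and friends, the /assets/ response has them, and with "always" they survive on the error response as well. Note also that nginx does not add headers to responses that never reach the headers filter (for example a TLS-level error), so HSTS preload checks should be run against the live site, not inferred from the config alone.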