security_headers
The 'security_headers' directive enables the automatic addition of a default set of security HTTP headers in NGINX responses.
Description
The 'security_headers' directive belongs to the NGINX module designed to send security headers in HTTP responses. When set to 'on', it enables a predefined set of HTTP security headers: 'X-Frame-Options' set to 'SAMEORIGIN', 'X-XSS-Protection' disabled with a value of '0', 'Referrer-Policy' set to 'strict-origin-when-cross-origin', and 'X-Content-Type-Options' set to 'nosniff'. The module inspects the content type of each response and applies a header only where it is applicable, such as to HTML content, so that headers that serve no purpose on other content types (like CSS or JS) are not sent.
One prominent feature of this directive is its compliance with modern web standards, particularly in its handling of the 'Strict-Transport-Security' (HSTS) header, which is part of the module's default settings. When 'security_headers' is enabled, the HSTS header is applied appropriately. There is a caveat, though: if HSTS is included, the 'hsts_preload' behavior can cause the site to be included in Chrome's preload list, which may not be desired for sites that need to remain reachable over plain HTTP at any point. Administrators must therefore fully understand the implications of this directive, especially for security and HTTP accessibility of any subdomains.
Config Example
http {
    security_headers on;
    server {
        location / {
            # Additional configurations
        }
    }
}

Ensure that all subdomains are served over HTTPS before enabling HSTS, to avoid an unwanted preload outcome.
Using this directive with incompatible configurations may lead to unexpected behavior in how security headers are applied.
Only enable it if you are sure of the required security policies, since some headers, when misconfigured, can break application functionality.
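As an added verification step (example code written for this page, not part of the module or its documentation), the script below parses captured HTTP response header blocks, assumed to come from a tool such as `curl -sI`, and checks them against the defaults described above: the four headers on HTML responses, and no HTML-only headers on other content types. It also parses the HSTS header and reports whether the value meets the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload), which is the condition under which the caveat about the preload list applies. The sample responses are constructed. The assumption that 'X-Content-Type-Options: nosniff' is still expected on non-HTML responses while the other three headers are HTML-only is this example's reading of the description above and is marked in the code.

```python
"""Audit captured NGINX response headers against the documented defaults
of `security_headers on;`.

Example code for this page, not part of the module. Input is a raw
HTTP/1.1 response header block (status line followed by header lines).
"""
from typing import Dict, List, Optional

# Headers the documentation says the module adds to HTML responses.
EXPECTED_HTML_HEADERS = {
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "0",
    "referrer-policy": "strict-origin-when-cross-origin",
    "x-content-type-options": "nosniff",
}

# Assumption: these three are the "unnecessary headers" the module omits on
# non-HTML content; nosniff is still expected on scripts and stylesheets.
HTML_ONLY_HEADERS = ("x-frame-options", "x-xss-protection", "referrer-policy")

# hstspreload.org submission requirements: max-age >= 1 year,
# includeSubDomains and preload directives present.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw header block into a lower-cased name -> value mapping."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def is_html(headers: Dict[str, str]) -> bool:
    """True when the media type (ignoring charset parameters) is text/html."""
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    return media_type == "text/html"


def hsts_policy(headers: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Parse Strict-Transport-Security into its directives, or None if absent."""
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in (d.strip().lower() for d in value.split(";")):
        if directive.startswith("max-age="):
            policy["max_age"] = int(directive.split("=", 1)[1])
        elif directive == "includesubdomains":
            policy["include_subdomains"] = True
        elif directive == "preload":
            policy["preload"] = True
    return policy


def audit(raw: str) -> Dict[str, object]:
    """Compare one response against the documented defaults.

    Findings are deviations from the documented defaults, not necessarily
    weaknesses (a stricter X-Frame-Options value is still reported).
    """
    headers = parse_headers(raw)
    html = is_html(headers)
    findings: List[str] = []
    if html:
        for name, want in EXPECTED_HTML_HEADERS.items():
            got = headers.get(name)
            if got is None:
                findings.append(f"missing {name}")
            elif got.lower() != want.lower():
                findings.append(f"{name} is {got!r}, expected {want!r}")
    else:
        for name in HTML_ONLY_HEADERS:
            if name in headers:
                findings.append(f"{name} sent on non-HTML response")
        if headers.get("x-content-type-options", "").lower() != "nosniff":
            findings.append("missing x-content-type-options")
    policy = hsts_policy(headers)
    preload_eligible = bool(
        policy
        and policy["preload"]
        and policy["include_subdomains"]
        and (policy["max_age"] or 0) >= PRELOAD_MIN_MAX_AGE
    )
    return {"html": html, "findings": findings, "hsts": policy, "preload_eligible": preload_eligible}


# Constructed sample responses (not captured from a real server).
SAMPLE_HTML = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 0
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
"""

SAMPLE_CSS = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/css
X-Content-Type-Options: nosniff
"""

SAMPLE_DEVIATING = """HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: DENY
Strict-Transport-Security: max-age=300
"""

if __name__ == "__main__":
    for label, raw in (("html", SAMPLE_HTML), ("css", SAMPLE_CSS), ("deviating", SAMPLE_DEVIATING)):
        result = audit(raw)
        print(label, "findings:", result["findings"], "preload-eligible:", result["preload_eligible"])
```

Run it against real captures by replacing the constructed samples with the output of `curl -sI` for an HTML page and for a stylesheet on the same host; an HTML response that reports `preload-eligible: True` is one that Chrome's preload submission process would accept, so the note about subdomains and plain-HTTP reachability applies to it.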