security_headers_frame

The 'security_headers' directive enables the addition of various security headers to HTTP responses in NGINX.

Syntax: security_headers on | off;
Default: off
Context: http, server, location
Arguments: 1

Description

The 'security_headers' directive is intended to enhance the security of web applications by automatically including a standard set of security-related headers in the HTTP responses served by NGINX. By using this directive, administrators can mitigate common security vulnerabilities such as clickjacking, content type sniffing, and information leakage related to server versions. The directive can be set globally or at specific levels: http, server, or location, thereby providing flexibility in applying the security measures only where needed.

When enabled, the 'security_headers' directive configures the web server to add the following HTTP security headers to its responses:

- X-Frame-Options: SAMEORIGIN, which prevents the site from being embedded in frames on other sites, mitigating clickjacking attacks.
- X-XSS-Protection: 0, which disables the built-in XSS filtering mechanism of browsers, as it is often ineffective.
- Referrer-Policy: strict-origin-when-cross-origin, which controls the referrer information sent with navigational requests.
- X-Content-Type-Options: nosniff, which ensures that browsers only interpret files as the content type specified in the Content-Type header, preventing attacks that rely on MIME sniffing.

By integrating these headers into the server responses, the directive helps ensure that web applications are more resilient against common security threats.

Config Example

http {
    security_headers on;
}

Remember to test the configuration in staging before deploying to production, as excessive security headers could impact compatibility with some applications.
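One way to carry out that staging test is to capture a raw response from the server and verify that every header the directive is documented to add is present exactly once with the documented value. The script below is an added example, not code from the module or its documentation; the two HTTP responses it checks are constructed inline (not captured from a real server), and the expected values are taken from the header list above.

```python
"""Verify that an HTTP response carries the headers the security_headers
directive is documented to add.  Added example, not part of the module;
the sample responses below are constructed, not captured from a server."""

from typing import Dict, List, Tuple

# Headers and values the directive is documented to set (from the page).
EXPECTED_HEADERS: Dict[str, str] = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "0",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff",
}


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.x response into a map of
    lower-cased header name -> list of values.  Repeated headers are kept,
    because a header emitted twice with different values is a real finding."""
    headers: Dict[str, List[str]] = {}
    lines = raw.split("\r\n") if "\r\n" in raw else raw.split("\n")
    # Skip the status line; stop at the blank line that ends the header block.
    for line in lines[1:]:
        if line.strip() == "":
            break
        if ":" not in line:
            continue  # malformed line: ignore it rather than abort the check
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_security_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (header, problem) findings.  An empty list means each expected
    header is present exactly once with the documented value.  Header names
    and values are compared case-insensitively, as browsers treat them."""
    findings: List[Tuple[str, str]] = []
    headers = parse_response_headers(raw)
    for name, expected in EXPECTED_HEADERS.items():
        values = headers.get(name.lower())
        if values is None:
            findings.append((name, "missing"))
        elif len(values) > 1:
            findings.append((name, f"set {len(values)} times: {values}"))
        elif values[0].lower() != expected.lower():
            findings.append((name, f"expected {expected!r}, got {values[0]!r}"))
    return findings


# Constructed sample: a response from a server with the directive enabled.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 0\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: conflicting header configuration, leaving one header
# missing, one duplicated with differing values, and one with the wrong value.
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, response in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        problems = check_security_headers(response)
        print(f"{label}: {'OK' if not problems else problems}")
```

Run the check against every location that matters, not just the site root: in NGINX, add_header directives are inherited from the enclosing level only when the current level defines no add_header of its own, so a location block that sets one unrelated header can silently drop inherited ones. The checker reports both missing and duplicated headers so that either kind of conflict (the situation the note above warns about) shows up in staging rather than in production.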

Ensure that other security modules or headers do not conflict with those generated by this directive.

Review the impact of the 'HSTS preload' option to avoid unintended strict transport security policies if domains will be accessed over HTTP.
