security_headers_text_types
The `security_headers_text_types` directive specifies the MIME types for which security headers will be applied in the response.
Description
The security_headers_text_types directive in NGINX defines a list of MIME types that will have security headers applied during the response process. When this directive is set, the server checks the Content-Type of the response and only applies the specified security headers for matching types. This is particularly useful in ensuring that headers such as X-Frame-Options, X-XSS-Protection, and others are only sent for relevant response types, enhancing security while preventing unnecessary headers from being sent for media types where they are not applicable, such as CSS or images.
The directive takes one or more MIME types as arguments and can be set in the http, server, or location context. For example, a common configuration lists text-based types such as text/html, application/xhtml+xml, and text/xml, all of which benefit from the added headers, so that the security headers are applied only to HTML-like content. Conversely, binary types should normally be left off this list, since sending the headers for them provides no security benefit.
If the directive is omitted, the module may fall back to a pre-configured set of MIME types chosen for typical web applications. Administrators should review the content types their application actually serves when configuring this directive, so that security and performance are balanced appropriately.
Config Example
http {
    security_headers on;
    security_headers_text_types text/html text/xml;
}
Notes
Be careful to list only applicable MIME types; including binary types can result in unnecessary headers being sent.
Check the order and context of your declarations so that a global setting does not unintentionally override a more specific local one.
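To check that a deployment actually matches the policy the directive expresses, here is an added Python audit script; it is not part of the module or of this page. It assumes the module emits at least X-Frame-Options and X-XSS-Protection, that matching compares the bare media type with parameters such as charset stripped, and it runs against constructed sample responses rather than a live server.

```python
"""Offline audit: do recorded responses carry security headers exactly for
the MIME types listed in security_headers_text_types?  (Added example.)"""
from typing import Dict, Iterable, List, Tuple

# ASSUMPTION: the headers the module adds; extend to match your module version.
SECURITY_HEADERS = ("X-Frame-Options", "X-XSS-Protection")


def media_type(content_type: str) -> str:
    """Bare media type, lower-cased, with parameters (e.g. charset) removed."""
    return content_type.split(";", 1)[0].strip().lower()


def headers_expected(content_type: str, text_types: Iterable[str]) -> bool:
    """True if the configured list says this response should carry the headers."""
    configured = {t.strip().lower() for t in text_types}
    return media_type(content_type) in configured


def audit(responses: List[Tuple[str, Dict[str, str]]],
          text_types: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, finding) for every response that disagrees with the policy."""
    findings = []
    for path, headers in responses:
        lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        want = headers_expected(lower.get("content-type", ""), text_types)
        present = [h for h in SECURITY_HEADERS if h.lower() in lower]
        missing = [h for h in SECURITY_HEADERS if h.lower() not in lower]
        if want and missing:
            findings.append((path, "missing " + ", ".join(missing)))
        elif not want and present:
            findings.append((path, "unexpected " + ", ".join(present)))
    return findings


# Constructed sample responses (path, response headers), not captured from a real host.
SAMPLE_RESPONSES = [
    ("/", {"Content-Type": "text/html; charset=utf-8",
           "X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block"}),
    ("/feed.xml", {"Content-Type": "text/xml"}),                     # listed type, headers absent
    ("/logo.png", {"Content-Type": "image/png", "X-Frame-Options": "SAMEORIGIN"}),  # binary, header leaked
    ("/style.css", {"Content-Type": "text/css"}),                    # not listed, nothing sent: fine
]
CONFIGURED = ["text/html", "text/xml"]  # mirrors the Config Example above

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_RESPONSES, CONFIGURED):
        print(f"{path}: {finding}")
```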