Additional nginx config for PCI compliance - details

Hello all,

If you run a test at your last pass result may now be lower and will not pass next scan.

As I require PCI compliance I ran into a few new items that have been added to testing (or did not apply on last test I had with Security Metrics) Items just added in nginx config have – in front.

If using the below remove the – if copy & paste

Using the below example you should be back to passing, you can customize them to your requirement.

add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

add_header Referrer-Policy same-origin; –
add_header X-XSS-Protection “1; mode=block”;
add_header Expect-CT ‘max-age=60’; –
add_header X-Permitted-Cross-Domain-Policies master-only; –
add_header Strict-Transport-Security ‘max-age=31536000; includeSubDomains; preload’;
add_header Content-Security-Policy “default-src ‘self’;”; –
add_header Content-Security-Policy-Report-Only “default-src ‘self’”; –
add_header Feature-Policy “geolocation ‘none’; camera ‘none’; speaker ‘none’;”; –