Additional nginx config for PCI compliance - details

Hello all,

If you run a test at SSL Security Test | ImmuniWeb, your last pass result may now be lower and will not pass the next scan.

As I require PCI compliance, I ran into a few new items that have been added to testing (or did not apply on the last test I had with Security Metrics). Items just added in nginx config have – in front.

If using the below, remove the – if you copy & paste.

Using the below example you should be back to passing; you can customize them to your requirement.

add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

add_header Referrer-Policy same-origin; # –
add_header X-XSS-Protection "1; mode=block";
add_header Expect-CT 'max-age=60'; # –
add_header X-Permitted-Cross-Domain-Policies master-only; # –
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
add_header Content-Security-Policy "default-src 'self';"; # –
add_header Content-Security-Policy-Report-Only "default-src 'self'"; # –
add_header Feature-Policy "geolocation 'none'; camera 'none'; speaker 'none';"; # –

Thanks for your suggestions, Salnz.
They are definitely good and many people use them; however, they are a bit too strict for the average hosting and may interfere with a few legacy apps that require CSRF (cross site request forgery) relaxed.

As is always the case, if you need these to be implemented for all your sites, it would be better if you:

  1. Make your own templates and select them (recommended)

  2. Edit default Hestia templates to add these… but mind that they will be reset when Hestia updates and you will need to add them again 🙂

Regards
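
A check for the two points raised in this thread (the header list, and templates being reset on update), as an added example that is not from either poster or from Hestia: it parses an nginx config and lists which of the ten headers each `server` or `location` block would lack, applying nginx's default rule that a block with any `add_header` of its own inherits none from the enclosing level. The `audit` function, the `SAMPLE` config and its placeholder header values are constructed for illustration.

```python
import re

# Header names come from the post above; checker and SAMPLE are constructed.
REQUIRED = set("""x-frame-options x-content-type-options referrer-policy
x-xss-protection expect-ct x-permitted-cross-domain-policies
strict-transport-security content-security-policy
content-security-policy-report-only feature-policy""".split())
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|#[^\n]*|[{};]|[^\s{};#"\']+')

def parse(conf):
    """Build a tree of blocks; each node is (name, own header names, children)."""
    root = ("main", set(), [])
    stack, words = [root], []
    for tok in TOKEN.findall(conf):
        if tok == ";":
            if len(words) >= 3 and words[0] == "add_header":
                stack[-1][1].add(words[1].lower())
            words = []
        elif tok == "{":
            node = (" ".join(words), set(), [])
            stack[-1][2].append(node)
            stack.append(node)
            words = []
        elif tok == "}":
            stack = stack[:-1] or stack  # ignore a stray closing brace
        elif not tok.startswith("#"):    # skip comments
            words.append(tok)
    return root

def audit(conf):
    """Return {block path: missing headers} for server and location blocks."""
    report = {}
    def walk(node, inherited, path):
        name, own, children = node
        # nginx default: a level with any add_header of its own inherits none.
        effective = own or inherited
        here = f"{path} > {name}" if path else name
        if name.split(" ")[0] in ("server", "location") and REQUIRED - effective:
            report[here] = sorted(REQUIRED - effective)
        for child in children:
            walk(child, effective, here)
    walk(parse(conf), set(), "")
    return report

# Constructed sample: the server sets all ten, /static/ adds one of its own.
SAMPLE = ("server {\n" + "".join(f"  add_header {h} x;\n" for h in sorted(REQUIRED))
          + "  location / { try_files $uri =404; }\n"
          + '  location /static/ { add_header Cache-Control "public"; }\n}')
print(audit(SAMPLE))
```

Only `/static/` is reported: its single `Cache-Control` line replaces, rather than extends, the ten headers set at server level, while `location /` inherits them.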