Nginx WordPress Security headers

How can I add additional security headers?

P.S. - I cannot use $HOMEDIR/$user/conf/web/$domain/nginx.hsts_custom.conf as it breaks the site.

# BEGIN Security Headers
server {
  # Basic Security headers
  # Every nginx directive ends with ";"; "always" emits the header on every response code
  # (nginx has no Apache-style env=HTTPS parameter)
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  add_header Content-Security-Policy "upgrade-insecure-requests";
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-Content-Type-Options "nosniff";
  add_header Referrer-Policy "strict-origin-when-cross-origin";
  add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()";
}
# END Security Headers

Remove:

# BEGIN Security Headers
server {


}

But leave everything else

Thanks, but it does not work.

STEPS

  1. I uncheck “Enable HTTP Strict Transport Security (HSTS)” in the GUI.
  2. I launch nano $HOMEDIR/$user/conf/web/$domain/nginx.hsts_custom.conf (obviously with my data) and add

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "upgrade-insecure-requests";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()";

  3. Reboot.
  4. The WordPress site is up, but https://securityheaders.com does not detect the changes.

Are you sure (or did I make some mistake)?

nginx.conf_hsts_custom

If I am right

NOPE. It also breaks the WP site.

nginx.conf_*;

Format should be correct

Any errors?

YEAP.

  1. I do nano nginx.conf_hsts_custom
  2. To simplify (and avoid a possible syntax error) I add ONLY Hestia's original syntax:
add_header Strict-Transport-Security "max-age=15768000;" always;
  3. Reboot.
  4. On https://securityheaders.com the change is still not recognized.

P.S. - If we can do it, I agree to send you credentials and data by private message so you can check yourself.

I have a file which I created called
/home/user/conf/web/domain.com/nginx.conf_security
It contains e.g.:

add_header Set-Cookie "Path=/; HttpOnly; Secure";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin";

Run nginx -t to check for errors.
Then run systemctl restart nginx.
The headers are detected correctly.
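A local version of the check securityheaders.com performs, as an added example that is not from this thread, from Hestia or from nginx: the script below fetches a URL (or parses a captured raw response; a constructed sample is embedded) and lists which of the headers from the OP's configuration are present, missing, weak, or deprecated. The function names (`parse_raw_response`, `check_headers`, `fetch_headers`, `report`), the per-header sanity checks and the sample response are this example's own assumptions. Two nginx behaviours worth keeping in mind when a scanner reports nothing: `add_header` directives are inherited from the enclosing block only when the current block (for example a `location` for PHP or static files) defines no `add_header` of its own, and without the `always` parameter nginx adds the header only to certain success and redirect status codes, so an error page or a redirect may carry none of them.

```python
"""Report which security headers a site actually sends (added example, not from the thread)."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Headers the thread tries to add, each with a minimal sanity check on its value.
# These checks are this example's own; securityheaders.com's grading is not reproduced.
EXPECTED: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: bool(v.strip()),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: bool(v.strip()),
    "permissions-policy": lambda v: bool(v.strip()),
}

# Legacy header that modern scanners flag instead of rewarding.
DEPRECATED = ("x-xss-protection",)

# Constructed sample response (not a real capture): what a site serving only the
# four add_header lines from the nginx.conf_security answer above would return.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=15768000;\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Referrer-Policy: strict-origin\r\n"
    "\r\n"
)


def parse_raw_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Parse a captured HTTP/1.x response head into (status code, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return status, headers


def check_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify response headers as ok, missing, weak, or deprecated (names lower-cased)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    result: Dict[str, List[str]] = {"ok": [], "missing": [], "weak": [], "deprecated": []}
    for name, is_ok in EXPECTED.items():
        if name not in lowered:
            result["missing"].append(name)
        elif is_ok(lowered[name]):
            result["ok"].append(name)
        else:
            result["weak"].append(name)
    result["deprecated"] = [n for n in DEPRECATED if n in lowered]
    return result


def fetch_headers(url: str) -> Tuple[int, str, Dict[str, str]]:
    """HEAD the URL, following redirects, and return (status, final URL, headers).

    4xx/5xx responses are returned as well: those are exactly the responses on
    which an nginx add_header without `always` sends nothing.
    """
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.geturl(), dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, err.geturl(), dict(err.headers or {})


def report(url: str) -> Dict[str, List[str]]:
    """Fetch and check a live site; print a summary and return the classification."""
    status, final_url, headers = fetch_headers(url)
    result = check_headers(headers)
    print(f"{final_url} -> HTTP {status}")
    for bucket, names in result.items():
        print(f"  {bucket:10s}: {', '.join(names) or '-'}")
    return result


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        report(sys.argv[1])
    else:
        # Offline demonstration on the constructed sample response.
        _, sample_headers = parse_raw_response(SAMPLE_RESPONSE)
        for bucket, names in check_headers(sample_headers).items():
            print(f"{bucket:10s}: {', '.join(names) or '-'}")
```

Run it as `python3 check_headers.py https://example.com/` against the final HTTPS URL of the site, not the plain-HTTP redirect, and compare with `curl -sI` output if the two disagree; if the homepage reports the headers but a scanner does not, check whether a CDN or proxy sits in front of nginx, as the reply below suggests.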

  1. There were errors in the syntax (now fixed, and the test passes).
  2. On https://securityheaders.com the change is still not recognized.

Any idea what could be wrong?

All I can think of is if you have a proxy in between your website and securityheaders.com which is re-writing the headers. Cloudflare? Some other CDN?

NOPE. I’m on the Oracle 4 x 24 ARM free tier and I thought there could be some issue in the server installation, so I deleted the instance. At the moment the issue is that Oracle does not allow me, due to capacity in the domain (Ashburn, which cannot be changed on the free tier).

So, I will be back when I install it again and try again.

P.S. - Leave the topic open.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.