Hi, I am using the HestiaCP default setup with Nginx proxy + Apache web server. For the security header settings, should I add them on both NGINX and Apache? Will it make any difference, or will the headers be excessively double loaded?
Thanks
NGINX
add_header Content-Security-Policy "upgrade-insecure-requests";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Expect-CT "max-age=7776000, enforce";
add_header X-Frame-Options "SAMEORIGIN";
APACHE
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "max-age=7776000, enforce"
Header always set Referrer-Policy "no-referrer-when-downgrade"
Header always set Content-Security-Policy "upgrade-insecure-requests"
Hi,
Only in one of them.
Also, keep in mind that for HSTS (Strict-Transport-Security) you can add it to your web domain directly from Hestia.
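The "set in one layer only" advice above is easy to verify from the outside. The following POSIX shell audit is an added example, not part of the thread or of Hestia: it counts how many times each expected security header appears in a captured response, so a header set in both Nginx and Apache shows up as DUPLICATE and one set in neither as MISSING. The sample response embedded in the script is constructed for the example, not captured from a real host; on a live site you would pipe in the output of `curl -sS -D - -o /dev/null https://yourdomain/` instead.

```sh
#!/bin/sh
# Added example (not from the HestiaCP thread): audit a captured HTTP
# response for the security headers discussed above.
# For each expected header: 0 occurrences = missing, >1 = the header is
# being added by both Nginx and Apache (the "double loaded" case).

EXPECTED_HEADERS="strict-transport-security x-content-type-options x-frame-options content-security-policy referrer-policy"

# count_header NAME : reads response headers on stdin and prints how many
# times header NAME appears (header names are case-insensitive).
count_header() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v name="$name" -F': *' 'tolower($1) == name { n++ } END { print n + 0 }'
}

# audit_headers : reads response headers on stdin and prints one line per
# expected header: "OK <name>", "MISSING <name>" or "DUPLICATE <name> (<count>)".
# Exit status is 1 if anything is missing or duplicated, 0 otherwise.
audit_headers() {
    input=$(cat)
    rc=0
    for h in $EXPECTED_HEADERS; do
        n=$(printf '%s\n' "$input" | count_header "$h")
        if [ "$n" -eq 0 ]; then
            echo "MISSING $h"; rc=1
        elif [ "$n" -gt 1 ]; then
            echo "DUPLICATE $h ($n)"; rc=1
        else
            echo "OK $h"
        fi
    done
    return $rc
}

# Constructed sample (not a real capture): X-Frame-Options is set in both
# Nginx and Apache, HSTS is set in neither.
SAMPLE_RESPONSE='HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
content-security-policy: upgrade-insecure-requests
referrer-policy: strict-origin-when-cross-origin'

# Live usage: curl -sS -D - -o /dev/null https://yourdomain/ | audit_headers
# The sample prints MISSING strict-transport-security, DUPLICATE x-frame-options (2)
# and OK for the other three.
printf '%s\n' "$SAMPLE_RESPONSE" | audit_headers || echo "fix: set each header in exactly one layer"
```

Using a GET with `-D -` rather than `curl -I` matters: some applications answer HEAD requests differently, and Apache's `Header always set` directives fire on the proxied response, so a duplicate will only be visible on the response the browser actually receives.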
got it, thanks.
I've been reading through the forum, which says NOT to modify these files directly.
/etc/apache2/apache2.conf
/etc/nginx/nginx.conf
May I know where I should put a custom config file, to play safe, if I want it to be site specific (to prevent it being overwritten on upgrade)?
I am trying to add some custom Apache settings, but restarting Apache failed.
Add a new file to
/home/USERNAME/conf/web/DOMAIN/apache2.ssl.conf_customsec
Then add these 2 lines inside
ServerTokens Prod
ServerSignature Off
But then I cannot restart the Apache server. However, if I add these 2 lines directly to apache2.ssl.conf, it's working.
You can create specific web templates for your sites, or you can also add conf files named nginx.conf_whatever and nginx.ssl.conf_whatever and put the directives that add the needed headers there.
Those files must be created in /home/YourUser/conf/web/YourDomain/. Hestia web templates include these directives that will load those files.
In nginx.conf:
[...]
include /home/YourUser/conf/web/YourDomain/nginx.conf_*;
[...]
In nginx.ssl.conf:
[...]
include /home/YourUser/conf/web/YourDomain/nginx.ssl.conf_*;
[...]
Those files won't be modified by upgrades or by rebuilding your site. The same applies if you prefer to create your own web template.
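As an added example (not code from the thread or from Hestia itself), here is a POSIX shell helper that writes the nginx.conf_* and nginx.ssl.conf_* drop-ins described in the reply above. The directory layout and include pattern are the ones quoted in that reply; the file suffix `_headers`, the header set, the `always` flag and the ROOT prefix (so the demo writes into a temporary directory instead of /home) are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the HestiaCP thread: generate the per-domain
# Nginx drop-ins that Hestia's templates include via
#   include /home/USER/conf/web/DOMAIN/nginx.conf_*;
#   include /home/USER/conf/web/DOMAIN/nginx.ssl.conf_*;
# Only the nginx.conf_ / nginx.ssl.conf_ prefix is required by Hestia;
# the "_headers" suffix is this example's choice.

# "always" makes Nginx emit the header on 4xx/5xx responses too; without it
# add_header only applies to 200, 204, 206, 301, 302, 303, 304, 307 and 308.
SECURITY_HEADERS='add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "upgrade-insecure-requests" always;'

# HSTS belongs only in the TLS server block (the .ssl. file); browsers
# ignore it on plain HTTP, and Hestia can also set it per domain itself.
HSTS_HEADER='add_header Strict-Transport-Security "max-age=31536000" always;'

# dropin_path ROOT USER DOMAIN SCHEME(http|https)
# ROOT is a prefix: "" on the real server, a temp dir when testing.
dropin_path() {
    if [ "$4" = "https" ]; then f=nginx.ssl.conf_headers; else f=nginx.conf_headers; fi
    printf '%s/home/%s/conf/web/%s/%s\n' "$1" "$2" "$3" "$f"
}

# write_header_dropins ROOT USER DOMAIN : writes both drop-in files and
# prints their paths, one per line.
write_header_dropins() {
    root=$1; user=$2; domain=$3
    for scheme in http https; do
        path=$(dropin_path "$root" "$user" "$domain" "$scheme")
        mkdir -p "$(dirname "$path")"
        {
            printf '# security headers for %s (%s); survives Hestia upgrades and rebuilds\n' "$domain" "$scheme"
            printf '%s\n' "$SECURITY_HEADERS"
            if [ "$scheme" = "https" ]; then printf '%s\n' "$HSTS_HEADER"; fi
        } > "$path"
        printf '%s\n' "$path"
    done
}

# Demo into a temp dir so running this file touches nothing under /home.
# On the server: write_header_dropins "" USERNAME DOMAIN
# then: nginx -t && systemctl reload nginx
demo=$(mktemp -d)
write_header_dropins "$demo" admin example.test
cat "$demo/home/admin/conf/web/example.test/nginx.ssl.conf_headers"
rm -rf "$demo"
```

Two checks worth doing after `nginx -t` and a reload: confirm the headers with `curl -sS -D - -o /dev/null https://DOMAIN/` on both a 200 page and a 404, and make sure the template's `location` blocks do not define their own `add_header`. Nginx discards all inherited `add_header` directives in any block that sets one of its own, so a single `add_header` inside a `location` in the template silently drops every header from the drop-in for that location.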
Thanks, I've tried this on the Apache config, but the Apache2 service failed to restart.
Add a new file to
/home/USERNAME/conf/web/DOMAIN/apache2.ssl.conf_customsec
Then add these 2 lines inside
ServerTokens Prod
ServerSignature Off
Those directives are global, so you can’t add them inside a VirtualHost. Also, there’s no need to include them, nobody will connect directly to Apache. Clients will only see Nginx, and Nginx already provides this “protection”.
❯ grep server_tokens /etc/nginx/nginx.conf
server_tokens off;
Cool, cool... thanks so much.
Because when I run phpinfo, I can still see the Apache version. (Not sure if this is related to my having removed all the proxy extensions, because my web app had issues with them.)
I will focus on adjusting other things primarily on Nginx now. Thanks.
Because PHP is running on Apache.
@sahsanu
I've got this setup and it seems to balance security and accessibility. Please comment.
Create a new template which applies to my web domains:
/usr/local/hestia/data/templates/web/apache2/php-fpm/default_secured.stpl
/usr/local/hestia/data/templates/web/apache2/php-fpm/default_secured.tpl
Add the following lines:
ServerTokens Prod
ServerSignature Off
/usr/local/hestia/data/templates/web/nginx/default_secured.stpl
/usr/local/hestia/data/templates/web/nginx/default_secured.tpl
Add the following lines:
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "upgrade-insecure-requests;";
add_header X-Content-Type-Options "nosniff";
add_header Referrer-Policy "strict-origin-when-cross-origin";
And then I tried running security scans from several websites. Most are fine, but cyberchief.ai gives me some other security advice about Cross-Origin-XXXX.
Then I tried searching through Google, but I think my knowledge is too limited to understand it. May I seek your advice on whether I need to apply those Cross-Origin-XXXX headers as well?
Thanks so much