Behavior of security headers

okamzol nginx-forum at nginx.us
Mon Jan 26 11:19:54 UTC 2015


Hi,

I have a question regarding the different security headers
(Content-Security-Policy, etc.) which can be set via add_header.
In the docs it is mentioned that "add_header" can be set on every level
(http, server, location). So I tried to set some security-related headers in
the server block related to one domain. But this did not work as expected -
in detail, it did not work at all. Even the "Strict-Transport-Security"
header did not work on server level...

My first guess was that the nginx version used (1.6.2 stable) may have some
problems... So I've updated to 1.7.9 from the mainline repo. But nothing
changed...

After some fruitless googling for this problem I tried a lot of
combinations and found that all headers work only on location level -
which confused me. In my opinion these headers should work on server level as
well, or do I misunderstand something in these mechanisms?


config of my first try (NOT working)
server {
   add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;";
   add_header X-Frame-Options SAMEORIGIN;
   add_header X-Content-Type-Options "nosniff";
   add_header X-XSS-Protection "1; mode=block";
   add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; connect-src 'self' https:; img-src 'self' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; frame-src 'self' https:; object-src 'none';";
   ...
   # add_header lines above are inherited by a location only if that location
   # defines no add_header of its own (ngx_http_headers_module docs)
   location / ....
}

config of confused last try (WORKS)
server {
   ...
   location / {
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;";
      add_header X-Frame-Options SAMEORIGIN;
      add_header X-Content-Type-Options "nosniff";
      add_header X-XSS-Protection "1; mode=block";
      add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; connect-src 'self' https:; img-src 'self' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; frame-src 'self' https:; object-src 'none';";
   }
}

And btw, yes - I've restarted nginx after each config change and also
emptied my browser cache before inspecting the headers.

Thanks for help and enlightenment :-)
   Oliver

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,256270,256270#msg-256270
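A small model of the two add_header rules from the ngx_http_headers_module docs that decide what reaches the browser in the two configs above, added here as an illustration (not nginx's own code and not from the post): a level inherits add_header lines only when it defines none itself, and without the `always` parameter (nginx 1.7.5 and later) a header is only added to responses with certain status codes. It assumes, as a constructed example, that the elided `location / ...` of the first try carried an add_header of its own (a Cache-Control line), and it covers four of the headers from the post.

```python
# Added model of two add_header rules from nginx's ngx_http_headers_module docs;
# this is an illustration, not nginx's own code.
#  1. A level (http/server/location) inherits the add_header lines of the
#     enclosing level only if it defines no add_header of its own.
#  2. Without the "always" parameter (nginx >= 1.7.5) a header is only added
#     to responses with one of the status codes below.

# Codes add_header applies to without "always" in nginx 1.7.x
# (308 joined this list in 1.13.0).
DEFAULT_CODES = {200, 201, 204, 206, 301, 302, 303, 304, 307}

# Four of the headers from the post, as (name, value, always) tuples.
SECURITY = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubdomains; preload", False),
    ("X-Frame-Options", "SAMEORIGIN", False),
    ("X-Content-Type-Options", "nosniff", False),
    ("X-XSS-Protection", "1; mode=block", False),
]

def effective_add_headers(levels):
    """levels: add_header lists for http, server, location (outermost first).
    A level with its own add_header lines replaces the inherited set."""
    effective = []
    for level in levels:
        if level:
            effective = list(level)
    return effective

def emitted_headers(levels, status):
    """Names of the headers nginx would send on a response with this status."""
    return sorted(name for name, _value, always in effective_add_headers(levels)
                  if always or status in DEFAULT_CODES)

def first_try(status=200):
    # Post's first config: security headers in server {}. ASSUMPTION (constructed):
    # the elided "location / ..." carried an add_header of its own, e.g. for caching.
    location = [("Cache-Control", "max-age=3600", False)]
    return emitted_headers([[], SECURITY, location], status)

def last_try(status=200):
    # Post's last config: the security headers sit inside location / itself.
    return emitted_headers([[], [], SECURITY], status)

if __name__ == "__main__":
    print("first try:", first_try())        # only Cache-Control survives
    print("last try: ", last_try())         # all four security headers
    print("last try, 404:", last_try(404))  # none without "always"
```

Repeating the headers in every location that has its own add_header, or moving the location's own add_header up to server level, restores the inherited set; `always` is what keeps them on error responses.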
