[PATCH] Config: enhancing nginx default config file with added security options
Kristian Erik Hermansen
kristian.hermansen at gmail.com
Thu Jul 31 10:56:59 UTC 2014
# HG changeset patch
# User Kristian Erik Hermansen <kristian.hermansen at gmail.com>
# Date 1406803911 25200
# Thu Jul 31 03:51:51 2014 -0700
# Node ID 8966ff589f5de5e9155335373247de4485451304
# Parent e0eaf2d92a8cee90abe592d7ac01d3118cb0853a
Config: enhancing nginx default config file with added security options.
diff -r e0eaf2d92a8c -r 8966ff589f5d conf/nginx.conf
--- a/conf/nginx.conf Wed Jul 30 04:32:16 2014 -0700
+++ b/conf/nginx.conf Thu Jul 31 03:51:51 2014 -0700
@@ -105,9 +105,34 @@
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
+ # recommended protocols that provide better security and compatibility
+ #
+ # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
+ # security headers recommended by OWASP to block common attacks
+ #
+ # add_header X-Frame-Options 'DENY';
+ # add_header X-Content-Type-Options 'nosniff';
+ # add_header X-XSS-Protection '1; mode=block';
+ # add_header Cache-Control 'no-cache, no-store, must-revalidate';
+ # add_header Pragma 'no-cache';
+ # add_header Expires '-1';
+ #
+ # security headers that require additional configuration
+ #
+ # #add_header X-Permitted-Cross-Domain-Policies 'master-only';
+ # #add_header Content-Security-Policy-Report-Only "default-src
'self'; report-uri /csp_report_parser";
+ # #add_header Content-Security-Policy "default-src 'self';
report-uri /csp_report_parser";
+ #
+ # security header required to attain an 'A+' rating via Qualys SSL Labs
+ #
+ # #add_header Strict-Transport-Security 'max-age=31536000';
+
+ # charset utf-8;
+
# location / {
# root html;
# index index.html index.htm;
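Review bot: the comment added on the `ssl_protocols` line calls SSLv3 one of the "recommended protocols that provide better security", but SSLv3 is an obsolete protocol with known weaknesses and should not appear in a recommended list; suggest `# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` so that a user who uncomments the line does not enable it. On the `add_header` block: nginx applies `add_header` directives from an enclosing level only when the nested `location` block defines no `add_header` of its own, so these headers silently disappear for any location that adds even one header; the comment should say so, or the headers should be placed where they are guaranteed to apply. `Cache-Control 'no-cache, no-store, must-revalidate'` together with `Pragma` and `Expires '-1'` at server scope disables caching for every response, including static files, which is a performance change rather than a drop-in hardening, so it belongs under "require additional configuration" rather than among the plain recommendations. Finally, the two `Content-Security-Policy` lines appear broken mid-value in this patch (`"default-src` / `'self'; report-uri /csp_report_parser";`); please confirm the committed file keeps each directive on a single line, since a wrapped value would be a syntax error once uncommented.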
--
Regards,
Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://google.com/+KristianHermansen