Behavior of security headers

B.R. reallfqq-nginx at yahoo.fr
Mon Jan 26 16:03:06 UTC 2015


Hello,

I guess the 'problem' you are struggling with is one you seem to inflict on
yourself.

As Valentin explained, and as is the case with other directives as well (
fastcgi_param
<http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_param>
immediately comes to my mind), if you specify some add_header
<http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header>
directives at a certain level, it cuts off the default inheritance
property, effectively *not* applying add_header directives defined at upper
levels.

The real question here is:
Why do you wanna avoid duplicating the common add_header fields over all
the locations?
The obvious answer, the 'ease' of maintenance, is maybe flawed:

   1. Two years later, to know the configuration applied to a location by a
   certain directive, you would need to look at several places. If you forgot
   you put some at server levels, you might end up with 'strange' behaviors.
   Even more true if the maintenance is done by someone else...
   2. If you want to replace the configuration of a directive amongst all
   locations where it is defined, standard Linux (UNIX?) commands such as
   grep, sed, cut, awk, etc. are there to handle such repetitive jobs.
   3. Finally, generating similar or identical copies of the same blocks on
   high volumes is generally not done by hand, but rather with tools such as
   configuration management ones.


I suggest you watch the video 'Scalable configuration' from Igor Sysoev
<https://youtu.be/YWRYbLKsS0I>, recorded during the nginx user conference
from last year: that would maybe help you understand better what I
attempted to explain here.

What you sometimes think is a problem might actually save you from actually
getting into trouble without even noticing it...
What is 'inefficient' to human eyes might be 'irrelevant' machine-wise...
The reverse might also be true. :o)
---
*B. R.*

On Mon, Jan 26, 2015 at 3:35 PM, okamzol <nginx-forum at nginx.us> wrote:

> OK, if I understand this right - in my original config I have 2 additional
> add_header (cache-control) directives in /image location. And these 2
> directives prevent that the security headers will be applied on server
> level? It seems so as this will explain why it works when I apply the
> sec.headers on location level...
>
> But how to handle domain-wide headers like those security headers and
> location specific ones like cache-control? I mean, without repeating all
> security headers in each location?
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,256270,256276#msg-256276
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
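The inheritance cut-off discussed in this thread, shown as an added example configuration (not from the original post or from the nginx project): a server-level set of security headers, a location that silently loses them because it declares its own add_header, and the corrected location that restates them. The host name, paths and header values are constructed placeholders.

```nginx
# Added example (not from the original thread). All names and values are
# constructed; the point is how add_header inheritance behaves per level.
server {
    listen 80;
    server_name example.test;   # placeholder host

    # Domain-wide security headers, declared once at server level.
    # "always" also emits them on error responses (nginx >= 1.7.5).
    add_header X-Frame-Options        "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff"    always;

    # BROKEN: because this location has add_header directives of its own,
    # it inherits *none* of the server-level ones. Responses for /images/
    # go out with Cache-Control and Vary, but without X-Frame-Options or
    # X-Content-Type-Options. Check with: curl -sI http://example.test/images/x.png
    location /images/ {
        add_header Cache-Control "public, max-age=86400";
        add_header Vary          "Accept-Encoding";
    }

    # FIXED: a location that needs its own add_header must restate every
    # inherited header it still wants. add_header is all-or-nothing per
    # level; there is no merge with the upper level.
    location /static/ {
        add_header X-Frame-Options        "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff"    always;
        add_header Cache-Control          "public, max-age=86400";
    }

    # A location with no add_header of its own keeps the server-level set.
    location / {
        root /var/www/html;
    }
}
```

Reload and compare `curl -sI` output for a path under /images/ with one under /static/ to see the missing headers on the broken location.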