Welcome! Log In Create A New Profile

Advanced

Behavior of security headers

January 26, 2015 06:19AM
Hi,

I've a question regarding the different security headers (Content-Security-Policy, etc.) which can be set via add_header.
In the docs it is mentioned that "add_header" can be set on every level (http, server, location). So i tried to set some security related header in the server block related to one domain. But this did not work as expected - in detail it did not work at all. Even the "Strict-Transport-Security" header did not work on server level...

My first guess was that the used nginx version (1.6.2 stable) may have some problems.. So I've updated to 1.7.9 from mainline repo. But nothing changed...

After some resultless googling for this problem I tried a lot of combinations and found that all headers work on only on location level - which confused me. In my opinion these headers shall work on server level as well or do I misunderstand something in these mechanisms?


config of my first try (NOT working)
server {
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; connect-src 'self' https:; img-src 'self' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; frame-src 'self' https:; object-src 'none';";
...
location / ....
}

config of confused last try (WORKS)
server {
...
location / {
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; connect-src 'self' https:; img-src 'self' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; frame-src 'self' https:; object-src 'none';";
}
}

And btw. yes - I've restarted nginx after each config change and also emptied my browser cache before inspecting the headers.

Thanks for help and enlightenment :-)
Oliver
Subject Author Posted

Behavior of security headers

okamzol January 26, 2015 06:19AM

Re: Behavior of security headers

Valentin V. Bartenev January 26, 2015 08:32AM

Re: Behavior of security headers

okamzol January 26, 2015 08:38AM

Re: Behavior of security headers

Valentin V. Bartenev January 26, 2015 08:50AM

Re: Behavior of security headers

okamzol January 26, 2015 09:35AM

Re: Behavior of security headers

B.R. January 26, 2015 11:06AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 103
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready