
NGINX Security Configurations for Web Applications
As a web application's entry point, the web server plays a crucial role in the security and integrity of your online presence. NGINX is one of the most popular and widely used web servers, and it offers numerous configuration options that protect against common web attacks.
In this article, we will delve into 11 essential NGINX security configurations for web applications that you should implement to safeguard your website from potential threats.
1. Enable HTTP Strict Transport Security (HSTS)
Enable HSTS so that, once a browser has received the header over HTTPS, it rewrites plain http:// requests for your host to https:// for the next max-age seconds. This removes the unencrypted first request that a man-in-the-middle could otherwise intercept or downgrade.
To enable HSTS in NGINX, add the following configuration inside the HTTPS server block (browsers ignore the header on plain-HTTP responses):
```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
```
Two caveats apply to every add_header in this article: the directive only attaches to 2xx, 3xx and a few other response codes unless you append the `always` parameter, and add_header directives are not merged across contexts, so a location block that declares its own add_header silently drops every add_header inherited from the enclosing server or http block. Repeat the security headers wherever a nested add_header appears.
2. Implement Content Security Policy (CSP)
Configure CSP to define which origins the browser may load scripts, styles, images and other resources from while rendering your web application. The policy below restricts everything to your own origin and additionally allows scripts from https://example.com; because no 'unsafe-inline' is listed, inline scripts are blocked as well.
To implement CSP in NGINX, add the following configuration:
```nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://example.com";
```
3. Use SSL/TLS Certificates
Use trusted SSL/TLS certificates to encrypt communications between your web server and clients.
To configure NGINX with SSL/TLS certificates, add the following configuration (replace the placeholder paths with the location of your certificate chain and private key, and keep the key readable only by the NGINX user):
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /path/to/ssl/cert.crt;
    ssl_certificate_key /path/to/ssl/key.key;
}
```
4. Configure Rate Limiting
Implement rate limiting to slow brute-force attacks on your login page or other sensitive endpoints. The zone below keys on the client address ($binary_remote_addr), reserves 10 MB of shared memory for the per-address counters, and allows 5 requests per second; without a `burst` parameter, any request arriving faster than that is rejected with 503 (the default limit_req_status).
To configure NGINX with rate limiting, add the following configuration:
```nginx
http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;
    server {
        location /login {
            limit_req zone=one;
        }
    }
}
```
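To see what `rate=5r/s` actually permits, here is an added example (not code from the article or from NGINX) that models the leaky-bucket algorithm ngx_http_limit_req uses: the backlog ("excess") is kept in thousandths of a request and drained at the configured rate, and a request is rejected when the backlog would exceed `burst`. The arrival timeline is constructed.

```python
# Added example (not from the article): a model of NGINX's limit_req
# leaky bucket, used to see which requests the config above would accept.
# "excess" is kept in thousandths of a request, the way ngx_http_limit_req
# does, so integer arithmetic matches the server's behaviour.

class LimitReq:
    """Per-key state for one limit_req zone (one instance per client key)."""

    def __init__(self, rate_per_sec, burst=0):
        self.rate = rate_per_sec * 1000   # milli-requests per second
        self.burst = burst * 1000         # allowed backlog, milli-requests
        self.excess = 0                   # current backlog
        self.last = None                  # time of last accepted request (ms)

    def request(self, now_ms):
        """Return True if a request arriving at now_ms is accepted."""
        if self.last is None:             # first request for this key
            self.last = now_ms
            return True
        elapsed = max(now_ms - self.last, 0)
        # drain the bucket at the configured rate, then add this request
        excess = self.excess - self.rate * elapsed // 1000 + 1000
        excess = max(excess, 0)
        if excess > self.burst:
            return False                  # rejected: 503 by default
        self.excess = excess
        self.last = now_ms
        return True


def simulate(rate_per_sec, burst, arrivals_ms):
    """Accept/reject decision for each arrival time, in order."""
    bucket = LimitReq(rate_per_sec, burst)
    return [bucket.request(t) for t in arrivals_ms]


ARRIVALS = [0, 50, 100, 150, 200, 400, 600]  # constructed timeline, in ms

if __name__ == "__main__":
    print(simulate(5, 0, ARRIVALS))  # 5r/s, no burst: one request per 200 ms
    print(simulate(5, 2, ARRIVALS))  # 5r/s, burst=2: two extra requests tolerated
```

With `burst=0` the zone enforces exactly one request every 200 ms and the rejected requests do not change the backlog. With `burst=2` two extra requests are absorbed; note that without `nodelay` NGINX serves those excess requests late rather than immediately, which this model does not show.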
5. Protect Against SQL Injection Attacks
Implement input validation and sanitization in the application, and use parameterized queries, to prevent malicious users from injecting SQL code into your database.
NGINX can only add a crude first line of defence. The rule below rejects any request whose raw query string contains the literal " UNION "; it is case-sensitive, sees the query string before URL decoding, and matches a single keyword, so treat it as a nuisance filter and not as the control that stops SQL injection:
```nginx
if ($query_string ~ " UNION ") {
    return 403;
}
```
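The following added example (not from the article) shows where the real control sits: the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table, plus a Python mirror of the article's NGINX rule so the two can be compared on the same input.

```python
# Added example (not from the article): the control that actually stops SQL
# injection lives in the application, not in an NGINX regex. Both lookups
# below run against a constructed in-memory SQLite table; only the
# parameterised one treats the input strictly as data.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])  # constructed rows
    return conn


def lookup_concatenated(conn, name):
    # Vulnerable: the input is spliced into the SQL text, so a quote and a
    # comment marker in it change the structure of the WHERE clause.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    # Hardened: the driver binds the value separately from the statement,
    # so the same input is only ever compared as a string.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def nginx_style_filter(query_string):
    # Mirror of the article's `if ($query_string ~ " UNION ")` rule: a raw,
    # case-sensitive substring test on the undecoded query string.
    return " UNION " in query_string


CRAFTED = "nobody' OR 1=1 --"   # constructed input: a quote, an OR, a comment

if __name__ == "__main__":
    db = make_db()
    print(lookup_concatenated(db, CRAFTED))     # every row: WHERE clause rewritten
    print(lookup_parameterised(db, CRAFTED))    # []: no user has that literal name
    print(nginx_style_filter("name=" + CRAFTED))  # False: the rule never fires here
```

The parameterised lookup returns nothing for the crafted value and the correct row for a genuine name, which is the behaviour to require in code review; the NGINX rule returns False for the same request, which is why it cannot substitute for that review.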
6. Use the X-Frame-Options Header
Configure the X-Frame-Options header to prevent clickjacking attacks. SAMEORIGIN allows your pages to be framed only by pages from the same origin; use DENY if nothing should frame them. The CSP frame-ancestors directive is the modern equivalent and takes precedence in browsers that support it.
To configure NGINX with the X-Frame-Options header, add the following configuration:
```nginx
add_header X-Frame-Options "SAMEORIGIN";
```
7. Implement Two-Factor Authentication (2FA)
Configure 2FA to require users to provide an additional form of verification before accessing your web application.
NGINX itself cannot verify a second factor; it can only refuse requests that do not carry the credential the application expects, and the application (or an authentication service queried through the auth_request module) has to validate it. The snippet below rejects requests that carry no Authorization header at all:
```nginx
if ($http_authorization = "") {
    return 401;
}
```
8. Use the X-XSS-Protection Header
Configure the X-XSS-Protection header to enable the browser's built-in reflected cross-site scripting (XSS) filter. Note that this filter is deprecated and current versions of Chrome, Edge and Firefox ignore the header; the Content-Security-Policy from section 2 is the effective control.
To configure NGINX with the X-XSS-Protection header, add the following configuration:
```nginx
add_header X-XSS-Protection "1";
```
9. Implement Referrer Policy
Configure a referrer policy to control how much of the current page's URL is sent in the Referer header when the user follows a link or loads a resource. The strict-origin value sends only the origin (scheme, host and port), and sends nothing at all when the destination is plain HTTP.
To implement a referrer policy in NGINX, add the following configuration:
```nginx
add_header Referrer-Policy "strict-origin";
```
10. Use the X-Content-Type-Options Header
Configure the X-Content-Type-Options header to prevent MIME-sniffing attacks.
To configure NGINX with the X-Content-Type-Options header, add the following configuration:
```nginx
add_header X-Content-Type-Options "nosniff";
```
11. Use the Strict-Transport-Security-Report-Only Header
Configure a report-only strict transport security (HSTS) policy to test and monitor HSTS implementations before enforcing them.
To configure NGINX with a report-only HSTS policy, add the following configuration:
```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; reportOnly";
```
Be aware that RFC 6797 defines no report-only mode and browsers ignore HSTS directives they do not recognise, so the header above still enforces HSTS for a full year. For a staged rollout, send the header with a short max-age (a few minutes) first, confirm that every subdomain serves valid HTTPS, and only then raise max-age to 31536000.
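Before declaring the rollout done, it helps to audit the headers a server actually sends. The following added example (not from the article) implements such a check over a constructed header set built from the add_header lines above; the same function can be fed the headers from a `curl -sI` against your own host.

```python
# Added example (not from the article): an audit of the response headers the
# configurations above emit, run here over a constructed header set rather
# than a live server.
KNOWN_HSTS_DIRECTIVES = {"max-age", "includesubdomains", "preload"}  # RFC 6797 plus preload


def parse_hsts(value):
    """Split an HSTS value into a dict of lower-cased directive -> value."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip()
    return directives


def audit_headers(headers):
    """Return (level, message) findings for a header dict; names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("fail", "HSTS header missing"))
    else:
        d = parse_hsts(hsts)
        max_age = d.get("max-age", "0")
        if not max_age.isdigit() or int(max_age) < 31536000:
            findings.append(("warn", "HSTS max-age below one year"))
        for unknown in sorted(set(d) - KNOWN_HSTS_DIRECTIVES):
            # Browsers ignore directives they do not recognise; the rest of the
            # header is still enforced, so an unknown token is never a dry run.
            findings.append(("warn", f"HSTS directive '{unknown}' is not standard and is ignored"))

    if "content-security-policy" not in h:
        findings.append(("fail", "Content-Security-Policy missing"))

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("fail", "X-Frame-Options missing or not DENY/SAMEORIGIN"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("fail", "X-Content-Type-Options is not 'nosniff'"))

    if "referrer-policy" not in h:
        findings.append(("warn", "Referrer-Policy missing"))

    if "x-xss-protection" in h:
        findings.append(("info", "X-XSS-Protection is deprecated; rely on CSP instead"))

    return findings


# Constructed header set: what the article's add_header lines produce together.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; reportOnly",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://example.com",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1",
    "Referrer-Policy": "strict-origin",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for level, msg in audit_headers(SAMPLE_HEADERS):
        print(f"[{level}] {msg}")
```

On the constructed set the audit reports two findings: the unrecognised reportOnly token in the HSTS header, and the deprecated X-XSS-Protection header. An empty header set fails on every mandatory check, which is the result to expect from a location block whose own add_header has displaced the inherited ones.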
By implementing these 11 essential NGINX security configurations for web applications, you can significantly enhance the security and integrity of your online presence.