Did you check the security of the HTTP headers of your website? It is easy to do by modifying your server directives on Nginx, with the help of securityheaders.io by Scott Helme. The example below applies to 123run.com.
HTTP Strict Transport Security (HSTS) header
HTTP Strict Transport Security (HSTS) is a proposed security policy mechanism for HTTP that allows a web server to declare to a compatible user agent (such as a web browser) that it must interact with the server only over a secure connection (such as HTTPS). The server communicates the policy to the user agent in the HTTP response, in the header field named “Strict-Transport-Security”. The policy specifies a period of time during which the user agent must access the server only in a secure manner.
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
Cross-Site Scripting (XSS) header
Cross-site scripting (or XSS) is a type of security vulnerability in websites that allows an attacker to inject content, typically script, into a page, so that it runs in the browsers of users visiting that page.
add_header X-Xss-Protection "1; mode=block" always;
X-Frame-Options “SAMEORIGIN” header
Protection against clickjacking.
add_header X-Frame-Options "SAMEORIGIN" always;
X-Content-Type-Options “nosniff” header
This is a security feature that makes it easy to prevent attacks based on MIME confusion: the browser must respect the declared Content-Type instead of guessing the type from the content. For example, if a stylesheet is expected but the response is served with a different content type, the browser refuses to apply it.
add_header X-Content-Type-Options "nosniff" always;
Referrer-Policy header
Referrer-Policy is not only there to strip the referrer value, but gives you control over what the browser sends in it.
add_header Referrer-Policy "no-referrer-when-downgrade";
Referrer-Policy header values:
- no-referrer — No referrer information is sent.
- no-referrer-when-downgrade — This is the default behavior if no policy is specified. It always passes the full path and will pass a value from HTTPS→HTTPS but not HTTPS→HTTP.
- origin — Sends the domain but not the full path.
- origin-when-cross-origin — Sends the full path when on the same domain, but only the domain when passing to another website.
- same-origin — Sends the full path if it’s the same domain, but strips the value if going to another website.
- strict-origin — Sends the domain for HTTPS→HTTPS and HTTP→HTTP, but not HTTPS→HTTP.
- strict-origin-when-cross-origin — Sends the full path if on the same domain and from one secure page to another, sends the domain if going from HTTPS on one domain to another domain, and doesn’t pass if going from a secure domain to an insecure domain.
- unsafe-url — Sends the full path.
Content Security Policy (CSP) header
add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://apis.google.com www.google-analytics.com *.googlesyndication.com *.doubleclick.net *.cloudflare.com *.bootstrapcdn.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com *.bootstrapcdn.com; img-src 'self' data: www.google.com www.google.fr www.google-analytics.com *.cloudflare.com *.doubleclick.net; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com *.bootstrapcdn.com; connect-src 'self'; frame-src 'self' *.doubleclick.net; frame-ancestors 'none'; form-action 'none'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; base-uri 123run.com www.123run.com; referrer no-referrer-when-downgrade";
HTTP Public Key Pinning (HPKP) header
HTTP Public Key Pinning (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server, to reduce the risk of MITM attacks with forged certificates. Example, for an example.com site:
Public-Key-Pins: pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; max-age=5184000; includeSubDomains; report-uri="https://www.example.com/hpkp-report"
Source photo: James Sutton