Security Headers for HAProxy & Nginx

There are a number of attacks, such as clickjacking, that target websites and their users. Many of them can be prevented simply by having the web server send the right HTTP headers to the client.

Below are some security header configurations for HAProxy and Nginx.

HAProxy:

backend example.com
    # HSTS: two years, also for subdomains, eligible for the browser preload list
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    # Only allow framing by pages from the same origin (clickjacking)
    http-response set-header X-Frame-Options "SAMEORIGIN"
    # Legacy XSS filter for older browsers
    http-response set-header X-XSS-Protection "1; mode=block"
    # Stop browsers from MIME-sniffing the content type
    http-response set-header X-Content-Type-Options "nosniff"
    http-response set-header Referrer-Policy "no-referrer-when-downgrade"
    # CSP: header name and value are separate arguments, no colon.
    # Note that with only script-src set, other resource types remain unrestricted.
    http-response set-header Content-Security-Policy "script-src https://www.google-analytics.com"

Restart HAProxy.

Nginx:

Put the following in nginx.conf:

# add_header is valid in the http, server and location blocks. Note that a block
# that declares its own add_header does not inherit the parent block's headers,
# so keep the whole set together.
add_header X-Content-Type-Options nosniff;
# "deny" forbids framing entirely; use SAMEORIGIN if the site frames itself
add_header X-Frame-Options "deny";
add_header X-XSS-Protection "1; mode=block";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# No colon after the header name
add_header Referrer-Policy no-referrer-when-downgrade;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
# Directives are separated by ";". 'unsafe-inline' and 'unsafe-eval' weaken
# script-src considerably; remove them once inline scripts are moved to files.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com; object-src 'none'";

Restart Nginx.

When you are done, check the result with https://securityheaders.com/
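For an offline check before (or instead of) the online scanner, here is an added example, not part of the original post, that parses the header block of an HTTP response and reports which of the headers configured above are missing or weakly set. The sample responses are constructed; in practice you would feed it the head of a real response (for instance the output of `curl -sI https://example.com`). The names, threshold and findings format are the example's own assumptions.

```python
"""Offline security-header checker (added example, not from the original post)."""
import re

# Headers the HAProxy/Nginx snippets above set, mapped to the check applied.
EXPECTED = {
    "strict-transport-security": "hsts",
    "x-frame-options": "frame",
    "x-content-type-options": "nosniff",
    "referrer-policy": "present",
    "content-security-policy": "csp",
}

HSTS_MIN_AGE = 31536000  # one year, the smaller of the two max-age values above


def parse_headers(raw):
    """Split a raw HTTP response head into a dict keyed by lower-cased header name."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")  # first colon only; values may contain "://"
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value):
    """Turn "default-src 'self'; object-src 'none'" into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_headers(raw):
    """Return a list of findings; an empty list means every check passed."""
    headers = parse_headers(raw)
    findings = []
    for name, kind in EXPECTED.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing: {name}")
            continue
        if kind == "hsts":
            m = re.search(r"max-age=(\d+)", value, re.I)
            if not m:
                findings.append("hsts: max-age missing (a 'max age' typo breaks it)")
            elif int(m.group(1)) < HSTS_MIN_AGE:
                findings.append(f"hsts: max-age {m.group(1)} below {HSTS_MIN_AGE}")
            if "includesubdomains" not in value.lower():
                findings.append("hsts: includeSubDomains missing")
        elif kind == "frame" and value.upper() not in ("DENY", "SAMEORIGIN"):
            findings.append(f"x-frame-options: unexpected value {value!r}")
        elif kind == "nosniff" and value.lower() != "nosniff":
            findings.append(f"x-content-type-options: expected nosniff, got {value!r}")
        elif kind == "csp":
            policy = parse_csp(value)
            if "default-src" not in policy:
                findings.append("csp: no default-src fallback")
            script = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
            for weak in ("'unsafe-inline'", "'unsafe-eval'"):
                if weak in script:
                    findings.append(f"csp: script-src allows {weak}")
            if policy.get("object-src", [None]) != ["'none'"]:
                findings.append("csp: object-src is not 'none'")
    return findings


# Constructed sample: HSTS with the "max age" typo, no X-Frame-Options, CSP with 'unsafe-inline'.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max age=63072000; includeSubdomains; preload\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' "
    "https://ssl.google-analytics.com; object-src 'none'\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: what a correctly configured server should send.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' "
    "https://www.google-analytics.com; object-src 'none'\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("good", GOOD_RESPONSE)):
        print(label, check_headers(raw) or "all checks passed")
```

The checker deliberately treats a malformed `max-age` the same as a missing one, because the browser will ignore the whole HSTS header in that case; the same goes for a CSP whose directives are not separated by semicolons.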

Posted on: July 19, 2019