NGINX Security Hardening

After setting up an NGINX webserver with a GoDaddy-issued SSL certificate, I did an SSL test and saw that I was graded a C.

That’s average! I want a secure site.

So I looked around at a couple of things, and decided to put together a small list of things you can add to your NGINX configuration/server block for enhancing security.

  • I’m going to assume you’re already using an SSL certificate. If you aren’t, start there, and THEN look into how you can improve security 😉


1. Redirect all HTTP traffic to HTTPS

You should be doing this if you have an SSL certificate, unless you really have a reason to serve some things over HTTP and others over HTTPS.

Add this block before or after your current configuration, or otherwise modify your existing port 80 configuration to match:

2. Hide NGINX version

Sometimes software has vulnerabilities, and if you don’t update often, you can become a victim. To avoid letting people see which version you are running (such as a known vulnerable release), add this to your config:

3. Protect from Clickjacking

Protection from clickjacking (http://en.wikipedia.org/wiki/Clickjacking) is possible by not allowing your pages to be embedded in HTML frames.

There are three settings for X-Frame-Options:

  1. SAMEORIGIN: This setting will allow the page to be displayed in a frame on the same origin as the page itself.
  2. DENY: This setting will prevent a page displaying in a frame or iframe.
  3. ALLOW-FROM URI: This setting will allow a page to be displayed only on the specified origin.

4. Disable mime content-type sniffing

This stops the browser from guessing (sniffing) a content type different from the one your server declares, which is one way user-supplied content can end up being interpreted as script and lead to some sort of unauthorized access.

5. (Re)enable the cross-site scripting filter

Enable the cross-site scripting filter for your site, should the user’s browser have it disabled for some reason.

6. Generate a strong DH Group (Diffie-Hellman)

A few commonly used DH groups are insecure, and you should generate a stronger, unique 2048-bit group instead of relying on a default one.

You must also define the location of the generated group in your server block.

7. Disable GZIP

You can protect your server from the BREACH attack against HTTPS by disabling gzip compression altogether. Unless your server really needs gzip, go ahead and disable it.

8. Maintain SSL Sessions

If your viewer will be clicking around your site for more than one page, which we all hope, it’s best to maintain their session for a duration.

9. Enable HSTS to avoid SSL stripping

HSTS instructs the browser to always connect to your site over HTTPS, so a stripped (plain HTTP) connection is never attempted.

10. Set your cipher strength to something secure, yet compatible
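Since the individual snippets for steps 1 through 10 did not survive on this page, here is one complete server block that puts all ten together. This is an added example, not the author's original configuration: example.com, the certificate paths, the web root and /etc/nginx/dhparam.pem are placeholders you will need to change for your own host.

```nginx
# Added example: a hardened NGINX server configuration covering steps 1-10.
# Hostnames and file paths are placeholders, not the post's original values.

# 1. Redirect all HTTP traffic to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;   # placeholder
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;   # placeholder

    ssl_certificate     /etc/ssl/certs/example.com.crt;     # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;   # placeholder path

    # 2. Hide the NGINX version in the Server header and on error pages
    server_tokens off;

    # 3. Clickjacking: only allow this site to frame its own pages
    add_header X-Frame-Options SAMEORIGIN always;

    # 4. Tell the browser not to sniff a different MIME type than the one sent
    add_header X-Content-Type-Options nosniff always;

    # 5. Re-enable the browser's built-in XSS filter where one still exists
    add_header X-XSS-Protection "1; mode=block" always;

    # 6. Use a unique 2048-bit DH group, generated once beforehand with:
    #    openssl dhparam -out /etc/nginx/dhparam.pem 2048
    ssl_dhparam /etc/nginx/dhparam.pem;   # placeholder path

    # 7. Disable gzip so response compression cannot be abused by BREACH
    gzip off;

    # 8. Cache TLS sessions so returning visitors skip a full handshake
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # 9. HSTS: browsers must use HTTPS for this host (and subdomains) for one year
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # 10. Modern protocols and forward-secret AEAD ciphers, server picks the order
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";

    root  /var/www/example.com;   # placeholder
    index index.html;
}
```

Two things to keep in mind when you drop this in. First, `add_header` directives are not inherited into a `location` block that declares its own `add_header`, so if you add headers inside a location you must repeat all of the security headers there too. Second, the `always` parameter (NGINX 1.7.5 and later) makes the headers appear on error responses as well, not just on 2xx/3xx. Check the result with `nginx -t` before reloading, and note that `X-XSS-Protection` and the `ALLOW-FROM` form of `X-Frame-Options` are legacy features that current browsers ignore; they are kept here to match the post, and the remaining headers are the ones doing the work today.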

After implementing some more security on the server, I was able to pass with an A.



I hope you, too, can pass with an A or even an A+.

Thank you for reading.
