After setting up an NGINX webserver with a GoDaddy-issued SSL certificate, I did an SSL test and saw that I was graded a C.

That’s average! I want a secure site.

So I looked around at a couple of things, and decided to put together a small list of things you can add to your NGINX configuration/server block for enhancing security.

  • I’m going to assume you’re already using an SSL certificate. If you aren’t, start there, and THEN look into how you can improve security 😉

1. Redirect all HTTP traffic to HTTPS

You should be doing this if you have an SSL certificate, unless you really have a reason to serve some things over HTTP and others over HTTPS.

Add this block before or after your current configuration, or otherwise modify your configuration for port 80 to match:

# redirect all http traffic to https
server {
  listen 80;
  server_name www.yourdomain.com;
  return 301 https://$host$request_uri;
}

2. Hide NGINX version

Sometimes software has vulnerabilities, and if you don’t update often, you can become a victim. To avoid letting people see which version you are running (such as a known vulnerable release), add this to your config:

# hide nginx version
server_tokens off;

3. Protect from Clickjacking

Protection from clickjacking (http://en.wikipedia.org/wiki/Clickjacking) is possible by not allowing your pages to be embedded in HTML frames.

# don't allow the browser to render the page inside a frame or iframe
add_header X-Frame-Options SAMEORIGIN;

There are three settings for X-Frame-Options:

  1. SAMEORIGIN: This setting will allow the page to be displayed in a frame on the same origin as the page itself.
  2. DENY: This setting will prevent a page displaying in a frame or iframe.
  3. ALLOW-FROM URI: This setting will allow a page to be displayed only on the specified origin (note that this value was never widely supported by browsers, so prefer SAMEORIGIN or DENY).

4. Disable mime content-type sniffing

This tells browsers not to "sniff" (guess) the content type of a response and instead trust the Content-Type header you send. Without it, a browser may reinterpret a user-supplied file as something else (such as a script), which can enable malicious code to be executed in your visitors' browsers.

# to disable content-type sniffing on some browsers.
add_header X-Content-Type-Options nosniff;

5. (re) Enable the Cross-site scripting filter

Enable the cross-site scripting filter for your site, should the user’s browser have it disabled for some reason.

# Enables the Cross-site scripting (XSS) filter
add_header X-XSS-Protection "1; mode=block";

6. Generate a strong DH Group (Diffie-Hellman)

By default, servers tend to use a few common (and insecure) DH groups, so you should generate a stronger, unique 2048-bit group instead:

openssl dhparam -out /path/to/output/dhparams.pem 2048

You must also define the location of the generated group in your server block.

  # Generated Diffie-Hellman group location (must match the file written by openssl above)
  ssl_dhparam /path/to/output/dhparams.pem;

7. Disable GZIP

You can protect your server from the BREACH attack (which exploits HTTP compression over TLS) by disabling the handling of GZIP altogether. Unless your server needs to use GZIP, go ahead and disable it.

gzip off;

8. Maintain SSL Sessions

If your viewer will be clicking around your site for more than one page, which we all hope, it’s best to cache their TLS session for a while so that each new connection doesn’t need a full handshake.

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

9. Enable HSTS to avoid SSL stripping

HSTS tells the browser to use HTTPS only for your domain for the given max-age, so a later plain-HTTP request can’t be downgraded or stripped.

  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

10. Set your cipher strength to something secure, yet compatible

  # let the server, not the client, pick the cipher from the list below
  ssl_prefer_server_ciphers on;
  # TLSv1 and TLSv1.1 are kept here for compatibility; both have since been deprecated (RFC 8996)
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # forward-secret ECDHE/DHE suites first, then fallbacks; weak families excluded with "!"
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
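Putting the ten items together, here is one complete server configuration as an added example (my own assembly, not the original post's config). It goes slightly beyond the list above: the security headers carry the `always` flag (nginx 1.7.5+) so they are also sent on error responses, TLS 1.0 and 1.1 are dropped because both are deprecated (RFC 8996), the cipher list is a shortened form of the one above, and the certificate, key and document-root paths are placeholders you must replace.

```nginx
# http context: hide the version on every response (item 2)
server_tokens off;

# item 1: plain HTTP, redirect everything to HTTPS
server {
    listen 80;
    server_name www.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.yourdomain.com;

    # placeholder paths: substitute your own certificate and key
    ssl_certificate     /etc/nginx/ssl/yourdomain.crt;
    ssl_certificate_key /etc/nginx/ssl/yourdomain.key;

    # item 6: the Diffie-Hellman group generated with "openssl dhparam"
    ssl_dhparam /path/to/output/dhparams.pem;

    # item 10: protocols and ciphers (TLS 1.0/1.1 dropped in this example)
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    # item 8: session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # item 7: no compression over TLS (BREACH)
    gzip off;

    # items 3, 4, 5, 9: security headers; "always" also adds them to 4xx/5xx responses
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        root /var/www/html;   # placeholder document root
        index index.html;
    }
}
```

One caveat worth knowing: `add_header` is inherited from the enclosing block only if the `location` block itself has no `add_header` directives of its own. If you add even one header inside a `location`, you must repeat all of them there, or the security headers silently disappear for that path.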

After implementing some more security on the server, I was able to pass with an A.
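To check the result without an external scanner, here is a small audit script as an added example (my own code, not from the original post). It parses a raw HTTP response and reports which of the hardening items above are missing: a leaked nginx version, a missing or weak X-Frame-Options, X-Content-Type-Options and X-XSS-Protection, a gzip-compressed body, and an HSTS header with a max-age shorter than a year or without includeSubDomains. The two responses it runs on are constructed samples, not captures from any real server.

```python
import re

# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.4.6 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "Content-Encoding: gzip\r\n"
    "\r\n"
    "<html></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
    "<html></html>"
)

ONE_YEAR = 31536000  # seconds, the max-age used in the post


def parse_headers(raw):
    """Split a raw HTTP response into a lower-cased header dict (body ignored)."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw)
    findings = []

    # item 2 (server_tokens off): the Server header must not leak a version
    if re.search(r"nginx/\d", h.get("server", "")):
        findings.append("server header reveals nginx version")

    # item 3 (clickjacking): X-Frame-Options must be DENY or SAMEORIGIN
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    # item 4 (MIME sniffing)
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # item 5 (XSS filter): legacy header, current browsers ignore it, but it is on the checklist
    if not h.get("x-xss-protection", "").startswith("1"):
        findings.append("X-XSS-Protection not enabled")

    # item 7 (BREACH): the response body must not be compressed
    if "gzip" in h.get("content-encoding", "").lower():
        findings.append("response is gzip-compressed (BREACH exposure)")

    # item 9 (HSTS): max-age of at least one year plus includeSubDomains
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS missing or max-age shorter than one year")
    elif "includesubdomains" not in hsts.replace(" ", "").lower():
        findings.append("HSTS lacks includeSubDomains")

    return findings


if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit(resp) or ["all checks passed"])
```

To run it against your own server, feed `audit()` the raw response text from a tool that shows headers (for example the output of `curl -i https://www.yourdomain.com/`); the weak sample above produces six findings, the hardened one none.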

I hope you, too, can pass with an A or even an A+.

Thank you for reading.
