My goal was to get a perfect score on Mozilla Observatory.
Security Headers in nginx website config file:
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Access-Control-Allow-Origin 'https://5am.is';
add_header Referrer-Policy no-referrer;
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'none'; connect-src 'none'; media-src 'self'; object-src 'none'; child-src 'none'; frame-src 'none'; worker-src 'none'; frame-ancestors 'none'; form-action 'none'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-scripts; base-uri https://5am.is;";
add_header Permissions-Policy "geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(), vibrate=(), fullscreen=(), payment=(), interest-cohort=()";
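A small checker for what the config above should produce, added here as an example and not part of the original post: it parses a captured set of response headers (constructed sample inputs, not real captures) and reports the headers that are missing or weaker than the intent shown in the nginx config. The thresholds and the list of unsafe CSP sources are my own choices, not Mozilla Observatory's exact scoring rules.

```python
# Added example, not the post's code: audit captured response headers against the config above.
ONE_YEAR = 31536000
UNSAFE_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}
# Constructed input: roughly what the nginx config above emits.
SAMPLE_STRICT = {
    "Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; style-src 'self'; "
    "img-src 'self'; object-src 'none'; frame-ancestors 'none'; form-action 'none';",
}
# Constructed input: a typical weak deployment.
SAMPLE_WEAK = {"Strict-Transport-Security": "max-age=300",
               "Content-Security-Policy": "default-src * 'unsafe-inline'"}

def parse_csp(value):
    """Split 'directive src ...; directive ...' into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";")]
    max_age = next((int(d.split("=", 1)[1]) for d in hsts if d.startswith("max-age=")), 0)
    if max_age < ONE_YEAR:
        findings.append("HSTS max-age below one year")
    if "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains")
    if h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options missing or permissive")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    # CSP: require a default-src fallback, frame-ancestors, and no wildcard or unsafe sources.
    policy = parse_csp(h.get("content-security-policy", ""))
    for directive in ("default-src", "frame-ancestors"):
        if directive not in policy:
            findings.append(f"CSP lacks {directive}")
    for directive, sources in policy.items():
        if bad := UNSAFE_SOURCES & set(sources):
            findings.append(f"CSP {directive} allows {sorted(bad)}")
    return findings
```

To use it against a live site, feed `audit()` the header dict from whatever HTTP client you already use; the checks are deliberately header-by-header so a failure points at one `add_header` line.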
What is Strict-Transport-Security?
“Strict-Transport-Security” (STS) is a security feature that enforces HTTPS on a website. When a user visits a website with STS, their browser remembers to always use HTTPS and automatically redirects any HTTP requests to HTTPS, preventing downgrade attacks.
The STS header sets a duration for this policy, typically one year. Once set, users cannot access the site via HTTP until the policy expires or is removed. Website owners must ensure proper HTTPS configuration before implementing STS.
What is X-Frame-Options?
“X-Frame-Options” is a security feature that prevents a website from being displayed within an iframe on another site. The header can have three values: “DENY”, “SAMEORIGIN”, and “ALLOW-FROM uri”. It protects against clickjacking attacks, in which an attacker hides links or buttons of the target site within an iframe on another site.
What is X-XSS-Protection?
“X-XSS-Protection” is a security feature that helps to prevent cross-site scripting (XSS) attacks on a website. When a browser detects a potential XSS attack, it can either block the malicious script or sanitize the page to remove the offending script.
The “X-XSS-Protection” header instructs the browser to enable its XSS filter, which can provide an additional layer of protection against these attacks. The header has one value, “1”, which enables the filter, and it is recommended to use it for better security.
What is X-Content-Type-Options?
“X-Content-Type-Options” is a security feature that helps to prevent MIME type sniffing attacks on a website. When a browser receives a response from a server, it may attempt to guess the MIME type of the content if it is not specified in the “Content-Type” header. This can lead to attacks where an attacker can inject malicious code by sending a different MIME type.
The “X-Content-Type-Options” header instructs the browser not to guess the MIME type and to use only the one specified in the “Content-Type” header. The header has one value, “nosniff”, which is recommended to use for better security.
What is Access-Control-Allow-Origin?
“Access-Control-Allow-Origin” is a security feature that controls which websites can access a resource from a different origin or domain. When a website requests a resource from a different domain, the server hosting the resource can use this header to specify which domains are allowed to access it.
The header has one value, which is either a wildcard “*” to allow any domain to access the resource, or a specific domain name to allow only that domain to access the resource. This header helps to prevent cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks by restricting which domains can access sensitive resources.
What is Referrer-Policy?
“Referrer-Policy” is a security feature that controls how much information is sent in the “Referer” header when a user clicks on a link or visits a website. The “Referer” header contains the URL of the page that the user came from, and it can potentially leak sensitive information such as search queries or personal data.
The “Referrer-Policy” header instructs the browser to either send the full URL, the URL without the path, only the origin, or no referrer information at all. The header has several values, including “no-referrer”, “no-referrer-when-downgrade”, “origin”, “origin-when-cross-origin”, and “same-origin”, among others. The header helps to protect user privacy and prevent sensitive information from being leaked to third-party websites.
What is Content-Security-Policy?
“Content-Security-Policy” (CSP) is a security feature that helps to prevent cross-site scripting (XSS), clickjacking, and other code injection attacks on a website. The header allows the server to specify which resources the browser can load or execute, such as scripts, stylesheets, images, and frames. By specifying which resources are allowed and disallowed, the header can prevent malicious scripts or content from being loaded on a website.
The header has many different values, including “default-src”, “script-src”, “style-src”, “img-src”, “frame-src”, “connect-src”, and others, which can be used to set the allowed sources for each type of resource. The header is a powerful security feature, but it requires careful configuration to avoid breaking the functionality of the website.
What is Permissions-Policy?
“Permissions-Policy” is a security feature that controls which browser features and APIs a website can use, and how they can be used. The header allows the server to specify a list of permissions that are granted or denied to the website. For example, the header can be used to control access to features like the microphone, camera, geolocation, and payment methods.
The header has several values, including “geolocation”, “camera”, “microphone”, “fullscreen”, “payment”, and others, which can be used to set the allowed or denied permissions for each feature. The header helps to prevent malicious websites from accessing sensitive user data or performing unwanted actions, and it can also help to improve performance and security by limiting the scope of a website’s capabilities.

#100DaysToOffload (19/100)