API tools faq
paste
Advertisement
METAJIJI

Untitled

METAJIJI
Mar 9th, 2015
319
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Nginx 2.69 KB | None | 0 0
raw download clone embed print report
  1. # cat /etc/nginx/common_config/security.conf
  2. #read more here http://tautt.com/best-nginx-configuration-for-security/
  3.  
  4. #don't send the nginx version number in error pages and Server header
  5. server_tokens off;
  6.  
  7. # config to don't allow the browser to render the page inside an frame or iframe
  8. # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
  9. # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
  10. # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
  11. add_header X-Frame-Options SAMEORIGIN;
  12.  
  13. # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
  14. # to disable content-type sniffing on some browsers.
  15. # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
  16. # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
  17. # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
  18. # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
  19. add_header X-Content-Type-Options nosniff;
  20.  
  21. # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
  22. # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
  23. # this particular website if it was disabled by the user.
  24. # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
  25. add_header X-XSS-Protection "1; mode=block";
  26.  
  27. # with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
  28. # you can tell the browser that it can only download content from the domains you explicitly allow
  29. # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
  30. # https://www.owasp.org/index.php/Content_Security_Policy
  31. # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
  32. # directives for css and js(if you have inline css or js, you will need to keep it too).
  33. # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
  34. #add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!