how to set security headers correctly?

Hi @esmertec,

NGINX uses an nginx.conf file which is usually located in the /etc/nginx/ folder or a specific site configuration file in the etc/nginx/sites-enabled/ folder. the NGINX add_header code should be placed inside the server { } block. See https://really-simple-ssl.com/security-headers-on-nginx/ for detailed instructions.

Hi @markwolters! The main nginx settings are on my server at /etc/nginx/nginx.conf, I added the server block to the http tag but the problem persists…
my nginx.conf:

http {
    server {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy upgrade-insecure-requests;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    add_header Expect-CT 'enforce; max-age=7776000';
    add_header X-Frame-Options "SAMEORIGIN";
    }

I am using debian 10, maybe I need to install some additional module? I have installed nginx-extras only.

Hi @esmertec,

strange, the headers should work when set in the server block. You might have to contact your hosting provider about this so they can check why it’s not working.

Hi @markwolters!
I am a hosting provider as the web server is running on my pc. I have a suspicion that the rules still work, because the warning in wordress says that the rules are missing in the file .htaccess. How do I check if the headers are doing the right thing?

Hi @esmertec,

could you check which server you are running? The .htaccess file is only used for Apache servers, if you use NGINX the headers should be added to your NGINX configuration. Alternatively, you can try to enable the ‘Set headers via PHP’ option to set the headers via PHP. This should work if you site does not use caching.

Hi @markwolters!
i use hestia cp, it runs apache2 – web server, nginx – reverse proxy server. In this control panel, there are a little strange rules, .htaccess does not accept header rules (the site crashes with a 500 error), so I had to add them to the configuration of apache2 itself. My site uses caching, so, unfortunately, the alternative method does not work…

And so I solved my problem with security headers, I remembered about this topic. saw the notification letter on my email))

when using your OWN host, with the HestiaCP site control panel, you need to do the following:
Nginx.conf SSL PCI compliance section delete completely, instead write the following:

# SSL PCI compliance
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dhparam.pem;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM";
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout  10m;
    ssl_buffer_size     1400;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling_verify on;
    resolver DNS1 DNS2 valid=300s ipv6=off;
    resolver_timeout    5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Expect-CT "max-age=7776000, enforce";
    add_header Referrer-Policy "no-referrer-when-downgrade";
    add_header Content-Security-Policy "upgrade-insecure-requests";

Apache2.conf In the “Global configuration” section, add the line Include conf-enabled/security.conf, after which we open the security config (/etc/apache2/conf-enabled/security.conf) and add lines to the very end:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
# Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Older versions
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options: "SAMEORIGIN"
Header always set X-Content-Type-Options: "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "max-age=7776000, enforce"
Header always set Referrer-Policy: "no-referrer-when-downgrade"
Header always set Content-Security-Policy "upgrade-insecure-requests"
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off

ATTENTION, in order for the header settings in Apache to work, you will need to enable headers_mod if you have not already done this, to enable it in the console enter the command:
# a2enmod headers

Well, in the end, you need to make a change to the .htaccess file, although as far as I understand this was no longer necessary because changes were made at the server level, but still. Looking for a section <IfModule mod_headers.c> if it is not there, we add it ourselves, and specify in it the same parameters that were specified in the apache2 security configuration:

<IfModule mod_headers.c>
    Header set Referrer-Policy "no-referrer-when-downgrade"
    Header set Strict-Transport-Security "max-age=63072000"
    Header set X-Frame-Options “SAMEORIGIN”
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set Expect-CT "max-age=7776000, enforce"
    Header set Content-Security-Policy "upgrade-insecure-requests"
</IfModule>

restart nginx and apache2 services, all headers will work fine!