So! I saw an amazing video on YouTube that beautifully explains something obscure about NGINX: headers. I had quite a problem understanding headers, since in NGINX lore they stay in the background. You learn how to set NGINX up as a reverse proxy, and then you just stop thinking about it. Only after some time do you understand that there is more to NGINX as a whole. I stumbled across this video and found it super helpful. So you do not have to watch it (though I recommend you do); I wrote down the most important headers, and you can just copy and paste them into your configuration. The video link is down below!
Hides the NGINX version from HTTP headers. This makes it harder for attackers to identify the exact NGINX version and search for version-specific vulnerabilities.
Place this in `/etc/nginx/nginx.conf`, inside the `http` block.
Completely removes the `Server` header from HTTP responses.
Requires the headers-more module (Debian/Ubuntu package name shown):
```sh
apt install libnginx-mod-http-headers-more-filter
```
Place this in the public-facing NGINX `server` block, usually in `/etc/nginx/sites-available/*.conf`.
Restricts the browser to loading content only from the same origin as the website, unless other CSP rules allow additional sources. This helps control where scripts, images, styles, and other resources can be loaded from.
Place this on the public-facing NGINX reverse proxy, usually inside the website's `server` block.
Prevents the website from being loaded inside an iframe. This helps protect against clickjacking attacks.
Place this in the public-facing NGINX `server` block, or globally in the `http` block if it should apply to all sites.
Stops browsers from guessing (sniffing) file types instead of trusting the declared `Content-Type`. This prevents files from being interpreted as something else, such as an uploaded image or CSS file being treated as executable JavaScript, and so helps reduce some XSS risks.
Place this in the public-facing NGINX `server` block, or globally in the `http` block if it should apply to all sites.
Removes the `X-Runtime` header from backend responses. This hides backend request processing time from clients.
Use this on the reverse proxy, inside the relevant `location` or `server` block.
Removes the `X-Powered-By` header from backend responses. This avoids exposing backend technologies such as PHP, Express, ASP.NET, Laravel, or framework versions.
Use this on the reverse proxy, inside the relevant `location` or `server` block.
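As an added example (my own, not taken from the video or the original post), here is how all of the settings described above can look together; the server name, certificate paths, upstream address and the exact CSP value are placeholders you would replace.

```nginx
# --- /etc/nginx/nginx.conf, inside the http block ---
http {
    # Hide the NGINX version in the Server header and on error pages.
    server_tokens off;

    include /etc/nginx/sites-enabled/*;
}

# --- /etc/nginx/sites-available/example.conf (public-facing vhost) ---
server {
    listen 443 ssl;
    server_name example.com;                              # placeholder
    ssl_certificate     /etc/ssl/certs/example.pem;       # placeholder
    ssl_certificate_key /etc/ssl/private/example.key;     # placeholder

    # Needs libnginx-mod-http-headers-more-filter: remove the Server
    # header entirely rather than only stripping the version from it.
    more_clear_headers Server;

    # Browser-side protections. 'always' sends the header on error
    # responses too; without it add_header only applies to 2xx/3xx.
    add_header Content-Security-Policy "default-src 'self'" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;

    location / {
        proxy_pass http://127.0.0.1:3000;                 # placeholder upstream

        # Drop backend fingerprint headers before they reach the client.
        proxy_hide_header X-Runtime;
        proxy_hide_header X-Powered-By;
    }
}
```

One caveat worth checking with `curl -I`: `add_header` lines are inherited from the enclosing block only when the current block defines none of its own, so a `location` that adds its own header must repeat the others or they silently disappear for that path.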
I wrote this text based on the amazing video by The Lazy SysAdmin.