Tag: cybersecurity

  • 7 useful security headers for NGINX.

    So! I saw an amazing video on YouTube which beautifully explains something obscure about NGINX: headers. I had quite a problem understanding headers, as in NGINX lore they are quite in the background. You learn how to set it up as a reverse proxy, and then you just stop thinking about it. Only after some time do you understand that there is more to NGINX as a whole. I stumbled across this video and found it super helpful. So that you do not have to watch it (though I recommend you should), I wrote down the most important headers, and you can just copy and paste them into your configuration. The video link is down below!

    `server_tokens off;`

    Hides the NGINX version in the `Server` response header and on NGINX error pages. Without it, an attacker can read the exact NGINX version and look up vulnerabilities specific to that version.

    Place this in `/etc/nginx/nginx.conf`, inside the `http` block.

    `more_clear_headers Server;`

    Completely removes the `Server` header from HTTP responses. Note that `server_tokens off` alone still sends `Server: nginx`; only this directive drops the header entirely.

    Requires the headers-more module, which on Debian and Ubuntu is a separate package:

    `apt install libnginx-mod-http-headers-more-filter`

    Reload NGINX after installing it so the module is loaded; otherwise `nginx -t` will reject the unknown directive.

    Place this in the public-facing NGINX `server` block, usually in `/etc/nginx/sites-available/*.conf`.

    `add_header Content-Security-Policy "default-src 'self';" always;`

    Restricts the browser to loading content only from the same origin as the website, unless other CSP rules allow additional sources. This controls where scripts, images, styles, and other resources can be loaded from. Be aware that `default-src 'self'` also blocks inline scripts and styles and anything served from a CDN, so test the site with the browser console open and extend the policy (for example with a `script-src` directive) where the site needs it.

    Place this on the public-facing NGINX reverse proxy, usually inside the website’s `server` block.

    `add_header X-Frame-Options "DENY" always;`

    Prevents the website from being loaded inside an iframe. This helps protect against clickjacking attacks.

    Place this in the public-facing NGINX `server` block, or globally in the `http` block if it should apply to all sites. Keep in mind that NGINX inherits `add_header` directives from the `http` or `server` level only into blocks that define no `add_header` of their own; a `location` that adds even one header must repeat all of them.

    `add_header X-Content-Type-Options "nosniff" always;`

    Stops browsers from MIME-sniffing a response away from its declared `Content-Type`. This prevents files from being interpreted as something else, such as treating an uploaded image or CSS file as executable JavaScript, and so reduces some XSS risks.

    Place this in the public-facing NGINX `server` block, or globally in the `http` block if it should apply to all sites.

    `proxy_hide_header X-Runtime;`

    Removes the `X-Runtime` header from backend responses. This hides backend request processing time from clients.

    Use this on the reverse proxy, inside the relevant `location` or `server` block.

    `proxy_hide_header X-Powered-By;`

    Removes the `X-Powered-By` header from backend responses. This avoids exposing backend technologies such as PHP, Express, ASP.NET, Laravel, or framework versions.

    Use this on the reverse proxy, inside the relevant `location` or `server` block.
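    A quick way to verify that all seven directives took effect is to audit the response headers a client actually receives. The following script is an added example, not code from the post or from The Lazy SysAdmin; it checks a dict of response headers (constructed samples, so it runs offline) against the seven items above and names the directive that fixes each finding.

```python
"""Audit HTTP response headers against the seven NGINX items above.
Added example; not code from the original post."""

# Headers that should be absent entirely (they leak backend details).
FORBIDDEN_HEADERS = ("x-runtime", "x-powered-by")

# Headers that should be present with the value the post recommends.
REQUIRED_HEADERS = {
    "content-security-policy": "default-src 'self';",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
}


def audit_headers(headers):
    """Return findings for a dict of response headers ([] means all pass).
    Names and values are compared case-insensitively, as HTTP allows."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    server = lowered.get("server")
    if server is not None and "/" in server:
        findings.append(f"Server leaks a version: {server!r} (server_tokens off)")
    elif server is not None:
        findings.append(f"Server still present: {server!r} (more_clear_headers Server)")
    for name in FORBIDDEN_HEADERS:
        if name in lowered:
            findings.append(f"{name} is exposed: {lowered[name]!r} (proxy_hide_header)")
    for name, expected in REQUIRED_HEADERS.items():
        value = lowered.get(name)
        if value is None:
            findings.append(f"{name} is missing (add_header)")
        elif value.lower() != expected.lower():
            findings.append(f"{name} is {value!r}, expected {expected!r}")
    return findings


# Constructed sample: a reverse proxy before hardening.
UNHARDENED = {
    "Server": "nginx/1.24.0",
    "X-Powered-By": "PHP/8.2.4",
    "X-Runtime": "0.031337",
}

# Constructed sample: the same proxy with all seven directives applied.
HARDENED = {
    "Content-Security-Policy": "default-src 'self';",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
```

    Against a live server, feed it the headers from `curl -sI https://your-site/` parsed into a dict; `audit_headers(UNHARDENED)` returns six findings and `audit_headers(HARDENED)` returns an empty list.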

    Original explanation on YouTube:

    I wrote this text based on an amazing video by The Lazy SysAdmin.

  • Internet battlefield?

    Welcome to the new age of warfare.

    Yes. The internet is now a battlefield on more levels than many people realize. There are conflicts between nations, AI wars, bot wars, and information wars. The topic is large enough to fill an entire book. I will try to avoid politics as much as possible, although in some cases it is difficult to do so.

    So, what Internet Battlefield are we talking about today? Unfortunately, the more political one: conflict between nations. Whether people notice it or not, it is happening. Try spinning up a server, install rsyslog, and watch your auth.log. You will most likely see countless login attempts coming from different IP addresses. Many of them will originate from China, Iran, or Russia, although you should not be fooled into thinking they come only from those countries. You will also see activity from Europe and the United States. But who are these actors, and what are they trying to achieve?

    In 99.99% of cases, they are not people at all. They are automated bots. These systems continuously scan the internet for anything they can reach and attempt to gain access through what we call brute-force attacks. A brute-force attack is a method where an attacker repeatedly tries different passwords until one eventually works. The goal is simple: gain access.
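    To see the bot traffic the previous paragraphs describe, count failed SSH logins per source address in `auth.log`. The script below is an added example, not part of the original post; it runs over constructed sample lines (documentation IP ranges, not real attackers) and flags any source that crossed a failure threshold, which is the same signal fail2ban bans on.

```python
"""Count failed SSH logins per source IP in auth.log, the pattern the
post describes. Added example; not code from the original post."""
import re
from collections import Counter

# sshd's "Failed password" line as rsyslog writes it to auth.log.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample lines (documentation IP ranges, not real sources).
SAMPLE_LOG = """\
Mar  3 02:14:07 vps sshd[1412]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 02:14:09 vps sshd[1412]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 02:14:12 vps sshd[1415]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 02:14:15 vps sshd[1417]: Failed password for invalid user oracle from 198.51.100.9 port 40022 ssh2
Mar  3 02:14:20 vps sshd[1420]: Accepted publickey for alice from 192.0.2.10 port 50010 ssh2
Mar  3 02:14:31 vps sshd[1412]: Failed password for root from 203.0.113.5 port 51250 ssh2
"""


def failed_logins_by_ip(lines):
    """Return a Counter of failed password attempts keyed by source IP."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def brute_force_sources(lines, threshold=3):
    """Return (ip, failures) for sources at or above `threshold`, busiest
    first. This is the same signal fail2ban acts on with a temporary ban."""
    counts = failed_logins_by_ip(lines)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {n} failed logins")
```

    On a real host, replace `SAMPLE_LOG.splitlines()` with `open("/var/log/auth.log")`; the successful `Accepted publickey` line is deliberately included to show it is not counted.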

    The reality is that countries such as Russia, Iran, China, and North Korea invest heavily in cyberwarfare, automated tools, and the training of skilled hackers. They are not amateurs. Many of these groups are highly capable and experienced.

    Microsoft Digital Defense Report 2025

    EU consistently targeted by diverse yet convergent threat groups

    How does it show up in our daily lives?

    During the COVID-19 pandemic, several Russian hacker groups targeted Western hospitals (links below), attempting to disrupt operations and create chaos. In many cases, they were not seeking money or publicity. Their goal was simply to cause damage while hospitals were already under tremendous pressure. Whether one agrees with every example or not, it illustrates how hostile parts of the internet have become.

    I have worked in IT for years, and one thing is clear: anything with a public IP address will eventually attract attention. What is even more interesting is that modern threats are no longer limited to directly exposed systems. If a service is reachable and vulnerable, attackers will find it. If they gain access, they will often steal data, deploy ransomware, or use the compromised system for further attacks.

    So yes, the internet is a battlefield, and sooner or later everyone becomes part of it. Every malware campaign and every scam website originates somewhere. Some hacker groups are ordinary criminals interested only in money, while others receive support from governments. The profits generated from cyber crime can fund further operations and keep these groups active.

    When you receive an email claiming that someone has compromising photos of you and demanding payment, sending money does not simply solve the problem. In many cases, it helps fund future criminal activity. The same principle applies in the corporate world. You may think, “If my company gets hacked, that’s not my problem.” In some situations, that attitude is understandable. Many companies do not invest enough in security until after a breach occurs. However, it should still matter to you.

    What can we do as pawns on this battlefield?

    Every data breach and every successful attack generates income for cyber criminals. That income allows them to continue operating and launching new attacks. Every secured device, every hardened server, and every prevented compromise reduces their chances of success.

    So what can we do? Anyone can learn basic cyber self-defense. Anyone can learn good security habits, and every IT professional can contribute by properly securing the systems they manage. A teenager can begin studying cybersecurity (I can recommend this one, it’s fun!) online and develop valuable skills. It not only helps you understand how the internet works and how threats operate, but it can also open the door to a rewarding and engaging career.

    Older people can learn these skills as well. In fact, many of the most important security practices can be learned in a single day of reading and practice. Strong passwords, multi-factor authentication, software updates, and basic awareness already go a long way.

    I will be posting guides and videos here about staying safe online. I will end this post with a famous saying:

    “Do not feed the trolls.”