I have been testing the security headers (https://securityheaders.com) of my nginx setup and wanted to check peoples opinion with nginx suffix location blocks.
Currently, I get 'A+' for http(s)://my.site however, 'B' when testing a suffix location ie https://my.site/location1
The warnings are for missing:-
- Content-Security-Policy
- Referrer-Policy
- Feature-Policy
My server block which receives 'A+' consists of:-
add_header 'Referrer-Policy' 'no-referrer';
add_header Strict-Transport-Security "max-age=15552000; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;;speaker self;vibrate none;fullscreen self;payment none;";
add_header Content-Security-Policy "frame-ancestors my.site;";
an example location block that receives 'B' consists of:-
location /location1 {
proxy_pass http://192.168.1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_buffering off;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
error_log /var/log/nginx/blah.error.log;
I have played around with adding the CSP within the location block, however if ths is the way - I must be getting the syntax wrong.
Are the security headers intended to cascade into location blocks? Or is the result of the scan expected? Or am I just noobing...
Cheers, Jonny
