security headers

nhybgtvfr

please add somewhere where customers can add and edit security headers easily.

eg:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; ";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'self'";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "origin";

and some, eg HSTS should probably be automatically added when ssl is enabled.
customers need to be able to change these settings according to the content of their site.
i don't want to have to keep manually going to the overrides and editing the vhost config for them.

and not everyone is using apache / ols, so can't tell them to just put it in .htaccess

enhance_dan

I'd also like to request the ability to easily add security headers for Nginx.

I was looking to add just a few globally. I was able to create a custom .conf file in /etc/nginx/conf.d/ and add the below to it:

# Global security headers

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

I feel those headers are pretty safe to add globally, but the above only works for HTML sites. It doesn't work on PHP sites.

Preferably though, customers should be able to set all the relevant security headers themselves on servers running Nginx. As nhybgtvfr said, not everyone is using Apache / OLS, some of us like Nginx. 😃

DracoBlue

Is open Feature Request
https://community.enhance.com/d/1040-ssl-certificate-more-options

rdbf

You have to add them in the php location section of the website vhosts as well if you want them to show up for wordpress/php sites. They will work and show up then.

enhance_dan not everyone is using Apache / OLS, some of us like Nginx.

More like, most people use Nginx, except on Enhance, which might be because of the basic implementation compared to the other webservers: https://community.enhance.com/d/2873-nginx-http3-and-brotlizstd/8

enhance_dan

rdbf You have to add them in the php location section of the website vhosts as well if you want them to show up for wordpress/php sites. They will work and show up then.

Thanks for the reply.

~~Are you talking about in /etc/nginx/sites-enabled/****.conf, or in the /etc/nginx/vhost_includes/****.conf file?~~ Seems you are talking about in the respective /etc/nginx/sites-enabled/****.conf file...

I tried multiple ways to get it working without touching the /etc/nginx/sites-enabled/****.conf file because I read those can apparently get overwritten at some point and I don't want to have to monitor them all the time. Unfortunately everything I've tried so far hasn't been successful.

If you know of a way I could get those security headers added from the /etc/nginx/vhost_includes/****.conf file that would be awesome.

rdbf More like, most people use Nginx, except on Enhance, which might be because of the basic implementation compared to the other webservers: https://community.enhance.com/d/2873-nginx-http3-and-brotlizstd/8

Yeah I'm kind of discovering that Ngnix is a bit hard to work with here, but I really don't want to switch over to Apache, and I'm not up for trying OLS yet.

I saw your link here though https://github.com/rdbf/nginxtune-enhance and I'm interested in trying it out.

rdbf

enhance_dan I tried multiple ways to get it working without touching the /etc/nginx/sites-enabled/****.conf file because I read those can apparently get overwritten at some point and I don't want to have to monitor them all the time. Unfortunately everything I've tried so far hasn't been successful.

Since you can't have duplicate location sections, it has to be in that section. These sites-enabled .conf files indeed get overwritten, they are generated by the Enhance software each time something relevant changes. So having a script that monitors and adjust the file is a way of adding the functionality.

If you don't change anything on the server/website config and just want it to work, you could edit the nginx.conf file to not include these sites-enabled/*.conf files and copy the files to a directory of your choosing, which you then include, and modify the files any way you want, but that will become quite hacky....

enhance_dan

rdbf Thanks again for the reply.

Yeah I'm trying to not do too many "hacky" things just for ease of maintaining everything down the road.

It seems to me then that there really isn't a good/easy way for customers to add security headers for their website on the Nginx web server here. That's a shame. 🙁

nhybgtvfr

ispconfig manages it..

they have a section for adding nginx directives into the vhost config.

you can add code like:
location @php {##merge## fastcgi_read_timeout 300; }

not sure how it actually gets handled in the code, but the added directives get merged into that location in the sites vhost config instead of adding a duplicate instance of that location section...
might be worth taking a look at how they've done it.