
Configuring Nginx server with security in mind, on the CRYSTAL v1.0 project

28.02.2025


This guide assumes that an SSL certificate is already installed.


1. Description of the security rules.


server_tokens off;
- Disables display of the Nginx version in response headers. This prevents leaking the server version, which makes reconnaissance harder for potential attackers.


add_header X-XSS-Protection "1; mode=block" always;
- Enables the XSS filter built into some browsers. If an attempt to inject malicious JavaScript is detected, the browser blocks rendering of the page.


add_header X-Content-Type-Options "nosniff" always;
- Prevents the browser from "guessing" (sniffing) the content type when the Content-Type header is missing or incorrect. This helps prevent MIME-sniffing attacks.


add_header Referrer-Policy "no-referrer-when-downgrade" always;
- Controls what is sent in the Referer header. With this value the full referrer is sent when navigating from HTTPS to HTTPS, but not from HTTPS to HTTP (a downgrade).


add_header Permissions-Policy "interest-cohort=()" always;
- Disables FLoC (Federated Learning of Cohorts), a controversial Google ad targeting technology. Protects user privacy.


add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
- Forces the browser to use HTTPS for all subsequent connections to the site for one year (31536000 seconds), including its subdomains.


add_header X-Frame-Options "DENY";
- Prevents the site from being loaded inside frames/iframes, which blocks clickjacking attacks.


add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; frame-ancestors 'self' https://www.google.com/ https://www.gstatic.com/; img-src 'self' data: blob:; style-src 'self'; script-src 'self' blob: https://www.google.com/ https://www.gstatic.com/;" always;

- Allows loading of resources only from the current domain ('self'), Google reCAPTCHA and blob: URLs.

- Blocks loading of external scripts and styles (unless they are explicitly listed).

- Forbids embedding the site in a frame from another domain, except google.com and gstatic.com.

- Allows images only from 'self', data: and blob:.

- CSP helps prevent XSS, loading of malicious resources and iframe attacks.
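The bullets above summarise the policy, but the browser applies it directive by directive: a fetch directive such as script-src uses its own source list when present and falls back to default-src only when absent, while frame-ancestors, form-action and base-uri never fall back. The following shell script, added here as an example and not part of the CRYSTAL project, splits the CSP from this page into its directives and prints the list that is actually in force for each resource type. The function names (csp_directive, effective_sources, allows_unsafe) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the CRYSTAL project: split the CSP from the
# page into directives and show which source list governs each resource type.

CSP="default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; frame-ancestors 'self' https://www.google.com/ https://www.gstatic.com/; img-src 'self' data: blob:; style-src 'self'; script-src 'self' blob: https://www.google.com/ https://www.gstatic.com/;"

# csp_directive CSP NAME: print the source list of directive NAME, empty if absent
csp_directive() {
    printf '%s\n' "$1" | tr ';' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | awk -v name="$2" '$1 == name { $1 = ""; sub(/^ /, ""); print; exit }'
}

# effective_sources CSP NAME: the list the browser actually applies. Fetch
# directives (script-src, style-src, img-src, connect-src, ...) fall back to
# default-src when unset; frame-ancestors, form-action and base-uri do not,
# so an empty result for them means "unrestricted".
effective_sources() {
    own=$(csp_directive "$1" "$2")
    case "$2" in
        frame-ancestors|form-action|base-uri) printf '%s\n' "$own" ;;
        *) if [ -n "$own" ]; then printf '%s\n' "$own"; else csp_directive "$1" default-src; fi ;;
    esac
}

# allows_unsafe CSP NAME: succeed if the effective list permits inline code or eval
allows_unsafe() {
    case " $(effective_sources "$1" "$2") " in
        *" 'unsafe-inline' "*|*" 'unsafe-eval' "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Summary of what the policy on the page allows per resource type
for d in script-src style-src img-src connect-src font-src frame-ancestors form-action; do
    if allows_unsafe "$CSP" "$d"; then flag=" [unsafe-inline/eval]"; else flag=""; fi
    printf '%-16s %s%s\n' "$d" "$(effective_sources "$CSP" "$d")" "$flag"
done
```

Run it with sh and compare the rows: script-src and style-src are set explicitly, so the 'unsafe-inline' and 'unsafe-eval' keywords in default-src do not reach scripts or styles, which is what gives this policy its XSS value; they do reach every fetch directive that is not set (connect-src, font-src and others). form-action prints an empty list, meaning forms may post anywhere, which is worth knowing when reviewing the policy.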


2. Create the directory 'nginxconf', which will hold the security rules file 'security.conf'.


Enter the command:

mkdir /etc/nginx/nginxconf

Then:

nano /etc/nginx/nginxconf/security.conf

Add the following code in the window that opens:

server_tokens off;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY";
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; frame-ancestors 'self' https://www.google.com/ https://www.gstatic.com/; img-src 'self' data: blob:; style-src 'self'; script-src 'self' blob: https://www.google.com/ https://www.gstatic.com/;" always;

After adding the code, press 'ctrl + x', 'y', 'Enter' in sequence.


3. Including 'security.conf' in the server configuration.


Enter the command:

nano /etc/nginx/sites-available/crystal

In the window that opens, add the code below after the second line from the top, 'server_name YourDomain www.YourDomain;':

# security
include /etc/nginx/nginxconf/security.conf;
# /security

Example:

server {
    server_name crysty.ru www.crysty.ru;
    # security
    include /etc/nginx/nginxconf/security.conf;
    # /security
    location / {
        root /var/www/crystal/frontend/dist;
        try_files $uri $uri/ /index.html;
    }
    ...

After adding the code, press 'ctrl + x', 'y', 'Enter' in sequence.


Then restart nginx with the command:

systemctl restart nginx
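Restarting nginx does not by itself prove that the headers reach the client, so it is worth checking the live response afterwards. The following shell script, added here as an example and not part of the CRYSTAL project, lists the header names that the rules in security.conf should produce, reports any that are missing from a response, and checks that the Server header no longer carries a version. The two sample responses embedded in it are constructed for this example, and the function names (fetch_headers, missing_headers, leaks_version) and the script name check_headers.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the CRYSTAL project: after the restart, confirm
# that the headers from security.conf actually reach the client. The function
# names and the sample responses below are constructed for this example.

REQUIRED_HEADERS="x-content-type-options x-frame-options strict-transport-security content-security-policy referrer-policy permissions-policy x-xss-protection"

# fetch_headers URL: response headers of a HEAD request (-I), no body
fetch_headers() {
    curl -sS -I "$1"
}

# missing_headers HEADERS: print required header names absent from HEADERS
# (names are compared case-insensitively); return 1 if any is missing
missing_headers() {
    present=$(printf '%s\n' "$1" | tr -d '\r' | awk -F: 'NF > 1 { print tolower($1) }')
    rc=0
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$present" | grep -qx "$h"; then
            printf '%s\n' "$h"
            rc=1
        fi
    done
    return $rc
}

# leaks_version HEADERS: succeed if the Server header still carries a version
# string such as "nginx/1.18.0", i.e. server_tokens off did not take effect
leaks_version() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^server:' | grep -q '/'
}

# Constructed sample: what the response should look like once the rules apply
SAMPLE_OK="HTTP/2 200
server: nginx
content-type: text/html
x-content-type-options: nosniff
x-frame-options: DENY
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: default-src 'self'
referrer-policy: no-referrer-when-downgrade
permissions-policy: interest-cohort=()
x-xss-protection: 1; mode=block"

# Constructed sample: HSTS never reached the client and the version still leaks
SAMPLE_BAD="HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: interest-cohort=()
X-XSS-Protection: 1; mode=block"

# Usage: sh check_headers.sh https://YourDomain/   (hypothetical script name)
if [ -n "${1:-}" ]; then
    hdrs=$(fetch_headers "$1")
    if missing=$(missing_headers "$hdrs"); then
        echo "all security headers present"
    else
        echo "missing headers:"; echo "$missing"
    fi
    if leaks_version "$hdrs"; then echo "warning: Server header still reveals the version"; fi
fi
```

Run it against the HTTPS address of the site, since browsers only honour Strict-Transport-Security over HTTPS. Two caveats that this check catches: in nginx, add_header directives are inherited by a nested block only if that block defines no add_header of its own, so adding an add_header inside 'location /' later would silently drop every header from security.conf for that location; and browsers that support frame-ancestors ignore X-Frame-Options when both are present, so the effective framing policy of this configuration is 'self' plus google.com and gstatic.com rather than DENY. Running 'nginx -t' before the restart avoids taking the site down on a syntax error.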

To protect the site from bots, you can install reCAPTCHA v3, which will run when a new user registers; use the following instructions for that.

The project is being tested in BrowserStack.
