28.02.2025
These instructions assume that you have already installed an SSL certificate.
Enter the command:
mkdir /etc/nginx/nginxconf
Then:
nano /etc/nginx/nginxconf/security.conf
Add the following code in the window that opens:
server_tokens off;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY";
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; frame-ancestors 'self' https://www.google.com/ https://www.gstatic.com/; img-src 'self' data: blob:; style-src 'self'; script-src 'self' blob: https://www.google.com/ https://www.gstatic.com/;" always;
After adding the code, press ‘ctrl + x’, ‘y’, ‘Enter’ in sequence.
Enter the command:
nano /etc/nginx/sites-available/crystal
Add the code below in the window that opens, after the second line from the top – ‘server_name YourDomain www.YourDomain;’:
# security
include /etc/nginx/nginxconf/security.conf;
# /security
Example:
server {
    server_name crysty.ru www.crysty.ru;
    # security
    include /etc/nginx/nginxconf/security.conf;
    # /security
    location /
    {
        root /var/www/crystal/frontend/dist;
        try_files $uri $uri /index.html;
    }.....
After adding the code, press ‘ctrl + x’, ‘y’, ‘Enter’ in sequence.
Then restart nginx with the command:
systemctl restart nginx
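To confirm after the restart that the headers are actually being sent, the following check lists which headers from security.conf are missing from a response and whether the Server header still shows a version. It is an added example, not part of the original instructions; the function names and both sample responses are constructed for illustration. The 404 sample lacks X-Frame-Options because that line in security.conf has no `always`, so nginx adds it only to successful and redirect responses.

```shell
#!/bin/sh
# Added example (not from the original page): check a response for the
# headers set in /etc/nginx/nginxconf/security.conf.
# Real use: curl -sI https://YourDomain/ | missing_headers

EXPECTED_HEADERS="X-XSS-Protection X-Content-Type-Options Referrer-Policy
Permissions-Policy Strict-Transport-Security X-Frame-Options
Content-Security-Policy"

# Reads raw response headers on stdin; prints each expected header that is absent.
missing_headers() (
    response=$(tr -d '\r')   # HTTP header lines end in CRLF
    for name in $EXPECTED_HEADERS; do
        # Header names are case-insensitive, so match with grep -i.
        if ! printf '%s\n' "$response" | grep -qi "^${name}:"; then
            printf '%s\n' "$name"
        fi
    done
)

# Succeeds if the Server header still exposes a version, i.e. the
# "server_tokens off;" line is not in effect.
leaks_version() {
    tr -d '\r' | grep -qiE '^Server:[[:space:]]*nginx/[0-9]'
}

# Constructed sample: a 200 response with security.conf applied (CSP shortened).
sample_200() {
    cat <<'EOF'
HTTP/1.1 200 OK
Server: nginx
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: interest-cohort=()
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
EOF
}

# Constructed sample: a 404 from the same server. X-Frame-Options has no
# "always" in security.conf, so nginx leaves it off error responses.
sample_404() {
    sample_200 | sed -e '1s/200 OK/404 Not Found/' -e '/^X-Frame-Options:/d'
}

echo "200 missing: $(sample_200 | missing_headers | tr '\n' ' ')"
echo "404 missing: $(sample_404 | missing_headers | tr '\n' ' ')"
```

Run the same check against a page that exists and against a URL that returns an error, since only headers declared with `always` appear on both.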
To protect the site from bots, you can install reCAPTCHA v3, which runs when a new user registers; for this, use the following instructions.