Configuring Nginx server with security in mind, on the CRYSTAL v1.0 project

This instruction assumes that you already have installed SSL certificate.

1. Create a directory - 'nginxconf', which will contain security rules - 'security.conf'.

Enter the command:

mkdir /etc/nginx/nginxconf

Then:

nano /etc/nginx/nginxconf/security.conf

Add the following code to the window that opens: below:

server_tokens off;
 add_header X-XSS-Protection "1; mode=block" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header Referrer-Policy "no-referrer-when-downgrade" always;
 add_header Permissions-Policy "interest-cohort=()" always;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 add_header X-Frame-Options "DENY";
 add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; frame-ancestors 'self' https://www.google.com/ https://www.gstatic.com/; img-src 'self' data: blob:; style-src 'self'; script-src 'self' blob: https://www.google.com/ https://www.gstatic.com/;" always;

After adding the code, press 'ctrl + x', 'y', 'Enter' in sequence.

2. Connection - 'security.conf', to the server.

Enter the code:

nano /etc/nginx/sites-available/crystal

Add the code below in the window that opens, after the second line from the top - 'server_name YourDomain www.YourDomain;':

# security
include /etc/nginx/nginxconf/security.conf;
# /security

Example:

server {
server_name crysty.ru www.crysty.ru;
# security
include /etc/nginx/nginxconf/security.conf;
# /security
location /
{
	root /var/www/crystal/frontend/dist;
	try_files $uri $uri /index.html;
}.....

After adding the code, press sequentially - 'ctrl + x', 'y', 'Enter'.

Then restart nginx, with the command:

systemctl restart nginx

To protect the site from bots, you can install - reCAPTCHA v3, which will work when registering a new user, for this use the following instructions.