Configuring Nginx server with security in mind, on the CRYSTAL v1.0 project

This instruction assumes that you already have installed SSL certificate.

1. Description of security rules.

server_tokens off;
- Disables display of the Nginx version in response headers. This prevents information leaks about the server, making it more difficult for potential attackers.

add_header X-XSS-Protection "1; mode=block" always;
- Enables protection against XSS attacks (built into browsers). If an attempt is made to inject malicious JavaScript, the browser blocks execution of the page.

add_header X-Content-Type-Options "nosniff" always;
- Prevents the browser from "guessing" the content type if the Content-Type header is missing or incorrect. This helps prevent MIME attacks.

add_header Referrer-Policy "no-referrer-when-downgrade" always;
- Controls what data is sent in the Referer header. In this case, the referrer is only sent when switching from HTTPS to HTTPS, but not from HTTPS to HTTP.

add_header Permissions-Policy "interest-cohort=()" always;
- Disables FLoC (Federated Learning of Cohorts), a controversial Google ad targeting technology. Protects user privacy.

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
- Forces the browser to use HTTPS for all subsequent connections for 1 year. Also includes subdomains.

add_header X-Frame-Options "DENY";
- Prevents the site from loading inside frames/iframes, preventing clickjacking attacks.

add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; frame-ancestors 'self' https://www.google.com/ https://www.gstatic.com/; img-src 'self' data: blob:; style-src 'self'; script-src 'self' blob: https://www.google.com/ https://www.gstatic.com/;" always;

- Allows loading of resources only from the current domain ('self'), Google ReCAPTCHA and blob: URLs.

- Blocks loading of external scripts and styles (if they are not explicitly specified).

- Forbids loading of the site in a frame from another domain, except google.com.

- Allows images only from self, data: and blob:.

- CSP helps prevent XSS, loading of malicious resources and iframe attacks.

2. Create a directory - 'nginxconf', which will contain security rules - 'security.conf'.

Enter the command:

mkdir /etc/nginx/nginxconf

Then:

nano /etc/nginx/nginxconf/security.conf

Add the following code to the window that opens: below:

server_tokens off;
 add_header X-XSS-Protection "1; mode=block" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header Referrer-Policy "no-referrer-when-downgrade" always;
 add_header Permissions-Policy "interest-cohort=()" always;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 add_header X-Frame-Options "DENY";
 add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; frame-ancestors 'self' https://www.google.com/ https://www.gstatic.com/; img-src 'self' data: blob:; style-src 'self'; script-src 'self' blob: https://www.google.com/ https://www.gstatic.com/;" always;

After adding the code, press 'ctrl + x', 'y', 'Enter' in sequence.

3. Connection - 'security.conf', to the server.

Enter the code:

nano /etc/nginx/sites-available/crystal

Add the code below in the window that opens, after the second line from the top - 'server_name YourDomain www.YourDomain;':

# security
include /etc/nginx/nginxconf/security.conf;
# /security

Example:

server {
server_name crysty.ru www.crysty.ru;
# security
include /etc/nginx/nginxconf/security.conf;
# /security
location /
{
	root /var/www/crystal/frontend/dist;
	try_files $uri $uri /index.html;
}.....

After adding the code, press sequentially - 'ctrl + x', 'y', 'Enter'.

Then restart nginx, with the command:

systemctl restart nginx

To protect the site from bots, you can install - reCAPTCHA v3, which will work when registering a new user, for this use the following instructions.