Configuring an Nginx server with security in mind, on the CRYSTAL v1.0 project
28.02.2025
This guide assumes that you have already installed an SSL certificate.
1. Description of security rules.
server_tokens off;
- Disables display of the Nginx version in response headers (the Server header becomes just "nginx"). This prevents information about the server version from leaking, making reconnaissance by potential attackers more difficult.
add_header X-XSS-Protection "1; mode=block" always;
- Enables the XSS filter built into older browsers. If an attempt is made to inject malicious JavaScript, the browser blocks rendering of the page. Modern Chromium-based browsers ignore this header, so the Content-Security-Policy below is the primary defence; this header only helps legacy browsers.
add_header X-Content-Type-Options "nosniff" always;
- Prevents the browser from "guessing" (sniffing) the content type if the Content-Type header is missing or incorrect. This helps prevent MIME-sniffing attacks, where a file served as one type is interpreted by the browser as another.
add_header Referrer-Policy "no-referrer-when-downgrade" always;
- Controls what is sent in the Referer header. With this value the full referrer is sent when navigating from HTTPS to HTTPS, but nothing is sent when downgrading from HTTPS to HTTP.
add_header Permissions-Policy "interest-cohort=()" always;
- Disables FLoC (Federated Learning of Cohorts), a controversial Google ad-targeting technology that has since been discontinued. Protects user privacy.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
- Forces the browser to use HTTPS for all subsequent connections for one year (max-age=31536000 seconds), including subdomains. The browser only honours this header after receiving it over a valid HTTPS connection, which is why a working certificate is a prerequisite.
add_header X-Frame-Options "DENY";
- Prevents the site from being loaded inside frames/iframes, which blocks clickjacking attacks. Note that this line lacks the 'always' parameter: without it, Nginx adds the header only to 2xx/3xx responses, so error pages (for example a 404) will not carry it.
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; frame-ancestors 'self' https://www.google.com/ https://www.gstatic.com/; img-src 'self' data: blob:; style-src 'self'; script-src 'self' blob: https://www.google.com/ https://www.gstatic.com/;" always;
- Allows loading of resources only from the current domain ('self'), Google reCAPTCHA and blob: URLs.
- Blocks loading of external scripts and styles unless they are explicitly listed (script-src and style-src override default-src for those resource types, so 'unsafe-inline' and 'unsafe-eval' in default-src do not apply to scripts and styles).
- Forbids loading of the site in a frame from another domain, except google.com and gstatic.com. In browsers that support frame-ancestors, this directive takes precedence over X-Frame-Options.
- Allows images only from 'self', data: and blob:.
- CSP helps prevent XSS, loading of malicious resources and iframe-based attacks.
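To confirm that the rules above are actually reaching the browser, the following added example (not part of the original instructions) checks a captured HTTP response for each configured header and for a leaked nginx version string. The two response dumps inside it are constructed samples so the check runs offline; against a real server you would pipe the output of curl -sI into the function.

```shell
#!/bin/sh
# Added example (not part of the original instructions): check a captured HTTP
# response for the headers configured in security.conf and for a leaked
# nginx version. Against a live server:
#   curl -sI https://YourDomain/ | check_security_headers
# The two responses below are constructed samples so the check runs offline.

# Header names (lower-cased) that security.conf is expected to add.
REQUIRED_HEADERS="x-xss-protection x-content-type-options referrer-policy permissions-policy strict-transport-security x-frame-options content-security-policy"

# Reads response headers from stdin. Prints one line per problem found and
# returns 1 if anything is wrong, 0 if every required header is present.
check_security_headers() {
    # normalise: strip CRs and lower-case, since header names are case-insensitive
    headers=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    status=0
    for name in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$headers" | grep -q "^$name:"; then
            echo "MISSING: $name"
            status=1
        fi
    done
    # server_tokens off leaves "Server: nginx"; a version suffix means it is not in effect
    if printf '%s\n' "$headers" | grep -q '^server: nginx/'; then
        echo "LEAK: Server header reveals the nginx version"
        status=1
    fi
    return $status
}

# Constructed sample: a 200 response from a server with security.conf applied.
GOOD_RESPONSE=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: interest-cohort=()
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
EOF
)

# Constructed sample: a 404 from a server without the rules. Even with
# security.conf in place, X-Frame-Options would be absent from a 404 like
# this one because it is declared without "always".
BAD_RESPONSE=$(cat <<'EOF'
HTTP/1.1 404 Not Found
Server: nginx/1.24.0
Content-Type: text/html
X-Content-Type-Options: nosniff
EOF
)

echo "== good response =="
printf '%s\n' "$GOOD_RESPONSE" | check_security_headers && echo "all security headers present"
echo "== bad response =="
printf '%s\n' "$BAD_RESPONSE" | check_security_headers || echo "response fails the check"
```

When checking a real deployment, run the check against both a normal page and a non-existent path (a 404), because headers added without 'always' only appear on successful responses.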
2. Create a directory 'nginxconf', which will contain the security rules file 'security.conf'.
Enter the command:
mkdir /etc/nginx/nginxconf
Then:
nano /etc/nginx/nginxconf/security.conf
Add the following code in the editor window that opens:
server_tokens off;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY";
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; frame-ancestors 'self' https://www.google.com/ https://www.gstatic.com/; img-src 'self' data: blob:; style-src 'self'; script-src 'self' blob: https://www.google.com/ https://www.gstatic.com/;" always;
After adding the code, press 'ctrl + x', 'y', 'Enter' in sequence.
3. Including 'security.conf' in the server block.
Enter the command:
nano /etc/nginx/sites-available/crystal
In the editor window that opens, add the code below after the second line from the top, 'server_name YourDomain www.YourDomain;':
# security
include /etc/nginx/nginxconf/security.conf;
# /security
Example:
server {
    server_name crysty.ru www.crysty.ru;
    # security
    include /etc/nginx/nginxconf/security.conf;
    # /security
    location /
    {
        root /var/www/crystal/frontend/dist;
        try_files $uri $uri /index.html;
    }
    .....
After adding the code, press 'ctrl + x', 'y', 'Enter' in sequence.
Then restart nginx with the command:
systemctl restart nginx
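Steps 2 and 3 above are done by hand in nano. The following added example (not part of the original instructions, and not a CRYSTAL project script) performs the same two steps non-interactively, so the change is repeatable, is never applied twice to the same file, and is validated with nginx -t before anything is restarted. NGINX_ROOT is an assumed environment variable defaulting to /etc/nginx; the built-in demo points it at a temporary directory with a constructed copy of the site file so the script can be exercised without touching a live server.

```shell
#!/bin/sh
# Added example (not part of the original instructions): carry out steps 2 and 3
# without an interactive editor. NGINX_ROOT (assumed, defaults to /etc/nginx) is
# overridden by the demo to a temporary directory so it can be run safely.

NGINX_ROOT="${NGINX_ROOT:-/etc/nginx}"

# Step 2: create nginxconf/ and write security.conf with the rules from section 1.
write_security_conf() {
    mkdir -p "$NGINX_ROOT/nginxconf"
    cat > "$NGINX_ROOT/nginxconf/security.conf" <<'EOF'
server_tokens off;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "DENY";
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; frame-ancestors 'self' https://www.google.com/ https://www.gstatic.com/; img-src 'self' data: blob:; style-src 'self'; script-src 'self' blob: https://www.google.com/ https://www.gstatic.com/;" always;
EOF
}

# Step 3: insert the include block directly after every server_name line of a
# site file. Idempotent: a file that already includes security.conf is left
# untouched, so re-running never adds a second copy. A .bak copy is kept.
add_security_include() {
    site="$1"
    if grep -q 'nginxconf/security.conf' "$site"; then
        return 0
    fi
    cp "$site" "$site.bak"
    awk -v inc="$NGINX_ROOT/nginxconf/security.conf" '
        { print }
        /^[[:space:]]*server_name[[:space:]]/ {
            print "    # security"
            print "    include " inc ";"
            print "    # /security"
        }' "$site.bak" > "$site"
}

# Number of times security.conf is included in a site file (1 after a correct run).
include_count() {
    grep -c 'nginxconf/security.conf' "$1"
}

# Demo on a constructed copy of the CRYSTAL site file in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    NGINX_ROOT="$tmp"
    mkdir -p "$tmp/sites-available"
    cat > "$tmp/sites-available/crystal" <<'EOF'
server {
    server_name crysty.ru www.crysty.ru;
    location / {
        root /var/www/crystal/frontend/dist;
        try_files $uri $uri /index.html;
    }
}
EOF
    write_security_conf
    add_security_include "$tmp/sites-available/crystal"
    add_security_include "$tmp/sites-available/crystal"   # second run must be a no-op
    cat "$tmp/sites-available/crystal"
    echo "include count: $(include_count "$tmp/sites-available/crystal")"
    rm -rf "$tmp"
}

# "apply SITEFILE" performs the real change under $NGINX_ROOT and validates the
# configuration with nginx -t; nothing is restarted automatically.
case "${1:-demo}" in
    demo)  demo ;;
    apply) write_security_conf
           add_security_include "${2:?usage: $0 apply /etc/nginx/sites-available/crystal}"
           nginx -t ;;
esac
```

Run it with no arguments to see the demo, or with 'apply /etc/nginx/sites-available/crystal' to make the real change; only after nginx -t reports success should you run systemctl restart nginx. Keep in mind that Nginx inherits add_header directives from the server level only if the location block defines no add_header of its own, so a location that sets its own header must repeat the include.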
To protect the site from bots, you can install reCAPTCHA v3, which will run when a new user registers; for this, use the following instructions.