Security Header Haproxy & Nginx
Ada sejumlah serangan seperti clickjacking yang menargetkan situs web dan penggunanya. Banyak dari mereka dapat dicegah hanya dengan meminta server web untuk mengirim header HTTP kepada klien.
Berikut beberapa Konfigurasi Security Header untuk Haproxy dan Nginx.
HAProxy :
backend example.com
http-response set-header Strict-Transport-Security “max age=63072000; includeSubdomains; preload”
http-response set-header X-Frame-Options “SAMEORIGIN”
http-response set-header X-Xss-Protection “1; mode=block”
http-response set-header X-Content-Type-Options “nosniff”
http-response set-header Referrer-Policy no-referrer-when-downgrade
http-response set-header Content-Security-Policy:script-src https://www.google-analytics.com
Restart HAProxy
Nginx :
Letakkan pada nginx.conf
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options “deny”;
add_header X-XSS-Protection “1; mode=block”;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy: no-referrer-when-downgrade;
add_header Strict-Transport-Security ‘max-age=31536000; includeSubDomains; preload;’;
add_header Content-Security-Policy “default-src ‘self’; script-src https://securityheaders.com/’self’ ‘unsafe-inline’ ‘unsafe-eval’ https://ssl.google-analytics.com https://assets.zendesk.com object-src ‘none'”;
Restart Nginx
Setelah selesai, Cek dengan https://securityheaders.com/
Posted on: July 19, 2019, by : Julian's | 205 views