Core HTTP security headers at the reverse proxy layer

2513 views

                  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

I like setting baseline browser hardening headers at the proxy so every app behind it benefits. HSTS, clickjacking protection, MIME sniffing prevention, and sane referrer policy are cheap wins. The only caveat is making sure the settings match real deployment behavior before forcing them everywhere.

Kai Nakamura

More from Kai Nakamura

Core HTTP security headers at the reverse proxy layer

0 Comments

More from Kai Nakamura