ngx_security_headers

NGINX Module for sending security headers

Results 10 ngx_security_headers issues

Currently, [Mozilla](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection) and [Google](https://chromestatus.com/feature/5021976655560704) do not recommend setting X-XSS-Protection to an enabled state due to the fact that the XSS auditor can even create new XSS vulnerabilities in otherwise secure websites....

Set to 31536000 as recommended by OWASP, Qualys and others. https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html https://blog.qualys.com/vulnerabilities-threat-research/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server

release prebuilt package in apt repository

Implement new upcoming HTTP Cross-Origin headers. Sources:

* https://owasp.org/www-project-secure-headers/
* https://scotthelme.co.uk/coop-and-coep/

I'm using a Windows server with nginx and I want to use this to hide nginx in header. It appears I need to compile nginx with this module which seems...

Allow specifying CSP header using "free-form" string. There is no one-suits-everyone value. The module should support setting it anyway, as this will eliminate having to have header-more module completely,...

While in development, all hidden headers are good to be shown, e.g. #3 would hide caching headers, which need to be seen. Need a method to bypass hiding based on IP/cookie/etc.

Cacheability that is exposed via HTTP headers is a security risk. URLs which are found to be uncacheable all the time through those headers pose a threat of denial of...

E.g. `Age` (exposing cacheability) or `Via` should be hidden. Add ability to show the headers by passing a special secret request var or header.

Just here to chime in and say that if you are using ModSecurity-nginx / ModSecurity (v3), there is a conflict and you'd see errors like this in nginx error log....

bug