Securing NGINX - Debian/Ubuntu

Step 3g - Content Security Policies - Highly Highly Recommended!!

Create/Enable Content Security Policies (CSP)

Content security policies are enacted by most of the larger content providers to minimize the amount of reloading of information. When if fact, it really is a great security measure to ensure that only our site is providing clients with content from our own sources and not someone else injecting code, malware and a vast array of other possibilities to perform against a site/server/client. It should be noted that less than one percent (1%) of the Internet has such policies and makes it easy to put my own source code in the middle of a communication stream. It is not mandatory since there are situations in which you do not wish to use CSP's at the server level. Unless you are an admin that understands those methods and implementations, use this procedure until you move the CSP to another area.

Scott Helme developed some nifty tools to help you generate a policy, analyses your policy or generate a hash of JS or CSS for your CSP

Change the HTTPS Web site config file <--Add the sections in blue to the file

nano /etc/nginx/conf.d/EXAMPLE_com_ssl.conf

server {
..............................
        etag off;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block; report=<uri>";
        proxy_cookie_path / "/; HTTPOnly:Secure";
        add_header Referrer-Policy no-referrer-when-downgrade;
        add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
        add_header NEL "{\"Report-To\":\"default\",\"max_age\":31536000,\"include_subdomains\":true}";
        add_header X-Frame-Options DENY;
        add_header Cache-Control "public, max-age=31536000";
        add_header MyHeader "Feel safe zombiesecured headers in use!!! It took %D microseconds for Zombiesecured to serve this request on %t";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header Expect-CT enforce, max-age=30, report-uri="url";
        add_header Content-Security-Policy "Policy"; <--- Put your policy parameters between the quotes - remove any redundancies
}

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Restart NGINX

systemctl restart nginx

Zombie Secured Headers in use:

Header always set Content-Security-Policy: "script-src 'self' https://cdnjs.cloudflare.com https://stackpath.bootstrapcdn.com https://code.jquery.com; style-src 'self' https://stackpath.bootstrapcdn.com https://use.fontawesome.com; img-src 'self'; font-src 'self' https://use.fontawesome.com; connect-src 'self' https://www.sitemaps.org https://www.w3.org https://www.google.com https://zombiesecured.report-uri.com; media-src 'self'; object-src 'self'; frame-ancestors 'none'; form-action 'self'";

Zombie Content Security Policy Test Results

Zombie Content Policy

Test Results as of June 20th 2019