Allow us to be able to implement additional security headers.
I'd like to have the ability to implement the following headers on NginX and Apache so I can convince my clients they can pass Header Security Test in conjunction with PCI/DSS. The following are recommendations.
NginX Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
Apache Headers
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Referrer-Policy: strict-origin-when-cross-origin
-
Anonymous commented
Add the possibility to add security headers in the dashboard
-
Anonymous commented
Below I am posting some configuration which affects the website performance a lot.
These are the best NGINX features that need to be implemented.
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
# Expire Headers
location ~* \.(css|js|gif|jpeg|jpg|png|svg)$ {
expires 1M;
add_header Pragma public;
add_header Cache-Control public;
add_header Vary Accept-Encoding;
}
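A small checker for the headers recommended in the original request and in the NGINX block above, added here as an example and not part of either post or of any panel's code. It parses a raw HTTP response head (the sample response is constructed) and reports headers that are missing, duplicated, or set to a value other than the recommended one, which is the same check an external header scanner performs against a deployed site.

```python
"""Check a raw HTTP response head for the security headers recommended above."""
from typing import Dict, List

# Expected values taken from the recommendations above. Names are compared
# case-insensitively; values are compared case-insensitively after stripping.
EXPECTED = {
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "referrer-policy": "strict-origin-when-cross-origin",
}

def parse_response_head(raw: str) -> Dict[str, List[str]]:
    """Lower-cased header name -> list of values (duplicates are kept visible)."""
    headers: Dict[str, List[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:              # lines[0] is the status line
        if not line.strip():
            break                       # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check_security_headers(raw: str) -> List[str]:
    """Return findings for the response head; an empty list means all headers pass."""
    headers = parse_response_head(raw)
    findings: List[str] = []
    for name, want in EXPECTED.items():
        values = headers.get(name)
        if values is None:
            findings.append(f"missing: {name}")
        elif len(values) > 1:           # two add_header lines in nested blocks, for example
            findings.append(f"duplicated: {name} {values}")
        elif values[0].lower() != want.lower():
            findings.append(f"unexpected value: {name}={values[0]!r} (want {want!r})")
    return findings

# Constructed sample: nosniff and X-XSS-Protection are set, X-Frame-Options is
# absent, and Referrer-Policy is weaker than the recommended value.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for finding in check_security_headers(SAMPLE):
        print(finding)
```

Against a live host the raw head can be taken from `curl -sI` output and fed to `check_security_headers` unchanged.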