Server Headers

Author | May 26, 2017 | How To | No Comments

Chrome Extension to test CSP without actually applying it to the website:
https://chrome.google.com/webstore/detail/caspr-enforcer/fekcdjkhlbjngkimekikebfegbijjafd?hl=en-US

https://www.gravityscan.com/

Example Header for nginx

#Header Security Additions
server_tokens off;
proxy_hide_header X-Powered-By;
add_header Referrer-Policy no-referrer-when-downgrade;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://www.google-analytics.com/; style-src 'self' https://fonts.googleapis.com; img-src 'self' https://www.google-analytics.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; frame-src 'self'; frame-ancestors 'none'; form-action 'none'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; base-uri $host www.$host; referrer no-referrer-when-downgrade";

#Header Security Additions

server_tokens off;

proxy_hide_header X-Powered-By;

add_header Referrer-Policy no-referrer-when-downgrade;

add_header X-Frame-Options SAMEORIGIN;

add_header X-Content-Type-Options nosniff;

add_header X-XSS-Protection "1; mode=block";

add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://www.google-analytics.com/; style-src 'self' https://fonts.googleapis.com; img-src 'self' https://www.google-analytics.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; frame-src 'self'; frame-ancestors 'none'; form-action 'none'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; base-uri $host www.$host; referrer no-referrer-when-downgrade";

Tags:CSP, Headers, Scanners

About The Author

Author

This site was created to host various server related settings and instructions that have been useful with some of my past projects. Maybe this stuff will be helpful to you too.

Related Posts

About The Author

Author