1. Hide details about Nginx
By default, Nginx reveals its version in the Server response header, as shown below.
Exposing that version makes it easier for an attacker to pick attacks that match the exact release running on the web server.
[linuxuser@centos7-nginx ~]$ curl -I http://35.225.245.112
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 23 May 2018 19:14:48 GMT
Content-Type: text/html
Content-Length: 3700
Last-Modified: Tue, 06 Mar 2018 09:26:21 GMT
Connection: keep-alive
ETag: "5a9e5ebd-e74"
Accept-Ranges: bytes
Disable this information leakage by adding the line below in the http
section of the nginx config file /etc/nginx/nginx.conf:
http {
    server_tokens off;
    # ... existing directives ...
}
Save the file and reload nginx
$ sudo systemctl reload nginx
Confirm that the nginx version details are no longer shown.
[linuxuser@centos7-nginx ~]$ curl -I http://35.225.245.112
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 23 May 2018 19:17:53 GMT
Content-Type: text/html
Content-Length: 3700
Last-Modified: Tue, 06 Mar 2018 09:26:21 GMT
Connection: keep-alive
ETag: "5a9e5ebd-e74"
Accept-Ranges: bytes
2. Enable X-XSS Protection
The X-XSS-Protection header helps protect the web site against cross-site scripting attacks: with the value "1; mode=block" the browser's built-in XSS filter is enabled and the page is blocked, rather than rendered, when an attack is detected.
Add the line add_header X-XSS-Protection "1; mode=block"; in the http section of the nginx config file /etc/nginx/nginx.conf:
http {
    server_tokens off;
    add_header X-XSS-Protection "1; mode=block";
    # ... existing directives ...
}
Save the file and reload nginx service
3. Disable Undesirable HTTP methods
The desirable HTTP methods are GET, HEAD and POST, while undesirable ones such as DELETE or TRACE should be rejected. TRACE in particular is risky because it can be abused to steal cookie information through cross-site tracing attacks.
To disable the undesirable methods, add the block below in the server
section of the nginx config file /etc/nginx/nginx.conf; any request whose method is not GET, HEAD or POST is answered with 405 Method Not Allowed:
server {
    # ... existing directives ...
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 405;
    }
}
Save the file and reload nginx service
4. Prevent clickjacking attacks
In a clickjacking attack the attacker places a hidden link or frame over a legitimate button on a site, so that the user unknowingly clicks on the attacker's element and triggers an unwanted action. In most cases this is done using iframes. Hence in nginx it's recommended to send the X-Frame-Options "SAMEORIGIN" header, which limits the browser to framing the page only from the same origin.
Add the line add_header X-Frame-Options "SAMEORIGIN"; in the http
section of the nginx config file /etc/nginx/nginx.conf:
http {
    server_tokens off;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options "SAMEORIGIN";
    # ... existing directives ...
}
Save the file and reload nginx service
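After reloading, it is worth checking all four items (1 to 4) in one go rather than eyeballing curl output. The POSIX shell script below is an added example and is not part of the original tutorial; it parses captured responses and reports which hardening items are missing. The SAMPLE_GET and SAMPLE_TRACE inputs are constructed to look like the output of curl -I for a plain GET and for a TRACE request against the hardened server; in practice you would capture them yourself and pass the file contents to audit.

```shell
#!/bin/sh
# Added example (not the tutorial's own code): audit captured HTTP responses
# for the server_tokens, X-XSS-Protection, X-Frame-Options and method checks.
# SAMPLE_GET / SAMPLE_TRACE are constructed inputs; capture real ones with
#   curl -sI http://your-host/            > get.txt
#   curl -sI -X TRACE http://your-host/   > trace.txt
# and call: audit "$(cat get.txt)" "$(cat trace.txt)"

SAMPLE_GET='HTTP/1.1 200 OK
Server: nginx
Date: Wed, 23 May 2018 19:17:53 GMT
Content-Type: text/html
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Connection: keep-alive'

SAMPLE_TRACE='HTTP/1.1 405 Not Allowed
Server: nginx
Content-Type: text/html'

# header_value RESPONSE NAME: print the value of header NAME (case-insensitive,
# CRLF line endings tolerated); prints nothing when the header is absent.
header_value() {
    printf '%s\n' "$1" | awk -v name="$2" '
        { sub(/\r$/, "") }
        index($0, ":") > 0 {
            n = substr($0, 1, index($0, ":") - 1)
            if (tolower(n) == tolower(name)) {
                v = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", v)
                print v
                exit
            }
        }'
}

# status_code RESPONSE: print the numeric status from the status line.
status_code() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $2; exit }'
}

# audit GET_RESPONSE TRACE_RESPONSE: print one line per check and return the
# number of failed checks (0 means every hardening item is in place).
audit() {
    failures=0

    # Item 1: server_tokens off -> Server header carries no version number.
    server=$(header_value "$1" Server)
    case "$server" in
        *[0-9].[0-9]*)
            echo "FAIL server_tokens: Server header exposes a version: $server"
            failures=$((failures + 1)) ;;
        *)  echo "ok   server_tokens: Server header is '$server'" ;;
    esac

    # Item 2: X-XSS-Protection must be exactly "1; mode=block".
    xss=$(header_value "$1" X-XSS-Protection)
    if [ "$xss" = "1; mode=block" ]; then
        echo "ok   X-XSS-Protection: $xss"
    else
        echo "FAIL X-XSS-Protection: expected '1; mode=block', got '$xss'"
        failures=$((failures + 1))
    fi

    # Item 4: X-Frame-Options SAMEORIGIN (DENY is stricter and also accepted).
    xfo=$(header_value "$1" X-Frame-Options)
    case "$xfo" in
        SAMEORIGIN|DENY) echo "ok   X-Frame-Options: $xfo" ;;
        *)  echo "FAIL X-Frame-Options: got '$xfo'"
            failures=$((failures + 1)) ;;
    esac

    # Item 3: an undesirable method (TRACE) must be answered with 405.
    trace=$(status_code "$2")
    if [ "$trace" = "405" ]; then
        echo "ok   TRACE rejected with 405"
    else
        echo "FAIL TRACE answered with status '$trace' instead of 405"
        failures=$((failures + 1))
    fi

    return "$failures"
}

audit "$SAMPLE_GET" "$SAMPLE_TRACE"
```

One caveat worth checking with this script on every virtual host: nginx's add_header directives are inherited from the http level only if the server or location block defines no add_header of its own, so a server block that adds, say, a single caching header silently drops the X-XSS-Protection and X-Frame-Options headers set globally. Auditing the response of each site, not just the default one, catches that.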
5. Always keep nginx up to date
Keeping nginx up to date ensures that security vulnerabilities found in previous versions or releases have been fixed on your server. Just run the command below:
$ sudo yum update nginx
Special note: HostAdvice’s hosting reviews allow you to consult with thousands of users before purchasing a hosting plan. If you are looking to purchase a CentOS VPS plan, consult the VPS hosting reviews or Linux Hosting reviews.