Nginx Hardening Checklist

v1.0.2 trimstray

HOWTO: A+ with all 100%'s on SSL Labs

Hide Nginx version number
server_tokens off;
(This hides only the version; the response still carries "Server: nginx".)

Hide Nginx server signature
more_set_headers "Server: Unknown";
(more_set_headers is not a stock directive. It comes from the ngx_headers_more module, which must be compiled in or loaded with load_module; without it, nginx -t fails with: unknown directive "more_set_headers".)

Use only 4096-bit private keys
# openssl genrsa -out domain.com.key 4096
# certbot certonly -d domain.com --rsa-key-size 4096
(A 4096-bit RSA key costs noticeably more CPU per handshake than 2048-bit. An ECDSA P-384 key is the usual alternative; the cipher list below already contains the ECDHE-ECDSA suites it needs.)

Keep only TLS 1.2 (+ TLS 1.3)
ssl_protocols TLSv1.2;
(Add TLSv1.3 when nginx is 1.13.0 or later and built against OpenSSL 1.1.1 or later: ssl_protocols TLSv1.2 TLSv1.3;)

Use only strong ciphers
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
(All six are ECDHE suites with 256-bit keys, which is what the SSL Labs 100% cipher-strength score requires. The last two are CBC suites with an HMAC-SHA384 MAC and can be dropped once every client you care about supports AEAD. TLS 1.3 suites are not controlled by this directive.)

Use more secure ECDH Curve
ssl_ecdh_curve secp521r1:secp384r1;
(Chromium-based browsers do not offer secp521r1, so they negotiate secp384r1. X25519 is the usual modern default and fine in practice, but SSL Labs rates its 128-bit strength below secp384r1 in the key-exchange score, which is why it is left out of this list.)

These guidelines provide recommendations for a very restrictive setup.

Do not follow guides just to get 100% of something. Think about what you actually do at your server!

Force all connections over TLS
return 301 https://$host$request_uri;
(Put this in the plain-HTTP server block listening on port 80 and serve nothing else from it.)

Defend against the BEAST attack
ssl_prefer_server_ciphers on;
(This makes nginx pick from its own cipher order rather than the client's. BEAST targets CBC ciphers in TLS 1.0, so with ssl_protocols limited to TLS 1.2+ it is not reachable anyway; the directive is still worth keeping so that your strongest suites win the negotiation.)

HTTP Strict Transport Security
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
(63072000 seconds is two years. Roll it out with a short max-age first: a browser that has cached the policy refuses plain-HTTP access to the host, and with includeSubdomains to every subdomain, until it expires. The always parameter, nginx 1.7.5+, adds the header on error responses too.)

Disable compression
gzip off;
(Compressing responses that mix attacker-controlled input with secrets is what BREACH exploits. Leave it off, or enable it only for static assets that contain nothing secret.)

Reduce XSS risks (Content-Security-Policy)
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';" always;
(This policy blocks every inline script and style and every third-party resource; adjust it to what the application really loads, ideally after a trial run with Content-Security-Policy-Report-Only. Fetch directives you do not list, such as font-src and media-src, fall back to default-src 'none'. base-uri, form-action and frame-ancestors do not fall back to default-src at all, so add them explicitly; frame-ancestors 'self' is the modern counterpart of X-Frame-Options SAMEORIGIN.)

Based on trimstray/nginx-quick-reference

Control the behavior of the Referer header (Referrer-Policy)
add_header Referrer-Policy "no-referrer" always;
(The always parameter is added here so the header is sent on 4xx/5xx responses, as with the others.)

Provide clickjacking protection (X-Frame-Options)
add_header X-Frame-Options "SAMEORIGIN" always;

Prevent some categories of XSS attacks (X-XSS-Protection)
add_header X-XSS-Protection "1; mode=block" always;
(Chromium removed the XSS Auditor this header controls and Firefox never had one, so it does little in current browsers; the OWASP headers guidance now recommends sending the value 0 instead. A real Content-Security-Policy is the replacement.)

Prevent Sniff Mimetype (X-Content-Type-Options)
add_header X-Content-Type-Options "nosniff" always;

Deny the use of browser features (Feature-Policy)
add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'self'; payment 'none'; usb 'none';" always;
(Allow-list values must be quoted, 'none' and 'self', as in CSP. Feature-Policy has since been renamed Permissions-Policy with a different syntax, e.g. Permissions-Policy: geolocation=(), camera=(), fullscreen=(self); send both while older browsers still matter.)
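The checklist items above assembled into one complete configuration. This is an added example, not part of the original cheat sheet or of trimstray/nginx-quick-reference. It assumes the host example.com, a certificate and 4096-bit key under /etc/letsencrypt/live/example.com/, a document root of /var/www/example.com, and nginx 1.13.0 or later built against OpenSSL 1.1.1 or later (for TLSv1.3). The frame-ancestors, base-uri and form-action CSP directives are additions beyond the checklist's policy.

```nginx
# Added example, not from the cheat sheet. Assumed names: example.com,
# /etc/letsencrypt/live/example.com/, /var/www/example.com.

# Plain HTTP: only redirect to HTTPS, serve nothing else here.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    root /var/www/example.com;

    # Hide the version. "Server: nginx" is still sent unless the
    # ngx_headers_more module is loaded; uncomment the next line only then.
    server_tokens off;
    # more_set_headers "Server: Unknown";

    # Certificate and the 4096-bit RSA key produced by the openssl/certbot
    # commands above (paths are an assumption).
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Protocols, TLS 1.2 cipher suites, server preference and curves from the
    # checklist. TLS 1.3 suites are not selected through ssl_ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp521r1:secp384r1;

    # No response compression (BREACH).
    gzip off;

    # Security headers. "always" sends them on 4xx/5xx responses as well.
    # add_header is not inherited into a location block that declares its own
    # add_header, so repeat the whole set there if a location needs one more.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    # frame-ancestors, base-uri and form-action are additions to the
    # checklist's policy; they do not fall back to default-src.
    add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'self'; payment 'none'; usb 'none'" always;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check the syntax with nginx -t before reloading, then confirm with curl -sI https://example.com/ and curl -sI https://example.com/does-not-exist that every header above appears on both the 200 and the 404 response (that is what the always parameter buys you), and run the host through SSL Labs to verify the protocol, cipher and curve settings actually negotiated.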
