Really Simple SSL

Security Headers on NGINX


For Security Headers with WP Engine, an Apache/NGINX hybrid, please visit this article


Contrary to Apache-based web servers, which use an .htaccess file, Really Simple SSL Pro cannot write security headers directly to your NGINX configuration. NGINX uses an nginx.conf file, usually located in the /etc/nginx/ folder, or a site-specific configuration file in the /etc/nginx/sites-enabled/ folder. This is outside of the server's public content, so Really Simple SSL cannot access it. Don't worry, the security headers can still be used in NGINX.

The headers can be added via PHP or directly to the NGINX configuration. Do note that adding the headers via PHP can cause issues when caching is used, since a cached page can be served without the headers PHP would have added. We therefore recommend adding the headers to your nginx.conf file. This is something you can do yourself or ask your hosting provider to do for you. Below you will find the correct syntax for each recommended security header.

Adding HSTS

Depending on whether you want to enable preloading for your website, one of these two headers can be added to the server block in your NGINX configuration:

Without preload:

add_header Strict-Transport-Security "max-age=31536000" always;

With preload:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Adding Upgrade-Insecure-Requests

add_header Content-Security-Policy "upgrade-insecure-requests";

Adding X-XSS-Protection

add_header X-XSS-Protection "1; mode=block";

Adding X-Content-Type-Options

add_header X-Content-Type-Options "nosniff";

Adding Expect-CT, Certificate Transparency

add_header Expect-CT 'enforce; max-age=7776000';


Adding X-Frame-Options header

add_header X-Frame-Options "SAMEORIGIN";
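The following server block combines all of the headers above in one place. It is an added example, not configuration shipped by Really Simple SSL or taken from the article; the domain, document root, certificate paths and PHP-FPM socket are placeholders to replace with your own values. It also shows two things the individual snippets do not: what the `always` parameter does, and the NGINX rule that a location block with its own add_header drops every header set at server level.

```nginx
# Added example (not from the Really Simple SSL article). example.com, the
# document root, the certificate paths and the PHP-FPM socket are placeholders.
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;     # placeholder

    root /var/www/example.com;   # placeholder
    index index.php index.html;

    # Security headers from the article. "always" makes NGINX send the header on
    # every response code, including 4xx and 5xx; without it, add_header only
    # applies to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy "upgrade-insecure-requests" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Expect-CT "enforce; max-age=7776000" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Pitfall: add_header directives are inherited from the server level only if
    # the location defines no add_header of its own. This location adds a
    # Cache-Control header, which would silently drop all the server-level
    # security headers for these files, so they are repeated here.
    location ~* \.(css|js|png|jpg|jpeg|gif|svg|woff2?)$ {
        expires 30d;
        add_header Cache-Control "public";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder
    }
}

# Plain-HTTP server that only redirects to HTTPS. HSTS is then set on the
# secure origin only; browsers ignore the header on plain-HTTP responses anyway.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
```

After editing, run `nginx -t` to check the syntax and then reload NGINX. To confirm the headers are actually served, request a page and a static file (for example with `curl -sI https://example.com/` and `curl -sI https://example.com/wp-includes/css/dist/block-library/style.min.css`) and look for the Strict-Transport-Security, X-Content-Type-Options and X-Frame-Options lines in both responses; a header missing from the static-file response is the inheritance pitfall commented above.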
