http-security-headers #

This NGINX module adds security headers and removes insecure headers, the right way (c).

Source: upstream source

Directives

security_headers_coep #

syntax: security_headers_coep require-corp | credentialless | unsafe-none | omit  ·  default: omit  ·  context: http, server, location

Controls inclusion and value of Cross-Origin-Embedder-Policy header. This header controls embedding of cross-origin resources. Special omit value will disable sending the header by the module. The default is omit because enabling this header can break sites that load third-party resources (analytics, CDN assets, ads) without proper CORS headers.

security_headers_coop #

syntax: security_headers_coop same-origin | same-origin-allow-popups | unsafe-none | omit  ·  default: omit  ·  context: http, server, location

Controls inclusion and value of Cross-Origin-Opener-Policy header. This header controls window opener relationships across origins. Special omit value will disable sending the header by the module. The default is omit because enabling this header can break popup/window.opener communication patterns. Enable explicitly only if you understand the implications.

security_headers_corp #

syntax: security_headers_corp same-site | same-origin | cross-origin | omit  ·  default: same-site  ·  context: http, server, location

Controls inclusion and value of Cross-Origin-Resource-Policy header. This header controls how your resources can be embedded by other origins. Special omit value will disable sending the header by the module. The default same-site is a safe choice that prevents cross-site embedding while allowing same-site requests.

security_headers_frame #

syntax: security_headers_frame sameorigin | deny | omit  ·  default: sameorigin  ·  context: http, server, location

Controls inclusion and value of X-Frame-Options header. Special omit value will disable sending the header by the module.

security_headers_referrer_policy #

syntax: security_headers_referrer_policy no-referrer | no-referrer-when-downgrade | same-origin | origin  ·  default: strict-origin-when-cross-origin  ·  context: http, server, location

Controls inclusion and value of Referrer-Policy header. Special omit value will disable sending the header by the module.

security_headers_text_types #

syntax: security_headers_text_types 1+ args;  ·  context: http, server, location

Sets the MIME types list for which text-oriented security headers are applied, defaulting to a builtin text-type set.

security_headers_xss #

syntax: security_headers_xss off | on | block | omit | unset  ·  default: unset  ·  context: http, server, location

Controls X-XSS-Protection header.

Example

security_headers on;
security_headers_corp same-origin;
security_headers_coop same-origin;
security_headers_coep require-corp;

↑ back to index