http-security-headers #
This NGINX module adds security headers and removes insecure headers, the right way (c).
Source: upstream source
Directives
security_headers_coep #
syntax: security_headers_coep require-corp | credentialless | unsafe-none | omit · default: omit · context: http, server, location
Controls inclusion and value of Cross-Origin-Embedder-Policy header. This header controls embedding of cross-origin resources. Special omit value will disable sending the header by the module. The default is omit because enabling this header can break sites that load third-party resources (analytics, CDN assets, ads) without proper CORS headers.
security_headers_coop #
syntax: security_headers_coop same-origin | same-origin-allow-popups | unsafe-none | omit · default: omit · context: http, server, location
Controls inclusion and value of Cross-Origin-Opener-Policy header. This header controls window opener relationships across origins. Special omit value will disable sending the header by the module. The default is omit because enabling this header can break popup/window.opener communication patterns. Enable explicitly only if you understand the implications.
security_headers_corp #
syntax: security_headers_corp same-site | same-origin | cross-origin | omit · default: same-site · context: http, server, location
Controls inclusion and value of Cross-Origin-Resource-Policy header. This header controls how your resources can be embedded by other origins. Special omit value will disable sending the header by the module. The default same-site is a safe choice that prevents cross-site embedding while allowing same-site requests.
security_headers_frame #
syntax: security_headers_frame sameorigin | deny | omit · default: sameorigin · context: http, server, location
Controls inclusion and value of X-Frame-Options header. Special omit value will disable sending the header by the module.
security_headers_referrer_policy #
syntax: security_headers_referrer_policy no-referrer | no-referrer-when-downgrade | same-origin | origin · default: strict-origin-when-cross-origin · context: http, server, location
Controls inclusion and value of Referrer-Policy header. Special omit value will disable sending the header by the module.
security_headers_text_types #
syntax: security_headers_text_types 1+ args; · context: http, server, location
Sets the MIME types list for which text-oriented security headers are applied, defaulting to a builtin text-type set.
security_headers_xss #
syntax: security_headers_xss off | on | block | omit | unset · default: unset · context: http, server, location
Controls X-XSS-Protection header.
Example
security_headers on;
security_headers_corp same-origin;
security_headers_coop same-origin;
security_headers_coep require-corp;