Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
23.1 Legacy Series
»
nginx Security Headers Config... missing custom??
« previous
next »
Print
Pages: [
1
]
Author
Topic: nginx Security Headers Config... missing custom?? (Read 1284 times)
shanelord
Newbie
Posts: 17
Karma: 0
nginx Security Headers Config... missing custom??
«
on:
July 31, 2023, 03:14:52 am »
I'm trying to get my security headers to be A+ via
https://securityheaders.com/
At the moment I'm getting an A (info below).
The main issue - no way to set the
Permissions-Policy
Am I missing the way to add custom entries into the Security Headers in the GUI?
I've opened an issue on the
OPNsense Github
Thanks,
Shane.
---
How I get an A (your needs may vary):
1. Create or edit the default security header under "HTTP(S)/Security Headers".
General Tab
1. Set Referrer to "No Referrer"
2. Set XSS Protection to "Block"
3. Set Content Security Policy (CSP) to "Enable"
Default Source, Script, Image, Stylesheet, Media, Font, Worker and Form Tabs
1. Set to Enable
Everything else leave as default
Frame Tab
Frame Source
1. Set to Enable
2. Tick to Enable Same Origin (recommended)
Frame Ancestors
1. Set to Enable
2. Tick to Enable Same Origin (recommended)
Websockets
Leave as default
2. Add the new Security Header to your HTTP Server under "HTTP(S)/HTTP Server"
- Edit your server, and at the very bottom under "Security Header" select your new security header and save it.
«
Last Edit: August 02, 2023, 02:42:23 am by shanelord
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
23.1 Legacy Series
»
nginx Security Headers Config... missing custom??