Security Configuration

Access to certain private files and directories is forbidden and the following security headers are added by default:

X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: empty (see Content-Security-Policy)

This is a reasonable default configuration for most applications. If you have other needs, see the possible options below.

Tip

You can include the default security configuration from /etc/nginx/custom/security-<website-name>.conf into your own nginx locations.

X-Frame-Options Header

The X-Frame-Options header is set to SAMEORIGIN by default. To adjust it, set the security_header_xframe option within the Custom JSON Website Level Configuration:

{
  "security_header_xframe": "your-desired-value-for-the-x-frame-options-header"
}

X-Content-Type-Options Header

The X-Content-Type-Options header is set to nosniff by default. To adjust it, set the security_header_content_type option within the Custom JSON Website Level Configuration:

{
  "security_header_content_type": "your-desired-value-for-the-x-content-type-options-header"
}

X-XSS-Protection Header

The X-XSS-Protection header is set to "1; mode=block by default. To adjust it, set the security_header_xss_prot option within the Custom JSON Website Level Configuration:

{
  "security_header_xss_prot": "your-desired-value-for-the-x-xss-protection-header"
}

Referrer-Policy

The Referrer-Policy header is set to strict-origin-when-cross-origin by default. To adjust it, set the security_header_refpolicy option within the Custom JSON Website Level Configuration:

{
  "security_header_refpolicy": "your-desired-value-for-the-referrer-policy-header"
}

Content-Security-Policy

The Content-Security-Policy header is not set by default, as it was introduced at a later time. For the sake of consistency, we added to header with a empty (disabled) default value so you can set it to the value of your needs by setting the security_header_content_sec option within the Custom JSON Website Level Configuration:

{
  "security_header_content_sec": "your-desired-value-for-the-content-security-policy-header"
}

Disable

To disable the full security configuration altogether, set security_conf to false within the Custom JSON Website Level Configuration:

{
  "security_conf": false
}

Warning

Please be aware of any ramifications, and do not disable this settings unless you absolutely know what you’re doing. Especially make sure that no private files can be accessed.