Security Configuration

Access to certain private files and directories is forbidden and the following security headers are added by default:

  • X-Frame-Options: SAMEORIGIN

  • X-Content-Type-Options: nosniff

  • X-XSS-Protection: 1; mode=block

  • Referrer-Policy: strict-origin-when-cross-origin

  • Content-Security-Policy: empty (see Content-Security-Policy)

This is a reasonable default configuration for most applications. If you have other needs, see the possible options below.

Tip

You can include the default security configuration from /etc/nginx/custom/security-<website-name>.conf into your own nginx locations.
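The reason the include matters: nginx inherits add_header directives from the server level only if the current location defines none of its own, so a custom location that adds even one header (a cache header, say) silently drops all of the default security headers. The following is an added example, not configuration from the original page or the hosting platform; it assumes a hypothetical website name of example-site and that the generated file /etc/nginx/custom/security-example-site.conf contains the add_header lines described above.

```nginx
# Added example (not from the original page). A custom location that sets its own
# add_header directive and therefore has to re-include the default security headers.
# Assumptions: the website is named "example-site" (hypothetical), and the generated
# file /etc/nginx/custom/security-example-site.conf carries the add_header directives
# for the headers listed above.
location /static/ {
    # This add_header alone stops nginx from inheriting the server-level add_header
    # directives, so X-Frame-Options, X-Content-Type-Options and the others would
    # no longer be sent for /static/ without the include below.
    add_header Cache-Control "public, max-age=31536000, immutable";

    # Re-include the default security configuration to restore those headers here.
    include /etc/nginx/custom/security-example-site.conf;
}
```

After changing a custom location, confirm with a request to a path inside it (for instance curl -sI on a file under /static/) that the security headers are still present in the response, not just on the site's front page.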

X-Frame-Options Header

The X-Frame-Options header is set to SAMEORIGIN by default. To adjust it, set the security_header_xframe option within the Custom JSON Website Level Configuration:

{
  "security_header_xframe": "your-desired-value-for-the-x-frame-options-header"
}

X-Content-Type-Options Header

The X-Content-Type-Options header is set to nosniff by default. To adjust it, set the security_header_content_type option within the Custom JSON Website Level Configuration:

{
  "security_header_content_type": "your-desired-value-for-the-x-content-type-options-header"
}

X-XSS-Protection Header

The X-XSS-Protection header is set to "1; mode=block" by default. Note that current browsers have removed the XSS auditor this header controlled, so it is largely a legacy header today; a Content-Security-Policy is the effective protection. To adjust it, set the security_header_xss_prot option within the Custom JSON Website Level Configuration:

{
  "security_header_xss_prot": "your-desired-value-for-the-x-xss-protection-header"
}

Referrer-Policy

The Referrer-Policy header is set to strict-origin-when-cross-origin by default. To adjust it, set the security_header_refpolicy option within the Custom JSON Website Level Configuration:

{
  "security_header_refpolicy": "your-desired-value-for-the-referrer-policy-header"
}

Content-Security-Policy

The Content-Security-Policy header is not set by default, as it was introduced at a later time. For the sake of consistency, we added the header with an empty (disabled) default value so you can set it to the value you need by setting the security_header_content_sec option within the Custom JSON Website Level Configuration. If your policy contains a frame-ancestors directive, keep it consistent with the X-Frame-Options value above, since browsers that support frame-ancestors give it precedence:

{
  "security_header_content_sec": "your-desired-value-for-the-content-security-policy-header"
}

Disable

To disable the full security configuration altogether, set security_conf to false within the Custom JSON Website Level Configuration:

{
  "security_conf": false
}

Warning

Please be aware of the ramifications, and do not disable these settings unless you know exactly what you are doing. Disabling the security configuration removes both the default headers and the blocking of private files and directories, so in particular make sure that no private files can be accessed afterwards.