Privacy & Security
Apr 19, 2026

Nginx Security Headers Configuration

HSTS, CSP, CORP/COOP, Referrer-Policy, Permissions-Policy—header placement and add_header inheritance pitfalls.

Security headers instruct browsers how to treat your content. nginx injects them with add_header, but headers can be dropped or duplicated across nested location blocks; the usual remedy is to centralize the directives in a shared snippet and use the always flag so error pages receive the same policy. Start Content-Security-Policy in report-only mode, tighten it gradually, and enable Strict-Transport-Security only when HTTPS is stable everywhere.
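The inheritance pitfall and the centralized-snippet fix described above, as an added example that is not part of the original article. The snippet path, hostname, certificate paths, upstream address and the policy values are assumptions chosen for illustration; the nginx semantics shown (add_header is inherited from the enclosing level only when the current level defines no add_header of its own, and always extends it to error responses) are standard nginx behaviour.

```nginx
# snippets/security-headers.conf  (assumed path, relative to the nginx prefix)
# Every directive carries "always" so 4xx/5xx responses get the same policy.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
# Report-only first: violations are reported, nothing is blocked yet.
add_header Content-Security-Policy-Report-Only "default-src 'self'; frame-ancestors 'none'; report-uri /csp-report" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;

# nginx.conf (server block)
server {
    listen 443 ssl;
    server_name example.com;                      # placeholder host
    ssl_certificate     /etc/ssl/certs/example.pem;   # placeholder paths
    ssl_certificate_key /etc/ssl/private/example.key;

    include snippets/security-headers.conf;       # server-level header set

    # PITFALL: this location defines its own add_header, so it inherits
    # nothing from the server level. Responses under /api/ carry only
    # Cache-Control and silently lose HSTS, CSP and the rest.
    location /api/ {
        add_header Cache-Control "no-store";
        proxy_pass http://127.0.0.1:8080;         # assumed upstream
    }

    # FIX: re-include the shared snippet in any location that adds headers,
    # so the location-level list contains the full policy plus its extras.
    location /static/ {
        include snippets/security-headers.conf;
        add_header Cache-Control "public, max-age=31536000, immutable";
        root /var/www;
    }

    # No add_header here, so the server-level set is inherited unchanged.
    location / {
        root /var/www/html;
    }

    # Endpoint named in report-uri: accept the report, return no body.
    location = /csp-report {
        return 204;
    }
}
```

Verify with `nginx -t` and then request a path under each location (including a URL that 404s) and compare the response headers; the /api/ responses will be missing the policy headers until the snippet is included there as well.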

Header                        Role                          Caveat
Strict-Transport-Security     Forces HTTPS for a duration   Long max-age is hard to unwind
Content-Security-Policy       Restricts scripts and loads   Breaks third-party embeds if too tight
Cross-Origin-Opener-Policy    Isolates browsing context     Can affect cross-window integrations

Related

nginx SSL, nginx configuration, server blocks, Apache SSL (compare)

Frequently Asked Questions

Q. Why use add_header with the always flag?

Without always, nginx may omit headers on error responses—policies should usually apply to 4xx and 5xx pages too.

Q. Why do headers disappear in nested locations?

Child locations replace parent header lists unless you re-include shared snippets—inheritance is not merged by default.

Q. How should I roll out Content-Security-Policy?

Begin with Content-Security-Policy-Report-Only, collect violations, then enforce once sources are accurate.

Q. What does HSTS preload imply?

Preload lists require HTTPS on apex and subdomains with a long max-age—mistakes can lock users out until fixed.

Q. What is Permissions-Policy used for?

It disables or scopes powerful browser features such as camera, microphone, and geolocation per origin.

Q. How does Referrer-Policy help privacy?

It limits how much URL data is sent to third parties on navigation and subresource requests.

Q. Should I rely on X-Frame-Options or CSP for clickjacking?

Prefer CSP frame-ancestors for modern browsers; X-Frame-Options is simpler but less expressive.

Q. What is cross-origin isolation?

COOP and CORP combine with Cross-Origin-Embedder-Policy to enable stronger process isolation for some advanced APIs.