getpagespeed / ngx_security_headers Goto Github PK

Allow specifying CSP header using "free-form" string.
There is no one-suits everyone value.
The module should support setting it anyway, as this will eliminate having to have header-more module completely, in most setups.

Hi.
I'm not able to install it using yum although yum is working on my server. it says unable to open....
is there any other way i can download and install the module.
thanks logs are below:
sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
Failed to set locale, defaulting to C
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Cannot open: https://extras.getpagespeed.com/release-latest.rpm. Skipping.
Error: Nothing to do

Hi,

It's not security related, but would it be possible to insert the h3 svc header?
Or otherwise create a function to insert a custom header defined in nginx.conf?

I'm use the link install nginx on centos 7 https://nginx.org/en/linux_packages.html#RHEL-CentOS
use the follow command install ngx_security_headers

sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
sudo yum -y install nginx-module-security-headers

I'm not find the ngx_http_security_headers_module.so file

It's potentially dangerous for the default to include preload in the header, because of any misconfiguration or mistake. If a browser adds a domain into the preload list without the proper configuration or requirements, that domain will be broken, unless removed from the preload list which can take time and is a manual process.

https://hstspreload.org/#opt-in

Having preload added to the header should be an opt-in setting, rather than hard coded into the module by default. It also doesn't make sense for an nginx server that may just serving subdomains. The preload value would only apply on the root domain.

The compile on other platforms module states the following:

./configure --with-compat --add-module=../ngx_security_headers
make 
make install

However, I am trying to compile this module on Ubuntu Server, but there is no .configure file in the root directory, so the ./configure --with-compat --add-module=../ngx_security_headers command doesn't work. How am I supposed to configure this module and compile it? Please help.

I'm using a Windows server with nginx and I want to use this to hide nginx in header. It appears I need to compile nginx with this module which seems to be quite complicated. Is there any released binary that I can use it easily?

Just here to chime in and say that if you are using ModSecurity-nginx / ModSecurity (v3), there is a conflict and you'd see errors like this in nginx error log. The module itself doesn't cause this, but I had the directive security_headers on; which caused this. Haven't tested with other directives. Hope this helps anyone coming across this one. Difficult to find.

2019/08/20 19:56:31 [alert] 2957#2957: worker process 2980 exited on signal 6
terminate called after throwing an instance of 'std::bad_alloc'

How about, before anything else this module is great.

Is there any way to overwrite the Referrer-Policy header?

I have seen that this module adds the header with the default "no-referrer-when-downgrade" and if I add the add_header instruction with the value "no-referrer" two headers with different values are added.

Currently, Mozilla and Google do not recommend setting X-XSS-Protection to enabled state due to the fact that the XSS auditor can even create new XSS vulnerabilities in otherwise secure websites. X-XSS-Protection: 0 is preferred.

NGINX 1.18.0

I tested this module out and while it did add all other security headers, the Strict-Transport-Security header was not output.

I have a server block defined with listen directives for SSL, configured with a valid LetsEncrypt certificate.

I can only assume this condition for whatever reason does not detect an SSL request.

https://github.com/GetPageSpeed/ngx_security_headers/blob/master/src/ngx_http_security_headers_module.c#L258-L265

nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-KTLRnK/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

First of all, thank you for this module. I'm using it on all of my servers with succes.
I did a fresh git pull. Unfortunately, preload doesn't work.

Configure flags:

nginx version: nginx/1.21.6
built by gcc 8.3.0 (Debian 8.3.0-6) 
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --user=www-data --group=www-data --with-http_v2_module --with-http_ssl_module --with-http_v2_hpack_enc --with-pcre-jit --with-file-aio --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_mp4_module --with-http_realip_module --with-http_stub_status_module --with-threads --with-libatomic --with-zlib=/usr/local/src/zlib --with-zlib-opt='-O3 -march=native -flto -fuse-linker-plugin' --with-http_gzip_static_module --with-openssl=/usr/local/src/openssl-3.0.2 --with-openssl-opt='no-zlib enable-rfc3779 enable-ec_nistp_64_gcc_128 no-tests no-unit-test -DCFLAGS=-O3 -march=native -flto -fuse-linker-plugin' --add-module=/usr/local/src/headers-more-nginx-module --add-module=/usr/local/src/echo-nginx-module --add-module=/usr/local/src/ngx_http_substitutions_filter_module --add-module=/usr/local/src/srcache-nginx-module --add-module=/usr/local/src/redis2-nginx-module --add-module=/usr/local/src/ngx_http_redis-0.3.9 --add-module=/usr/local/src/ngx_devel_kit --add-module=/usr/local/src/set-misc-nginx-module --add-module=/usr/local/src/ngx_brotli --add-module=/usr/local/src/ngx_security_headers --add-module=/usr/local/src/ngx_immutable --with-cc-opt='-DTCP_FASTOPEN=23 -march=native -flto -O3 -fuse-linker-plugin -Wno-error=strict-aliasing -fstack-protector-strong -D_FORTIFY_SOURCE=2' --with-ld-opt='-lrt -z relro -fstack-protector-strong'

In the nginx config I added security_headers on; in the main http block.

Header output:

❯ curl --compressed -IL "https://www.weblogzwolle.nl/"
HTTP/2 200 
server: nginx
date: Wed, 16 Mar 2022 21:20:51 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
set-cookie: wordpress_test_cookie=WP%20Cookie%20check; path=/
link: <https://www.weblogzwolle.nl/wp-json/>; rel="https://api.w.org/"
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
strict-transport-security: max-age=63072000; includeSubDomains
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin-when-cross-origin
x-cache: HIT
x-cache-2: BYPASS
public-key-pins: pin-sha256="fAYmhNNLaXs7XP8rVh/3+nACEdZefovkCJt8cZQFcDQ="; pin-sha256="C8AGueBZ5S3lFTVCU+/S3Fteku3NGRa0MHkeMsjvAKk="; pin-sha256="6tMzCDSUXMz7f8wecFye+mg5jgw7125rFQFODpx49xc="; pin-sha256="d4ilv6cF8gYda+qqKSdDulWJR7nfZdt1M6Hi/494i9Y="; max-age=5184000; report-uri="https://hansvaneijsden.report-uri.com/r/d/hpkp/enforce";
content-security-policy: upgrade-insecure-requests
expect-ct: enforce,max-age=604800
content-encoding: br

System:

❯ uname -a
Linux vps 5.10.0-0.bpo.11-amd64 #1 SMP Debian 5.10.92-1~bpo10+1 (2022-02-03) x86_64 GNU/Linux

I have this problem on all of my servers and vhosts.
What am I doing wrong? Please let me know if you need more information, I'm happy to provide it.

Cachability that is exposed via HTTP headers, is a security risk.

URLs which are found to be uncacheable all the time through those headers pose a threat
of denial of service against them.

List of common cachability headers:

• x-varnish
• x-cache
• x-cache-hits
• x-cache-status (so essentially x-cache*)

While in-development, all hidden headers are good to be shown, e.g. #3 would hide caching headers, which need to be seen.

Need a method to bypass hiding based on IP/cookie/etc.

E.g. Age (exposing cacheability) or Via should be hidden.

Add ability to show the headers by passing a special secret request var or header.

Implement new upcoming HTTP Cross-Origin headers.

Sources:

• https://owasp.org/www-project-secure-headers/
• https://scotthelme.co.uk/coop-and-coep/

release prebuilt package in apt repository