
How to Configure HSTS and Security Headers for Nginx

By Admin · Mar 1, 2026 · Updated Apr 24, 2026 · 1 min read


HTTP security headers help protect your Breeze-hosted applications against common attacks such as clickjacking, cross-site scripting (XSS), and protocol downgrade. Adding these headers to Nginx takes only a few minutes.

Essential Security Headers

Add the following to your Nginx server block or an included snippet:

# /etc/nginx/snippets/security-headers.conf

# Force HTTPS for 1 year, include subdomains
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# Prevent clickjacking
add_header X-Frame-Options "SAMEORIGIN" always;

# Block MIME-type sniffing
add_header X-Content-Type-Options "nosniff" always;

# Control referrer information
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Restrict browser features
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

# Content Security Policy (adjust to your app). 'unsafe-inline' on style-src is a
# common concession; drop it if your app serves no inline styles.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;

Include in Your Server Block

server {
    listen 443 ssl http2;
    server_name yourdomain.com;

    include snippets/security-headers.conf;

    # Nginx inherits add_header directives from this level into a location
    # block only when that block declares none of its own; any location that
    # sets even one add_header must include the snippet again.

    # ... rest of your config
}

Test and Reload

sudo nginx -t
sudo systemctl reload nginx

# Verify headers
curl -I https://yourdomain.com

HSTS Preload

Once you are confident HTTPS works everywhere, submit your domain to the HSTS preload list. This ensures browsers always use HTTPS even on the first visit, before receiving the header. Be sure all subdomains support HTTPS before enabling includeSubDomains.
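As an added example (not part of this article or of Breeze's own tooling), the following POSIX shell script checks a captured response against the snippet above: it confirms that all six headers are present and that the Strict-Transport-Security value meets the preload list's header requirements (a max-age of at least 31536000 seconds, plus includeSubDomains and preload). The response text is a constructed sample; real `curl -sI` output can be fed to the same functions.

```shell
#!/bin/sh
# Added example, not part of the original article: an offline check that a
# captured response carries every header from security-headers.conf and that
# the HSTS value meets the preload-list requirements (max-age of at least one
# year = 31536000 seconds, includeSubDomains, preload).

# Constructed sample of what `curl -sI https://yourdomain.com` returns once the
# snippet is included. For a live check: resp=$(curl -sI "$URL").
SAMPLE_HEADERS=$(cat <<'EOF'
HTTP/2 200
server: nginx
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
content-security-policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';
EOF
)

# The six headers set by snippets/security-headers.conf. Header names are
# case-insensitive, so everything is compared in lower case.
REQUIRED_HEADERS="strict-transport-security x-frame-options x-content-type-options referrer-policy permissions-policy content-security-policy"

# header_value HEADERS NAME: print the value of the first header called NAME;
# exit 1 when the header is absent. CRs are stripped so raw curl output works.
header_value() {
    lname=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | tr -d '\r' | awk -v name="$lname" '
        { i = index($0, ":") }
        i > 0 && tolower(substr($0, 1, i - 1)) == name {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v
            found = 1; exit
        }
        END { if (found) exit 0; exit 1 }'
}

# missing_headers HEADERS: print each required header that is absent, one per
# line; exit 0 only when nothing is missing.
missing_headers() {
    missing=0
    for h in $REQUIRED_HEADERS; do
        if ! header_value "$1" "$h" >/dev/null; then
            printf '%s\n' "$h"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# hsts_preload_ready VALUE: exit 0 when the Strict-Transport-Security value
# satisfies the preload list's header requirements.
hsts_preload_ready() {
    max_age=""; has_sub=0; has_preload=0
    # Split on ';', drop whitespace, compare directive names case-insensitively.
    for d in $(printf '%s' "$1" | tr -d ' \t' | tr ';' ' '); do
        case $(printf '%s' "$d" | tr 'A-Z' 'a-z') in
            max-age=*) max_age=${d#*=} ;;
            includesubdomains) has_sub=1 ;;
            preload) has_preload=1 ;;
        esac
    done
    case $max_age in ''|*[!0-9]*) return 1 ;; esac
    [ "$max_age" -ge 31536000 ] && [ "$has_sub" -eq 1 ] && [ "$has_preload" -eq 1 ]
}

# Stand-alone run against the constructed sample.
if absent=$(missing_headers "$SAMPLE_HEADERS"); then
    echo "all six security headers present"
else
    echo "missing headers:"; printf '%s\n' "$absent"
fi
hsts=$(header_value "$SAMPLE_HEADERS" Strict-Transport-Security) || hsts=""
if hsts_preload_ready "$hsts"; then
    echo "HSTS header is preload-eligible"
else
    echo "HSTS header is not preload-eligible: '$hsts'"
fi
```

Run it against several paths, not just the front page: a response served by a location block that carries its own add_header directives can come back without these headers while the front page passes. Check the https:// URL specifically, since browsers ignore a Strict-Transport-Security header received over plain HTTP.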
