How to Harden Nginx Against Common Attacks
Hardening Nginx on your Breeze mitigates common web attacks such as clickjacking, cross-site scripting (XSS), brute-force logins and information disclosure. All of the directives below go in the main configuration or in your site's server block unless noted otherwise.
Hide Server Version
Prevent Nginx from revealing its version number in the Server header and on error pages. Put this in the http block; the header still reads "Server: nginx", only the version is dropped:
server_tokens off;
Add Security Headers
Place these directives in your server block. The always parameter keeps them on error responses too. Note that add_header is not inherited into a location block that sets its own add_header, so any location that adds even one header must repeat the full set (or include a shared snippet):
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "0" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self';" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
The X-XSS-Protection auditor has been removed from current browsers, and in older ones the "1; mode=block" setting could be abused to leak information, so send "0" (or omit the header); Content-Security-Policy is its replacement. A policy of default-src 'self' blocks inline scripts, inline styles and third-party assets, so test it as Content-Security-Policy-Report-Only before enforcing it. Strict-Transport-Security only takes effect over HTTPS, and includeSubDomains commits every subdomain to HTTPS, so send it from the TLS server block only.
Rate Limiting
Slow down brute-force logins and simple request floods (a single server's rate limit does not stop a distributed DDoS). Declare the zone in the http context and apply it in the location you want to protect:
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/s;
location /login {
limit_req zone=login burst=10 nodelay;
proxy_pass http://backend;
}
5r/s is generous for a login form; something like 10r/m with a small burst is closer to what a human needs. The zone is keyed on $binary_remote_addr, so clients behind a shared NAT share one bucket, and behind a CDN or load balancer every request appears to come from the proxy: configure set_real_ip_from and real_ip_header first, otherwise the limit hits the proxy instead of the attacker. Add limit_req_status 429; to return a more accurate status than the default 503.
Restrict HTTP Methods
Reject methods the application does not use. Place this in the server block, where an if containing only a return is safe; add OPTIONS if you serve CORS preflights and PUT/DELETE if your API uses them:
if ($request_method !~ ^(GET|HEAD|POST)$) {
return 405;
}
Disable Unnecessary Features
- Remove autoindex on; from all locations so directory listings are never served.
- Block access to hidden files such as .git, .env and .htpasswd (if you use ACME certificates, add a more specific location for /.well-known/acme-challenge/ so validation still works):
location ~ /\. { deny all; }
- Limit the request body size to what your uploads actually need:
client_max_body_size 10m;
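The following configuration is an added example, not taken from the original page or from any Breeze default configuration: it assembles the directives above into one hardened site with a plain-HTTP redirect, an HTTPS server block, the header set, method and dotfile restrictions and a throttled login location. The hostname example.com, the certificate and web-root paths, the upstream address 127.0.0.1:8080 and the rate of 10r/m are assumptions to adjust for your deployment.

```nginx
# Added example (not from the original page): the hardening directives combined
# into one site. Hostname, paths, upstream address and limits are placeholders.
# This fragment belongs inside the http{} context (e.g. /etc/nginx/conf.d/site.conf).

limit_req_zone  $binary_remote_addr zone=login:10m rate=10r/m;   # ~1 login attempt per 6 s per client IP
limit_conn_zone $binary_remote_addr zone=perip:10m;
server_tokens off;                                               # version hidden, "Server: nginx" remains

upstream backend {
    server 127.0.0.1:8080;                                       # placeholder application address
}

server {
    listen 80;
    server_name example.com;

    # ACME HTTP-01 challenges must stay reachable over plain HTTP
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;                               # placeholder path
    }

    # everything else goes to HTTPS; HSTS is only honoured over TLS
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/certs/example.com.pem;          # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;        # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Security headers. add_header is not inherited by a location{} that sets
    # its own add_header, so the locations below deliberately add none.
    add_header X-Frame-Options           "SAMEORIGIN" always;
    add_header X-Content-Type-Options    "nosniff" always;
    add_header X-XSS-Protection          "0" always;             # legacy auditor disabled; CSP replaces it
    add_header Referrer-Policy           "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy   "default-src 'self'; object-src 'none'; frame-ancestors 'self';" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    client_max_body_size 10m;

    # methods the application does not use; a bare return inside if is safe in server{}
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }

    # dotfiles (.git, .env, .htpasswd, ...) are never served from this host
    location ~ /\. {
        deny all;
    }

    # login form: throttled per client IP, 429 instead of the default 503
    location /login {
        limit_req zone=login burst=5 nodelay;
        limit_req_status 429;
        proxy_pass http://backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        limit_conn perip 20;                                     # concurrent connections per client IP
        proxy_pass http://backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The ACME exception lives in the port-80 server so certificate renewal keeps working while the HTTPS server still refuses every dotfile path. If this host sits behind a CDN or load balancer, add set_real_ip_from and real_ip_header X-Forwarded-For in the http context before relying on the per-IP zones, and relax the CSP only after checking the browser console for blocked inline scripts and styles.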
Test and reload your configuration:
sudo nginx -t && sudo systemctl reload nginx
These hardening steps significantly improve the security posture of Nginx on your Breeze.