I tried hardening a web application's security with Nginx response headers.
Response headers to add
Cache-Control: no-store
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Checking the state before the change
$ curl -I https://test.mnrst.com/
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Sat, 06 Jan 2024 00:37:40 GMT
Server: nginx/1.24.0
Cache-Control: max-age=3, must-revalidate
Vary: Accept-Encoding, Cookie
X-Powered-By: PHP/8.2.8
Add the following to the Nginx configuration file
add_header Cache-Control no-store;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
Checking the state after the change
$ curl -I https://test.mnrst.com/
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Sat, 06 Jan 2024 00:52:46 GMT
Server: nginx/1.24.0
Cache-Control: max-age=3, must-revalidate
Cache-Control: no-store
Vary: Accept-Encoding, Cookie
X-Powered-By: PHP/8.2.8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
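The before/after check above is done by eye. As an added example (not part of the original post, and not Nginx's own tooling), the script below turns that check into a small POSIX sh function: it reads raw response headers as `curl -sI` prints them, normalizes header names (which are case-insensitive), and reports whether each of the three added headers is present with the expected value. A second function counts how often a given header occurs, which makes the duplicate Cache-Control visible in the "after" output. The header samples inside the script are constructed to mirror the post's curl output; they were not captured from a server.

```shell
#!/bin/sh
# Added example, not part of the original post: check a server's response
# headers for the three hardening headers the post adds, and count how many
# times a given header appears. Assumes POSIX sh with tr, sed and grep.
# The header samples below are constructed to mirror the post's curl output;
# they were not captured from a live server.

# Required header name and value, one "name:value" per line, lowercase.
REQUIRED='cache-control:no-store
x-content-type-options:nosniff
x-frame-options:sameorigin'

# Constructed sample: the "before" state (only the upstream's own Cache-Control).
SAMPLE_BEFORE='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: nginx/1.24.0
Cache-Control: max-age=3, must-revalidate
Vary: Accept-Encoding, Cookie
X-Powered-By: PHP/8.2.8
'

# Constructed sample: the "after" state, with Nginx's add_header lines appended.
# Cache-Control now appears twice: the upstream value and the added one.
SAMPLE_AFTER='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: nginx/1.24.0
Cache-Control: max-age=3, must-revalidate
Cache-Control: no-store
Vary: Accept-Encoding, Cookie
X-Powered-By: PHP/8.2.8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
'

# normalize: strip CR, lowercase everything (header names are case-insensitive),
# and remove whitespace around the first colon so each line reads "name:value".
normalize() {
    tr -d '\r' | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*:[[:space:]]*/:/'
}

# check_headers: read raw response headers (e.g. the output of `curl -sI URL`)
# on stdin, print one line per required header, and return 0 only if every
# required header is present with the expected value.
check_headers() {
    headers=$(normalize)
    missing=0
    for req in $REQUIRED; do
        name=${req%%:*}
        value=${req#*:}
        if printf '%s\n' "$headers" | grep -q "^$name:.*$value"; then
            echo "ok       $name: $value"
        else
            echo "MISSING  $name: $value"
            missing=1
        fi
    done
    return $missing
}

# count_header NAME: print how many times header NAME occurs in the headers on stdin.
count_header() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    normalize | grep -c "^$name:" || true
}

# Stand-alone run against the constructed samples.
# Against a live server:  curl -sI https://example.invalid/ | check_headers
echo "before:"
printf '%s' "$SAMPLE_BEFORE" | check_headers || true
echo "after:"
printf '%s' "$SAMPLE_AFTER" | check_headers
echo "Cache-Control count after: $(printf '%s' "$SAMPLE_AFTER" | count_header Cache-Control)"
```

Two Nginx details worth knowing when reading the "after" output: `add_header` only appends, so the upstream's `Cache-Control: max-age=3, must-revalidate` is still sent alongside the new `no-store` (to drop the upstream value use `fastcgi_hide_header Cache-Control;` or `proxy_hide_header Cache-Control;` as appropriate for the backend), and `add_header` by default applies only to 2xx/3xx responses; append the `always` parameter (`add_header X-Frame-Options SAMEORIGIN always;`) if error pages should carry the headers too. Also note that `add_header` directives are inherited from the enclosing level only when the current `location` has none of its own, so a `location` with its own `add_header` silently loses the ones set at `server` level.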

References
https://nginx.org/en/docs/http/ngx_http_headers_module.html
Tag: Nginx