{"id":1172,"date":"2024-03-20T00:00:00","date_gmt":"2024-03-19T23:00:00","guid":{"rendered":"https:\/\/www.anderson.nl\/?p=1172"},"modified":"2024-11-17T16:09:52","modified_gmt":"2024-11-17T16:09:52","slug":"aanmaken-security-headers-in-nginx","status":"publish","type":"post","link":"https:\/\/anderson.nl\/?p=1172","title":{"rendered":"Creating Security Headers in NGINX"},"content":{"rendered":"\n<p>To safeguard the security and integrity of your website you use <strong>security headers<\/strong>. <br>In the article below I show how I added the headers to my NGINX web server. You put the headers in the web server's conf file, which you will find in \/etc\/nginx\/sites-enabled\/jouwwebsite.nl. In the example below I use the web server I built in the article WordPress on a Raspberry Pi.<\/p>\n\n\n\n<p>We test the security headers with the website https:\/\/securityheaders.com; here is a screenshot of where we start.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1195\" height=\"303\" src=\"http:\/\/anderson.nl\/wp-content\/uploads\/2024\/03\/image-1.png\" alt=\"\" class=\"wp-image-1177\"\/><\/figure>\n\n\n\n<p>Log in to your web server via SSH, run the command below and replace &#8217;techblogdemo.nl&#8217; with your own domain name. 
In the configuration file you only need to add the text shown in bold, i.e. the lines that begin with &#8216;add_header&#8217;.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>sudo nano \/etc\/nginx\/sites-enabled\/<\/strong><em>techblogdemo.nl<\/em><strong>.conf<\/strong><\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code># WordPress single site rules.\n# Designed to be included in any server {} block.\n# Upstream to abstract backend connection(s) for php\nupstream php {\n        server unix:\/run\/php\/php7.4-fpm.sock;\n}\nserver {\n        listen   80;\n        ## Your website name goes here.\n        server_name techblogdemo.nl www.techblogdemo.nl;<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background has-link-color wp-elements-0993a7339b94beb6f18fb95f1e2d6b7c\" style=\"font-size:8px\"><code>## Your Security Headers here.\n        # \"always\" also sends the header on 4xx\/5xx responses; without it nginx only adds\n        # the header to 2xx\/3xx responses. add_header directives are inherited by location\n        # blocks only if those blocks set no add_header of their own.\n        add_header Content-Security-Policy \"default-src 'self' https:\/\/*.techblogdemo.nl; form-action 'self' https:\/\/*.techblogdemo.nl; base-uri 'self' https:\/\/*.techblogdemo.nl; frame-ancestors 'none'\" always;\n        add_header X-Content-Type-Options \"nosniff\" always;\n        # X-XSS-Protection is a deprecated, non-standard header; most current browsers ignore it.\n        add_header X-XSS-Protection \"1; mode=block\" always;\n        add_header X-Frame-Options \"SAMEORIGIN\" always;\n        add_header 'Access-Control-Allow-Origin' 'https:\/\/www.techblogdemo.nl' always;\n        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;\n        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;\n        # Permissions-Policy origins must be quoted strings, and an empty allowlist is \"()\", not \"(none)\".\n        add_header Permissions-Policy 'geolocation=(self \"https:\/\/techblogdemo.nl\"), microphone=()' always;\n        # HSTS is only honoured by browsers when it is received over HTTPS.\n        add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains\" always;\n        add_header Referrer-Policy \"strict-origin\" always;<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>        ## Your only path reference.\n        root \/var\/www\/techblogdemo.nl;\n        
## This should be in your http block and if it is, it's not needed here.\n        index index.php;\n        location = \/favicon.ico {\n                log_not_found off;\n                access_log off;\n        }\n        location = \/robots.txt {\n                allow all;\n                log_not_found off;\n                access_log off;\n        }\n        location \/ {\n                # This is cool because no php is touched for static content.\n                # include the \"?$args\" part so non-default permalinks doesn't break when using query string\n                try_files $uri $uri\/ \/index.php?$args;\n        }\n# Deny access to any files with a .php extension in the uploads directory\n# Works in sub-directory installs and also in multisite network\n# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)\n# NOTE: regex locations are tried in order and the first match wins, so these deny\n# blocks must come BEFORE \"location ~ \\.php$\" or they never match.\n        location ~* \/(?:uploads|files)\/.*\\.php$ {\n                deny all;\n        }\n# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).\n# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)\n        location ~ \/\\. {\n                deny all;\n        }\n# WP-Admin: block external access.\n# \"^~\" stops nginx from checking the regex locations for \/wp-admin\/* requests; without it\n# \"location ~ \\.php$\" below would win for admin PHP files and bypass the allow\/deny.\n        location ^~ \/wp-admin {\n                allow 192.168.178.0\/24;\n                deny all;\n                # allow\/deny are inherited by this nested location\n                location ~ \\.php$ {\n                        include snippets\/fastcgi-php.conf;\n                        fastcgi_pass unix:\/run\/php\/php7.4-fpm.sock;\n                }\n        }\n        # An exact match takes precedence over the regex locations.\n        location = \/wp-login.php {\n                allow   192.168.178.0\/24;\n                deny    all;\n                include snippets\/fastcgi-php.conf;\n                fastcgi_pass unix:\/run\/php\/php7.4-fpm.sock;\n        }\n        location ~ \\.php$ {\n                #NOTE: You should have \"cgi.fix_pathinfo = 0;\" in php.ini\n                include fastcgi.conf;\n                fastcgi_intercept_errors on;\n                fastcgi_pass php;\n                fastcgi_buffers 16 16k;\n                fastcgi_buffer_size 32k;\n        }\n        location ~* \\.(js|css|png|jpg|jpeg|gif|ico)$ {\n                expires max;\n                log_not_found off;\n        }\n}<\/code><\/pre>\n\n\n\n<p>Now restart nginx with the command below:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>sudo systemctl restart nginx.service<\/strong><\/code><\/pre>\n\n\n\n<p>Now test your website again at https:\/\/securityheaders.com; if all went well you should now see the result below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1192\" height=\"305\" src=\"http:\/\/anderson.nl\/wp-content\/uploads\/2024\/03\/image-2.png\" alt=\"\" class=\"wp-image-1179\"\/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>To safeguard the security and integrity of your website you use security headers. In the article below I show how I added the headers to my NGINX web server. You put the headers in the web server's conf file, which you will find in \/etc\/nginx\/sites-enabled\/jouwwebsite.nl. 
In the <a href=\"https:\/\/anderson.nl\/?p=1172\" class=\"btn btn-link continue-link\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,14,15],"tags":[],"class_list":["post-1172","post","type-post","status-publish","format-standard","hentry","category-linux","category-raspberry-pi","category-security"],"_links":{"self":[{"href":"https:\/\/anderson.nl\/index.php?rest_route=\/wp\/v2\/posts\/1172","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anderson.nl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anderson.nl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anderson.nl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/anderson.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1172"}],"version-history":[{"count":3,"href":"https:\/\/anderson.nl\/index.php?rest_route=\/wp\/v2\/posts\/1172\/revisions"}],"predecessor-version":[{"id":3014,"href":"https:\/\/anderson.nl\/index.php?rest_route=\/wp\/v2\/posts\/1172\/revisions\/3014"}],"wp:attachment":[{"href":"https:\/\/anderson.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1172"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anderson.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1172"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anderson.nl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1172"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}