
The following two headers are also useful:

    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options DENY;
The first one tells browsers they should never try to visit the HTTP version of this site; even if the user clicks on an HTTP link, the browser will visit the HTTPS version. This helps prevent SSL stripping attacks.

The second prevents browsers from including this site in an iframe or frame, which helps prevent clickjacking attacks. If your site depends on those you can also set the option to SAMEORIGIN.

https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Option... https://developer.mozilla.org/en-US/docs/Security/HTTP_Stric... https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
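A small audit script for the two headers described in the comment above, added here as an example (it is not part of the thread or of the blog post it discusses). It works on a plain dictionary of response headers so it runs offline; the sample header sets are constructed, and the one-year `max-age` threshold is taken from the nginx line in the comment. With a live site you would pass `resp.headers` from an HTTPS fetch instead.

```python
"""Audit HTTP response headers for Strict-Transport-Security (HSTS) and
X-Frame-Options, the two hardening headers recommended in the comment.

Added example, not code from the thread. Input is a dict of header
name -> value; header names are matched case-insensitively, as HTTP
requires.
"""
from typing import Dict, List, Optional

# One year in seconds, the max-age used in the comment's nginx snippet.
HSTS_MIN_MAX_AGE = 31536000

# The X-Frame-Options values browsers honour.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse an HSTS value such as 'max-age=31536000; includeSubDomains'.

    Returns lower-cased directive names; 'max-age' is an int (or None when
    malformed) and flag directives like includeSubDomains map to True.
    """
    parsed: Dict[str, object] = {}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        if "=" in directive:
            key, _, raw = directive.partition("=")
            key = key.strip().lower()
            raw = raw.strip().strip('"')
            if key == "max-age":
                try:
                    parsed[key] = int(raw)
                except ValueError:
                    parsed[key] = None  # malformed max-age: browsers ignore the header
            else:
                parsed[key] = raw
        else:
            parsed[directive.lower()] = True
    return parsed


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means both headers look right."""
    findings: List[str] = []

    hsts = _lookup(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS missing: browsers will still follow http:// links")
    else:
        max_age = parse_hsts(hsts).get("max-age")
        if max_age is None:
            findings.append("HSTS has no valid max-age; browsers ignore the header")
        elif max_age == 0:
            findings.append("HSTS max-age=0 switches the policy off")
        elif max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is shorter than one year")

    xfo = _lookup(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif xfo.strip().upper() not in VALID_XFO:
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")

    return findings


# Constructed sample responses for demonstration.
HARDENED = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "DENY",
}
WEAK = {
    "content-type": "text/html",
    "strict-transport-security": "max-age=300",
    "x-frame-options": "ALLOWALL",
}
MISSING = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK), ("missing", MISSING)):
        print(label, audit_headers(hdrs) or ["ok"])
```

The script treats a short `max-age` as a finding because an expiring HSTS entry leaves a window in which an `http://` link is followed again; `includeSubDomains` is a further tightening the comment does not cover. Note that HSTS is only acted on when received over HTTPS, so the check is meaningful on the TLS response rather than on the plain-HTTP redirect.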



We currently are setting Strict-Transport-Security with rails, but as I said in the comments of the blog, I think that setting this header inside nginx could be a better idea.


Done! Just updated the post with your suggestions. Thanks for that.
