Secure Resource and Assets Storage directory with NGINX. Here is a list of all the security features present in the configuration:
- HTTP to HTTPS Redirect:
- Ensures all traffic is encrypted by redirecting HTTP requests to HTTPS.
- SSL Configuration:
- Uses secure SSL protocols (TLSv1.2, TLSv1.3) and strong ciphers (HIGH:!aNULL:!MD5).
- Security Headers:
- `X-Content-Type-Options nosniff`: Prevents browsers from interpreting files as a different MIME type.
- `X-Frame-Options DENY`: Prevents clickjacking by not allowing the site to be framed.
- `X-XSS-Protection "1; mode=block"`: Enables Cross-Site Scripting (XSS) filtering.
- `Referrer-Policy no-referrer-when-downgrade`: Controls the amount of referrer information sent with requests.
- `Content-Security-Policy "default-src 'self'"`: Restricts resources (scripts, styles, etc.) to be loaded only from the same origin.
- Disable Directory Listing:
- `autoindex off;`: Prevents listing of directory contents.
- Limit Client Request Body Size:
- `client_max_body_size 30M;`: Limits the size of client requests to 30 megabytes globally.
- `client_max_body_size 10M;`: Limits the size of client requests to 10 megabytes within the `/storage` location.
- Deny Access to Sensitive Files:
- `location ~ /\.ht { deny all; }`: Denies access to hidden files whose names start with `.ht`.
- Host Validation:
- `if ($host != $server_name) { return 444; }`: Returns a 444 status code (NGINX closes the connection without sending a response) if the requested host does not match the server name.
- Custom Error Pages:
- `error_page 404 /storage/404.xml;`: Custom 404 error page for `/storage`.
- `error_page 403 /storage/403.xml;`: Custom 403 error page for `/storage`.
- File Extension Handling:
- `try_files $uri =404;`: Returns a 404 status code if the requested file is not found.
- `if ($request_filename ~* ^.*?\.(exe|php|py|pl|cgi|bin|sh|bat|dll|asp|aspx|jsp|html|htm|shtml|phtml|php3|php4|php5|php6|php7)$) { return 403; }`: Returns a 403 status code for the listed executable and script file extensions.
- Deny PHP File Access:
- `location ~ \.php$ { deny all; }`: Denies access to PHP files within the `/storage` location.
- CORS Configuration:
- Allows cross-origin requests only from the server's own domain:
- `add_header 'Access-Control-Allow-Origin' "$http_origin" always;`
- `add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT' always;`
- `add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;`
- Returns a 204 status code for preflight OPTIONS requests.
- Logging:
- `access_log /var/log/nginx/access.log;`: Logs access requests.
- `error_log /var/log/nginx/error.log warn;`: Logs error messages at the warning level.
These security measures help protect the server from various types of attacks and ensure secure handling of requests and data.
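The following server block is an added example, not the configuration this page describes, showing one way to assemble the directives listed above. The domain `storage.example.com`, the document root and the certificate paths are placeholders. It departs from the list in two places a practitioner would want to check: `Access-Control-Allow-Origin` is taken from a `map` allowlist rather than echoing `$http_origin` (echoing reflects whatever origin the client sends, so it does not restrict requests to the server's own domain), and the security headers are repeated inside `/storage`, because NGINX does not inherit `add_header` into a location that declares its own `add_header`.

```nginx
# Added example (not the original configuration). Placeholders: domain,
# root, certificate paths. Assumes the map is placed in the http context.

# Only the listed origin is reflected; any other origin yields an empty
# value, and add_header omits a header whose value is empty.
map $http_origin $cors_origin {
    default                        "";
    "https://storage.example.com"  $http_origin;   # placeholder origin
}

# HTTP to HTTPS redirect. $server_name is used rather than $host so the
# redirect target cannot be steered by the request's Host header.
server {
    listen 80;
    server_name storage.example.com;               # placeholder
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name storage.example.com;               # placeholder
    root /var/www/assets;                          # placeholder

    ssl_certificate     /etc/nginx/certs/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/nginx/certs/privkey.pem;     # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # Host validation: 444 closes the connection without a response.
    if ($host != $server_name) { return 444; }

    client_max_body_size 30M;
    autoindex off;
    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log warn;

    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header X-XSS-Protection "1; mode=block" always;   # ignored by current browsers; kept as listed
    add_header Referrer-Policy no-referrer-when-downgrade always;
    add_header Content-Security-Policy "default-src 'self'" always;

    # .htaccess, .htpasswd and similar
    location ~ /\.ht { deny all; }

    location /storage {
        client_max_body_size 10M;
        error_page 404 /storage/404.xml;
        error_page 403 /storage/403.xml;

        # Repeated here: the CORS add_header lines below would otherwise
        # drop every add_header inherited from the server level.
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options DENY always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy no-referrer-when-downgrade always;
        add_header Content-Security-Policy "default-src 'self'" always;

        # Weak form, shown for comparison (reflects any origin):
        #   add_header 'Access-Control-Allow-Origin' "$http_origin" always;
        add_header 'Access-Control-Allow-Origin' $cors_origin always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT' always;
        add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
        add_header Vary Origin always;   # response varies by Origin, so caches must key on it

        if ($request_method = OPTIONS) { return 204; }

        # Evaluated in the rewrite phase, before try_files: a blocked
        # extension gets 403 even when the file does not exist.
        if ($request_filename ~* ^.*?\.(exe|php|py|pl|cgi|bin|sh|bat|dll|asp|aspx|jsp|html|htm|shtml|phtml|php3|php4|php5|php6|php7)$) { return 403; }

        # Nested regex location: PHP stays denied even if the list above changes.
        location ~ \.php$ { deny all; }

        try_files $uri =404;
    }
}
```

Run `nginx -t` after editing to check the syntax before reloading. The `Vary: Origin` header is added because the allowlist makes the response depend on the request's `Origin`; without it a shared cache could serve one origin's CORS response to another.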