Adding and removing nginx response headers

If you’re using nginx as your preferred web server, reverse proxy, load balancer or HTTP cache, then you might be familiar with HTTP response headers.

Nginx allows you to customise those HTTP response headers very easily.

Adding response headers

Adding response headers is quite forward, as you can use the add_header directive documented here. Here’s an example which should help against cross-site scripting:

The directive can be defined on an  httpserver or  location context. This is quite straightforward, isn’t it?

Removing and modifying response headers

The documentation states the following:

There could be several add_header directives. These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.

So, let’s say the http context defines a  X-Frame-Options header, which is fine for all of your available sites (i.e. servers), except for one. For this case, you’ve to set the header in your server context again:

However – and this is important – as you now have defined a header in your  server context, all the remaining headers defined in the  http  context will no longer be inherited. Means, you’ve to define them in your server context again (or alternatively ignore them if they’re not important for your site).

But what about removing pre-defined headers of the http context in your server context?
Let’s say we want to remove that pre-defined  X-Frame-Options header in our server context.
With the inheritance lesson learned before, we can now simply set any header in the server context to get rid of the headers in the http  context, or we can use the following workaround:

Adding headers to a proxy upstream

If you’re using nginx as reverse proxy and you want to add headers to your proxy upstream, then you’re interested in the proxy_set_header directive documented here. Here’s an example of our default proxy headers:

Please note the  $host$remote_addr and $proxy_add_x_forwarded_for variables are defined by deafult by nginx. A list of all variables can be found here.

Better control of HTTP headers

To take better control of your custom and even default nginx headers, you should’ve a look at the headers-more-nginx-module.
Unfortunately, you’ve to compile nginx and this module all by yourself, as this module isn’t distributed with nginx.

Security-related HTTP headers

There are some security-related HTTP response headers. On our servers, we’re setting the following headers by default:

The Strict-Transport-Security header (often abbreviated as HSTS) tells the client that the resource should only be accessed by HTTPS. This helps for MITM (man-in-the-middle) attacks, as the client “forces” an SSL-encrypted connection in case it visited the site before.

The X-Frame-Options and X-Content-Type-Options are used to prevent cross-site scripting, for example in iframes.

Leave a Reply

Your email address will not be published. Required fields are marked *