Nyra Amsi

Originally published at irexta.com

From Grade F to A+: The Ultimate HTTP Security Headers Guide

A stock Nginx or Apache install sends none of the protective response headers described below, so it is insecure by default at the HTTP layer. Your firewall may be strong, but without these headers the browser's handling of your pages is wide open to MIME sniffing, clickjacking, and XSS.

At iRexta, we audited hundreds of servers only to find most running on a "Grade F" security score. Here is how to fix it using the "Big 6" security headers.

๐Ÿ›ก๏ธ The Security Checklist

  1. HSTS (Strict-Transport-Security): Tells the browser to use HTTPS only for the given period, which defeats SSL stripping on later visits.
  2. CSP (Content-Security-Policy): The primary defense against XSS, by restricting where scripts and other resources may be loaded from.
  3. Permissions-Policy: Explicitly disables access to the camera, microphone and geolocation APIs.
  4. X-Content-Type-Options: Stops the browser from "guessing" file types (MIME sniffing) and running content as something other than its declared type.
  5. X-Frame-Options: Prevents your site from being framed by other origins (anti-clickjacking).
  6. Referrer-Policy: Limits what URL information leaks in the Referer header, protecting user privacy during navigation.

๐Ÿ› ๏ธ Nginx Implementation Snippet

Add this to your server block to harden your iRexta Dedicated Server instantly:

```nginx
# 1. Force HTTPS (HSTS). "preload" commits the domain to the browsers' built-in
#    preload lists, which is hard to undo, so add it only once every subdomain serves HTTPS.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# 2. Anti-Sniffing & Clickjacking
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;

# 3. Privacy & API Lockdown
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

# 4. CSP (start with Report-Only; replace your-endpoint.com with your own report collector)
add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; report-uri https://your-endpoint.com/csp-report;" always;

# Note: add_header is not inherited by a location block that defines its own add_header,
# so repeat this set there (or pull it in with include) to keep the headers on every response.
```

The "Don't Break Your Site" Rule

The most common mistake is enabling a strict CSP and seeing your Google Fonts or Analytics die instantly.

The Fix: Use Content-Security-Policy-Report-Only first. Monitor the violation reports for a week, add the legitimate script and style origins to the policy, and only then switch the header to the enforced Content-Security-Policy.
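The triage step above (collect a week of reports, then allow what is legitimate) is easy to automate. The following is an added example, not code from the original post or from iRexta: it parses the JSON bodies a browser POSTs to the report-uri endpoint, groups blocked sources by directive, and proposes origins to add. The sample reports, the KEYWORDS set and the two-hit threshold are constructed assumptions.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit
# Constructed sample of the JSON bodies a browser POSTs to report-uri in Report-Only mode (last one is garbage).
SAMPLE_REPORTS = [
    '{"csp-report": {"effective-directive": "style-src", "blocked-uri": "https://fonts.googleapis.com/css2?family=Inter"}}',
    '{"csp-report": {"effective-directive": "style-src", "blocked-uri": "https://fonts.googleapis.com/css2?family=Roboto"}}',
    '{"csp-report": {"effective-directive": "script-src", "blocked-uri": "https://www.google-analytics.com/analytics.js"}}',
    '{"csp-report": {"violated-directive": "script-src \'self\'", "blocked-uri": "https://www.google-analytics.com/ga.js"}}',  # older shape
    '{"csp-report": {"effective-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"effective-directive": "script-src", "blocked-uri": "https://cdn.example.net/once.js"}}',
    'not json at all',
]
# blocked-uri values that are keywords rather than origins; they cannot be allowlisted by host
KEYWORDS = {"inline", "eval", "data", "blob", "self", ""}

def parse_report(raw):
    # Return the inner csp-report object, or None for anything that is not one.
    try:
        report = json.loads(raw).get("csp-report")
    except (ValueError, AttributeError):
        return None
    return report if isinstance(report, dict) else None

def source_of(blocked_uri):
    # Reduce a blocked URL to its origin (scheme://host[:port]); keyword values pass through.
    if blocked_uri in KEYWORDS:
        return blocked_uri or "unknown"
    p = urlsplit(blocked_uri)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else blocked_uri

def summarize(raw_reports):
    # Count blocked sources per directive. Newer browsers send effective-directive; older ones only violated-directive.
    counts = defaultdict(Counter)
    for raw in raw_reports:
        r = parse_report(raw)
        if r is None:
            continue
        directive = r.get("effective-directive") or (r.get("violated-directive") or "").split(" ", 1)[0]
        if directive:
            counts[directive][source_of(r.get("blocked-uri", ""))] += 1
    return counts

def allowlist_candidates(counts, min_hits=2):
    # Origins seen at least min_hits times per directive; 'inline'/'eval' are left out on purpose (use nonces or hashes).
    picks = {d: sorted(s for s, n in c.items() if n >= min_hits and s not in KEYWORDS) for d, c in counts.items()}
    return {d: origins for d, origins in picks.items() if origins}
```

Run summarize() over the collected bodies and review allowlist_candidates() by hand before pasting the origins into the enforced policy; single-hit origins and inline hits still deserve a look rather than an automatic allow.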

Verify Your Grade

Once configured, head over to SecurityHeaders.com and scan your domain. Seeing that Grade A+ isn't just for show; it's enterprise-grade hardening.

Need the full guide for Apache or IIS? Check out our Original Security Headers Tutorial on the iRexta blog.

Ready for Hardened Infrastructure? Explore iRexta Dedicated Servers and take full control of your stack.
