This is a quick post that shows how I set up the “Feature-Policy”, “Referrer-Policy” and “Content Security Policy” headers in Nginx to tighten security and privacy.
Aside
If you have not read my previous posts: I have now moved my blog to the awesome UpCloud host (sign up using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.
Buy a domain name here
Now on with the post.
Add a Feature Policy Header
Upon visiting https://securityheaders.com/ I found references to a Feature-Policy header (a W3C standard) that, alongside the other security headers, lets you define which browser features your web page is allowed to use.
Google mentions the Feature-Policy header here.
Browser features that can be enabled or blocked with the Feature-Policy header:
- geolocation
- midi
- notifications
- push
- sync-xhr
- microphone
- camera
- magnetometer
- gyroscope
- speaker
- vibrate
- fullscreen
- payment
Feature Policy Values (allowlist keywords; note that none and self must be written with single quotes in the header)
- * = The feature is allowed in documents in top-level browsing contexts by default, and when allowed, is allowed by default to documents in nested browsing contexts.
- self = The feature is allowed in documents in top-level browsing contexts by default, and when allowed, is allowed by default to same-origin domain documents in nested browsing contexts, but is disallowed by default in cross-origin documents in nested browsing contexts.
- none = The feature is disallowed in documents in top-level browsing contexts by default and is also disallowed by default to documents in nested browsing contexts.
My Final Feature Policy Header
I added this header to Nginx
This disables all of the listed browser features when visitors access my site, except speaker and fullscreen, which stay available to same-origin documents only.
# Feature-Policy allowlist keywords must be single-quoted ('none', 'self'); a bare none/self is not a valid token and is not interpreted as the keyword
add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'self'; vibrate 'none'; fullscreen 'self'; payment 'none';";
I reloaded the Nginx config and restarted Nginx.
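As an added example (my own code, not from the original post or from Nginx), here is a small Python parser for a Feature-Policy value like the one above. It reports which origins may use each feature, can serialise a policy back into a header value, and flags the common mistake of writing none or self without the single quotes the keyword syntax requires. The function names and the sample policy string are my own.

```python
"""Interpret a Feature-Policy header value (added example, not the post's code).

Syntax handled: entries separated by ';', each entry being a feature name
followed by a space-separated allowlist.  Allowlist tokens are the quoted
keywords 'none' and 'self', the wildcard *, or origins such as
https://cdn.example.  An unquoted none/self is not a keyword: browsers try
to parse it as an origin and fail, so the feature ends up disabled either
way, which silently breaks a "speaker self" style entry.
"""
from __future__ import annotations

# Keywords the allowlist syntax recognises; they must be single-quoted.
KEYWORDS = {"'none'", "'self'", "*"}


def parse_feature_policy(value: str) -> dict[str, list[str]]:
    """Return {feature: allowlist tokens} for a Feature-Policy header value."""
    policy: dict[str, list[str]] = {}
    for entry in value.split(";"):
        tokens = entry.split()
        if not tokens:
            continue  # trailing ';' or an empty entry
        feature, allowlist = tokens[0].lower(), tokens[1:]
        policy[feature] = allowlist
    return policy


def build_feature_policy(policy: dict[str, list[str]]) -> str:
    """Serialise {feature: allowlist} back into a header value."""
    return "; ".join(f"{feature} {' '.join(allowlist)}" for feature, allowlist in policy.items())


def effective_origins(allowlist: list[str]) -> str:
    """Summarise, in words, who may use a feature given its allowlist tokens."""
    if not allowlist or allowlist == ["'none'"]:
        return "nobody"
    if "*" in allowlist:
        return "any origin"
    if allowlist == ["'self'"]:
        return "same origin only"
    origins = ", ".join(t for t in allowlist if t != "'self'")
    return ("same origin + " if "'self'" in allowlist else "") + origins


def lint_feature_policy(value: str) -> list[str]:
    """Flag tokens that look like keywords but are missing their quotes."""
    problems = []
    for feature, allowlist in parse_feature_policy(value).items():
        for token in allowlist:
            if token.lower() in {"none", "self"}:
                problems.append(f"{feature}: {token} must be quoted as '{token}'")
    return problems


if __name__ == "__main__":
    # Constructed sample policy (not the post's exact header).
    sample = "geolocation 'none'; speaker 'self'; fullscreen 'self' https://cdn.example; payment *;"
    for feature, allowlist in parse_feature_policy(sample).items():
        print(f"{feature:12} -> {effective_origins(allowlist)}")
    for problem in lint_feature_policy("midi none; speaker self"):
        print("WARNING:", problem)
```

Run the linter over the exact string you put in add_header before reloading Nginx; a policy that parses cleanly but lists nothing for a feature is equivalent to 'none', so an empty allowlist is reported as "nobody" rather than as an error.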
Feature-Policy Results
I verified my feature-policy header with https://securityheaders.com/
Nice, Feature-Policy is now enabled.
Now I need to enable the following headers:
- Content-Security-Policy (read more here)
- Referrer-Policy (read more here)
Add a Referrer-Policy Header
I added this header configuration in Nginx to prevent referrers being leaked over insecure protocols.
Referrer-Policy Results
Again, I verified my referrer policy header with https://securityheaders.com/
Done, now I just need to setup Content Security Policy.
Add a Content Security Policy header
I read my old guide on Beyond SSL with Content Security Policy, Public Key Pinning etc. before setting up a Content Security Policy again (I had disabled it a while ago). Setting up a fully working CSP is very complex, and if you don’t want to review CSP errors and modify the CSP over time this may not be for you.
Read more about Content Security Policy here: https://content-security-policy.com/
I added my old CSP to Nginx
I then imported the CSP into https://report-uri.com/home/generate and enabled more recent CSP values.
I restarted Nginx
I loaded the Google Developer Console to see any CSP errors when loading my site.
I enabled reporting of CSP errors to https://fearby.report-uri.com/r/d/csp/enforce
FYI: see the OWASP Content Security Policy Cheat Sheet.
You can validate CSP with https://cspvalidator.org
Now I won’t have to keep checking my Chrome Developer Console: visitors to my site will report errors. I can see my site’s visitors’ CSP errors at https://report-uri.com/
Content Security Policy Results
I reviewed the reported errors and made some more CSP changes. I will continue to lock down my CSP and make more changes before making this CSP policy live.
I verified my header with https://securityheaders.com/
Testing Policies
TIP: Use the header name of “Content-Security-Policy-Report-Only” instead of “Content-Security-Policy” to report errors before making CSP changes live.
I did not want to go live too soon: I had issues with some WordPress plugins not working in the WordPress admin screens.
Reviewing Errors
Do check your reported errors and update your CSP often; I had a post with a load of Twitter-related errors.
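As an added example (my own code, not from the original post or from report-uri.com), here is a Python script that does the review step above offline: it takes a batch of CSP violation reports in the application/csp-report JSON shape that browsers POST to a report-uri endpoint, groups them by violated directive and blocked origin, and lists the most frequent sources per directive so you can decide what to allow before switching from Content-Security-Policy-Report-Only to Content-Security-Policy. The sample reports, hostnames and function names are constructed for this example.

```python
"""Aggregate CSP violation reports (added example, not the post's code).

Each report is one JSON document of the form {"csp-report": {...}} with the
fields document-uri, violated-directive, effective-directive, blocked-uri
and original-policy.  The summary groups by (directive, blocked origin),
which is the view you need when deciding what a Report-Only policy should
additionally allow before it is enforced.
"""
from __future__ import annotations

import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample reports (not real traffic): same shape as the JSON a
# browser POSTs to the report-uri endpoint, hostnames are placeholders.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://blog.example/post/1",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "https://widgets.social.example/embed.js",
        "original-policy": "default-src 'self'; script-src 'self'; report-uri /csp",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://blog.example/post/2",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "https://widgets.social.example/embed.js?v=2",
        "original-policy": "default-src 'self'; script-src 'self'; report-uri /csp",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://blog.example/post/2",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "inline",
        "original-policy": "default-src 'self'; script-src 'self'; report-uri /csp",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://blog.example/post/3",
        "violated-directive": "img-src 'self'",
        "effective-directive": "img-src",
        "blocked-uri": "data",
        "original-policy": "default-src 'self'; img-src 'self'; report-uri /csp",
    }}),
]


def parse_report(raw: str) -> dict:
    """Extract the csp-report object from one POSTed JSON body."""
    body = json.loads(raw)
    return body.get("csp-report", body)  # tolerate an already-unwrapped report


def blocked_origin(blocked_uri: str) -> str:
    """Reduce a blocked-uri to the origin you would allow-list, or keep the keyword."""
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "(empty)"  # 'inline', 'eval', 'data', ...


def directive_of(report: dict) -> str:
    """Prefer effective-directive; fall back to the first word of violated-directive."""
    return report.get("effective-directive") or report["violated-directive"].split()[0]


def summarize(raw_reports: list[str]) -> Counter:
    """Count violations per (directive, blocked origin) pair."""
    counts: Counter = Counter()
    for raw in raw_reports:
        report = parse_report(raw)
        counts[(directive_of(report), blocked_origin(report.get("blocked-uri", "")))] += 1
    return counts


def suggested_sources(counts: Counter) -> dict[str, list[str]]:
    """Group blocked origins by directive, most frequent first, as review input."""
    grouped: dict[str, list[tuple[int, str]]] = {}
    for (directive, origin), n in counts.items():
        grouped.setdefault(directive, []).append((n, origin))
    return {d: [o for _, o in sorted(pairs, key=lambda p: (-p[0], p[1]))]
            for d, pairs in grouped.items()}


if __name__ == "__main__":
    counts = summarize(SAMPLE_REPORTS)
    for (directive, origin), n in counts.most_common():
        print(f"{n:3}  {directive:12} {origin}")
    print(suggested_sources(counts))
```

The output is a review list, not a policy: an "inline" entry under script-src means a script block or handler is being blocked, and the fix is normally a nonce or hash (or moving the script to a file) rather than 'unsafe-inline'; a third-party origin that appears often is a candidate for the matching directive only if you actually want that embed.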
I hope this guide helps someone.
Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.
https://www.upcloud.com/register/?promo=D84793
Revision History
v1.2 OWASP Cheat Sheet.
v1.1 added info on WordPress errors.
v1.0 Initial Post