What is Content-Security-Policy and why is it important?
CSP is a security header that restricts which resources (scripts, styles, images) can be loaded on your site. It's the strongest defense against XSS attacks. Example: default-src 'self' means only load resources from your own domain.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Nginx Security Hardening Protecting Your Node.js App from Attacks
Add server_tokens off; to nginx.conf. This removes the version number from the Server response header and error pages, making it harder for attackers to identify known vulnerabilities in your specific Nginx version.
X-Frame-Options (SAMEORIGIN, prevents clickjacking), X-Content-Type-Options (nosniff, prevents MIME sniffing), X-XSS-Protection, Referrer-Policy, Content-Security-Policy (restricts resource loading), and Strict-Transport-Security (HSTS, forces HTTPS).
Set client_max_body_size to limit payload size, short timeouts (client_body_timeout 10, client_header_timeout 10) to prevent slowloris attacks, rate limiting (limit_req_zone with rate and burst), and connection limits (limit_conn_zone).
Still have questions?
Browse all our FAQs or reach out to our support team
