Facebook Pixel

Nginx Security Updates and Headers Hardening Your Node.js Server

Learn how to update Nginx with security headers, rate limiting, access control, and other security hardening measures for your Node.js application.

Nginx Security Updates and Headers

Security hardening is an ongoing process. This guide covers updating Nginx with security headers and protections.

1. Add Security Headers

server { listen 443 ssl; server_name api.yourdomain.com; # Security headers add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" always; add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always; }

2. Hide Nginx Version

# In http block server_tokens off;

3. Rate Limiting

# In http block limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s; limit_conn_zone $binary_remote_addr zone=conn:10m; server { location /api/ { limit_req zone=api burst=20 nodelay; limit_conn conn 10; proxy_pass http://localhost:3000; } }

4. Disable Unused HTTP Methods

server { if ($request_method !~ ^(GET|POST|PATCH|PUT|DELETE|HEAD|OPTIONS)$ ) { return 405; } }

5. Block Hidden Files and .env

location ~ /\. { deny all; access_log off; log_not_found off; } location ~ /\.env { deny all; }

6. Limit Body Size

# Prevent large payload attacks client_max_body_size 10M;

7. SSL Hardening

server { listen 443 ssl http2; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256; ssl_prefer_server_ciphers off; # OCSP stapling ssl_stapling on; ssl_stapling_verify on; # SSL session caching ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; }

8. Access Control for Admin

location /admin/ { allow your.office.ip.here; allow 10.0.0.0/8; deny all; proxy_pass http://localhost:3000; }

Applying Security Updates

# 1. Update config sudo nano /etc/nginx/sites-available/devtinder # 2. Test sudo nginx -t # 3. Reload sudo systemctl reload nginx # 4. Verify security headers # Visit https://securityheaders.com # Or: curl -I https://yourdomain.com

The Takeaway

Nginx security updates include: adding security headers (HSTS, X-Frame-Options, X-Content-Type-Options, CSP), hiding server tokens (server_tokens off), rate limiting (limit_req_zone, limit_conn_zone), blocking hidden files and .env, limiting body size (client_max_body_size), disabling unused HTTP methods, SSL hardening (TLSv1.2/1.3, OCSP stapling), and IP-based access control for admin routes. Verify with securityheaders.com.

Strict-Transport-Security (HSTS, forces HTTPS for 1 year), X-Frame-Options (SAMEORIGIN, prevents clickjacking), X-Content-Type-Options (nosniff), X-XSS-Protection, Referrer-Policy, Content-Security-Policy (CSP, restricts resource loading), and Permissions-Policy (disables unnecessary browser features).

Define limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s in the http block. Add limit_req zone=api burst=20 nodelay in the location block. This allows 10 requests per second per IP with a burst of 20. Also use limit_conn_zone for concurrent connection limits.

Add server_tokens off; to the http block in nginx.conf. This removes the version number from the Server response header and error pages, making it harder for attackers to identify known vulnerabilities in your specific version.

Add location ~ /\. { deny all; } to block all hidden files (starting with a dot). Add location ~ /\.env { deny all; } specifically for .env files. This prevents accidental exposure of secrets through Nginx.

Visit https://securityheaders.com and enter your domain. It grades your security headers from A+ to F. Alternatively, use curl -I https://yourdomain.com to see the response headers. Fix any missing headers and reload Nginx.

Ready to master Node.js completely?

Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.

Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.