diff --git a/admin_manual/configuration_server/harden_server.rst b/admin_manual/configuration_server/harden_server.rst index f8ee8ad61..4b25a2b7f 100644 --- a/admin_manual/configuration_server/harden_server.rst +++ b/admin_manual/configuration_server/harden_server.rst @@ -145,14 +145,17 @@ However, these headers are added by the applications code in PHP and thus not served on static resources and rely on the fact that there is no way to bypass the intended response code path. -For optimal security administrators are encouraged to serve these basic HTTP -headers by the web server to enforce them on response. To do this Apache has to -be configured to use the ``.htaccess`` file as well as the following Apache +For optimal security, administrators are encouraged to serve these basic HTTP +headers by the web server to enforce them on response. + +Apache has to be configured to use the ``.htaccess`` file as well as the following Apache modules needs to be enabled: - mod_headers - mod_env +For nginx, please see the nginx configuration example :ref:`nginx_configuration_example` + Administrators can verify whether this security change is active by accessing a static resource served by the web server and verify that above mentioned security headers are shipped. diff --git a/admin_manual/installation/nginx_configuration.rst b/admin_manual/installation/nginx_configuration.rst index c1c1c46ef..42c1fa979 100644 --- a/admin_manual/installation/nginx_configuration.rst +++ b/admin_manual/installation/nginx_configuration.rst @@ -1,3 +1,4 @@ +.. _nginx_configuration_example: Nginx Configuration =================== 
@@ -34,6 +35,13 @@ Nginx Configuration ssl_certificate /etc/ssl/nginx/cloud.example.com.crt; ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key; + # Add headers to serve security related headers + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + # Path to the root of your installation root /var/www/owncloud/; # set max upload size @@ -105,4 +113,4 @@ Nginx Configuration - Remove **ssl_certificate** and **ssl_certificate_key**. - Remove **fastcgi_params HTTPS on;** -.. note:: If you are using php-fpm please read :ref:`using_php-fpm` \ No newline at end of file +.. note:: If you are using php-fpm please read :ref:`using_php-fpm`
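Review bot: In the harden_server.rst hunk, the re-wrapped sentence keeps a subject-verb mismatch and now reads awkwardly: "Apache has to be configured to use the ``.htaccess`` file as well as the following Apache modules needs to be enabled". Suggest "Apache has to be configured to use the ``.htaccess`` file, and the following Apache modules need to be enabled:". The new nginx line also lacks a terminating period and, because a bare :ref: renders the target's section title, will come out as "please see the nginx configuration example Nginx Configuration"; use an explicit link title instead, e.g. "For nginx, please see :ref:`the nginx configuration example <nginx_configuration_example>`."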
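Review bot: In the first nginx_configuration.rst hunk, the added label ``.. _nginx_configuration_example:`` is followed directly by the "Nginx Configuration" title with no blank line in between; docutils ends an explicit markup block at a blank line, so this emits "Explicit markup ends without a blank line; unexpected unindent" on build. Insert an empty line between the label and the title so the target still attaches to the section and the :ref: in harden_server.rst resolves cleanly.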
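Review bot: In the add_header hunk, nginx's ``add_header`` directives are inherited from the ``server`` block only if the enclosing ``location`` defines none of its own; any location in this file that adds its own header (a ``Cache-Control`` for static assets, for instance) silently drops all five of these, which defeats the stated goal of enforcing them on static resources. Either repeat the block in every location that sets a header or keep them in one included snippet and document the pitfall in a comment. Also, ``add_header`` by default applies only to 2xx/3xx responses, so error pages will not carry them; on nginx 1.7.5 or later append ``always`` (e.g. ``add_header X-Frame-Options "SAMEORIGIN" always;``). The HSTS value carries a trailing ``;`` after ``preload`` that is harmless but inconsistent with the other values, and ``preload`` commits the domain to browser preload lists; consider mentioning that in the comment so administrators do not copy it unknowingly.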