Nginx Configuration for Security Scans

Environment

Cb Response 5.2.x and 6.x

Symptoms

A Qualys (or other) security scan of the Cb Response web UI fails.

Cause

The default Nginx configuration is lean: it sets only a minimal set of HTTP security headers, so the scanner reports the missing or incomplete ones.

Resolution

In /etc/cb/nginx/conf.d/includes/cb.server.body:

Original:

# Enable Strict Transport Security (HSTS)

add_header Strict-Transport-Security max-age=31536000;

add_header X-Frame-Options DENY;

add_header X-Content-Type-Options nosniff;

Updated for security scan:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

add_header X-Frame-Options SAMEORIGIN;

add_header X-Content-Type-Options nosniff;

add_header X-XSS-Protection "1; mode=block";

add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'";

# Replace the placeholder with the base64 SHA-256 hash of the public key of the certificate being used
add_header Public-Key-Pins 'pin-sha256="generatebase64fromcertbeingused"; max-age=10';

Notes

Depending on the scanning tool and its results, you may need to adjust the Content-Security-Policy with additional directives such as img-src and font-src.

You may also need to update your ciphers.

From:

ssl_ciphers FIPS@STRENGTH:!aNULL:!eNULL;

To:

ssl_ciphers FIPS@STRENGTH:!aNULL:!eNULL:!3DES:!DES;
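As an added example (not part of the original article or of the Cb Response product), the following Python script checks a raw response header block, such as the output of `curl -skI https://<cb-server>/`, against the headers the updated configuration should emit; the sample header blocks are constructed for illustration, and the header names and checks assume the values shown in this article.

```python
import base64
import re

# Expected values for the headers the updated cb.server.body adds.
REQUIRED = {
    "strict-transport-security": lambda v: "includesubdomains" in v.lower(),
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-xss-protection": lambda v: v.startswith("1"),
    "content-security-policy": lambda v: "default-src" in v,
}

def parse_headers(raw):
    # Map lowercased header names to values; the first line is the status line.
    pairs = (line.partition(":") for line in raw.splitlines()[1:])
    return {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}

def check_security_headers(raw):
    """Return findings for a raw response header block; [] means every check passed."""
    headers = parse_headers(raw)
    findings = []
    for name, ok in REQUIRED.items():
        if name not in headers:
            findings.append(f"missing: {name}")
        elif not ok(headers[name]):
            findings.append(f"weak: {name}={headers[name]}")
    # HPKP: the placeholder must become a base64 SHA-256 SPKI hash (32 bytes),
    # and browsers ignore the header unless at least two pins are present (RFC 7469).
    pins = re.findall(r'pin-sha256="([^"]*)"', headers.get("public-key-pins", ""))
    for pin in pins:
        try:
            valid = len(base64.b64decode(pin, validate=True)) == 32
        except ValueError:  # binascii.Error is a ValueError subclass
            valid = False
        if not valid:
            findings.append(f"invalid pin-sha256 value: {pin}")
    if 0 < len(pins) < 2:
        findings.append("public-key-pins: fewer than two pins (browsers ignore the header)")
    return findings

# Constructed sample header blocks matching the article's Original and Updated configs.
ORIGINAL_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff"""
UPDATED_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
Public-Key-Pins: pin-sha256="generatebase64fromcertbeingused"; max-age=10"""
```

Running `check_security_headers` on the Original block reports the weak HSTS value and the two missing headers; on the Updated block it flags only the unreplaced pin placeholder and the single-pin HPKP header.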

Article Information
Creation Date: 11-01-2017