CSP Header Reverse Proxy Whitepaper

When delivering an HTML document, the server must send a dedicated HTTP response header (Content-Security-Policy) so that the browser can apply the content security policy. In this whitepaper we check that header as delivered by an nginx reverse proxy.

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.

These attacks are used for everything from data theft, to site defacement, to malware distribution. This CSP header configuration is highly secure, but it is recommended to test it first to ensure that it does not block third party scripts. Scan Security Headers is an excellent tool to analyze your CSP and HSTS response headers configuration.

There are several versions: CSP (deprecated), CSP2 (current), CSP3 (under development). As of: 2022

Check delivered CSP Headers values

In this whitepaper we check the CSP header values delivered by the reverse proxy in the Chrome browser: press Ctrl+Shift+I, open the Network tab, select a request and view Response Headers under the Headers pane.


Note: once the Chrome developer tools are open, reload the page first, then select any entry in the Name column so that its response headers appear in the right-hand pane.

Check Content Security Policy (CSP) Headers

Content Security Policy (CSP) comes with a whole range of parameters that can be used to fine-tune browser behavior.

You can use the online tool securityheaders.io to check the security headers of a website or your own web server. The rating is modeled on SSLLabs – a service for examining the TLS settings of web servers. Alternatively try serpworx.com to analyze CSP header and HSTS response header of your website or your reverse proxy.

X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured.

HTTP Strict-Transport-Security configuration

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempt to access it using HTTP should automatically be converted to HTTPS.

add_header Content-Security-Policy "default-src https: 'self'; script-src https: 'self'; style-src https: 'self'; img-src *; frame-src 'self'; connect-src https: 'self';";
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'; frame-ancestors 'self';";
add_header Strict-Transport-Security "max-age=15552001; includeSubdomains; preload";

Check CSP Header and HSTS response Header

If you can configure your own web server or reverse proxy, the following settings are available.

add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security "max-age=31536000";
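The online scanners mentioned above evaluate the headers from outside. The following script is an added example for this whitepaper (not code from the page, from nginx or from Apache) that performs the same kind of check locally: it parses every Content-Security-Policy header a server returns, models how a browser combines several policies (a load must be allowed by each policy that governs the directive, with fetch directives falling back to default-src), and checks the HSTS and X-Content-Type-Options headers. The header dictionaries are constructed to mirror the nginx server block in this whitepaper, and "https://evil.example" is a made-up third-party origin used as the test load. It goes a little beyond the text in that it also reports a preload directive whose max-age is below the one-year minimum required by the HSTS preload list.

```python
"""Audit CSP / HSTS / X-Content-Type-Options headers returned by a reverse proxy.

Added example; not part of the whitepaper's own configuration or of any project.
SAMPLE_HEADERS / HARDENED_HEADERS are constructed inputs; https://evil.example is a
made-up third-party origin.
"""
from __future__ import annotations

import sys
import urllib.request
from typing import Dict, List, Optional
from urllib.parse import urlsplit

Headers = Dict[str, List[str]]   # lower-cased header name -> every value sent for it
Policy = Dict[str, List[str]]    # directive name -> source expressions

# Fetch directives fall back to default-src when absent; frame-ancestors and base-uri never do.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src", "frame-src",
                    "font-src", "media-src", "object-src", "child-src"}
PRELOAD_MIN_MAX_AGE = 31_536_000  # one year, the minimum accepted by the HSTS preload list


def parse_csp(value: str) -> Policy:
    """Split one policy into directives; a browser keeps only the first occurrence of a name."""
    policy: Policy = {}
    for token in value.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def governing_sources(policy: Policy, directive: str) -> Optional[List[str]]:
    """Source list constraining `directive` in this policy, or None if it is unconstrained."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return None


def source_allowed(sources: List[str], origin: str, self_origin: str) -> bool:
    """Minimal matcher for 'none', 'self', '*', a scheme source such as https:, or an exact origin.
    Paths, wildcard hosts, nonces and hashes are not modelled."""
    if not sources or sources == ["'none'"]:
        return False
    for src in sources:
        if src == "'self'" and origin == self_origin:
            return True
        if src == "*" and origin.split(":", 1)[0] in ("http", "https"):
            return True
        if src.endswith(":") and origin.startswith(src):   # scheme source, e.g. https:
            return True
        if src == origin:
            return True
    return False


def allowed(policies: List[Policy], directive: str, origin: str, self_origin: str) -> bool:
    """Every received policy is enforced: the load must satisfy each policy governing the
    directive. Two add_header lines therefore combine as an intersection, not a union."""
    for policy in policies:
        sources = governing_sources(policy, directive)
        if sources is not None and not source_allowed(sources, origin, self_origin):
            return False
    return True


def parse_hsts(value: str) -> dict:
    """Directive names are case-insensitive (RFC 6797), so includeSubdomains is accepted."""
    out = {"max-age": None, "includeSubDomains": False, "preload": False}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            out["max-age"] = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            out["includeSubDomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def audit(headers: Headers, self_origin: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    third_party = "https://evil.example"   # constructed origin standing in for any other https host
    policies = [parse_csp(p) for raw in headers.get("content-security-policy", [])
                for p in raw.split(",")]   # a comma-joined header also carries several policies
    if not policies:
        findings.append("csp: no Content-Security-Policy header")
    else:
        checks = [("script-src", "scripts from any https host are allowed (https: scheme source)"),
                  ("object-src", "plugin content is not blocked (object-src 'none' missing)"),
                  ("frame-ancestors", "page may be framed by other sites (clickjacking)")]
        for directive, why in checks:
            if allowed(policies, directive, third_party, self_origin):
                findings.append(f"{directive}: {why}")
    hsts_values = headers.get("strict-transport-security", [])
    if not hsts_values:
        findings.append("hsts: no Strict-Transport-Security header")
    else:
        hsts = parse_hsts(hsts_values[0])
        if hsts["preload"] and (hsts["max-age"] or 0) < PRELOAD_MIN_MAX_AGE:
            findings.append(f"hsts: preload requested but max-age={hsts['max-age']} is below one year")
    xcto = headers.get("x-content-type-options", [])
    if not xcto or xcto[0].strip().lower() != "nosniff":
        findings.append("x-content-type-options: nosniff missing")
    return findings


def fetch_headers(url: str) -> Headers:
    """Collect the response headers of `url`, keeping every value of a repeated name."""
    headers: Headers = {}
    with urllib.request.urlopen(url) as resp:
        for name, value in resp.getheaders():
            headers.setdefault(name.lower(), []).append(value)
    return headers


# Constructed to mirror the nginx server block in this whitepaper (two CSP headers).
SAMPLE_HEADERS: Headers = {
    "content-security-policy": [
        "default-src https: 'self'; script-src https: 'self'; style-src https: 'self'; "
        "img-src *; frame-src 'self'; connect-src https: 'self';",
        "object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'; frame-ancestors 'self';",
    ],
    "strict-transport-security": ["max-age=15552001; includeSubdomains; preload"],
    "x-content-type-options": ["nosniff"],
}
# Same configuration with script-src limited to 'self' and a one-year HSTS max-age.
HARDENED_HEADERS: Headers = {
    "content-security-policy": [
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'self';"],
    "strict-transport-security": ["max-age=31536000; includeSubDomains; preload"],
    "x-content-type-options": ["nosniff"],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:                 # audit a live site: python audit_headers.py https://host
        parts = urlsplit(sys.argv[1])
        result = audit(fetch_headers(sys.argv[1]), f"{parts.scheme}://{parts.netloc}")
    else:                                 # no argument: audit the constructed sample
        result = audit(SAMPLE_HEADERS, "https://example.domain.com")
    for line in result or ["all checks passed"]:
        print(line)
```

Run against the constructed sample, the audit reports two points a reviewer would raise about the configuration above: the `https:` scheme source in script-src permits scripts from any HTTPS host (only nonces, hashes or an explicit host list narrow that), and preload combined with a 180-day max-age will not be accepted by the preload list. The second CSP header is still effective, because object-src 'none' and frame-ancestors 'self' are enforced by the browser in addition to the first policy.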

CSP Header Reverse Proxy configuration

The configuration file using nginx as a reverse proxy can look like this.

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name example.domain.com;
  ssl_certificate /etc/nginx/ssl/ca.crt;
  ssl_certificate_key /etc/nginx/ssl/cert.key;

  # Only return Nginx in server header
  server_tokens off;

  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  ssl_protocols TLSv1.2 TLSv1.3;
  # Compilation of the top cipher suites 2024
  # https://ssl-config.mozilla.org/#server=nginx
  ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256;

  # Use the server's cipher order; every suite listed above is ECDHE/DHE, so forward secrecy is kept
  ssl_prefer_server_ciphers on;

  ssl_session_tickets off;
  # Enable SSL session caching for improved performance
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:10m;
  # By default, the buffer size is 16k, which corresponds to minimal overhead when sending big responses.
  # To minimize Time To First Byte it may be beneficial to use smaller values
  ssl_buffer_size 8k;

  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;

  # Security headers
  add_header X-Content-Type-Options nosniff;
  ## Content-Security-Policy (CSP): Yes
  ## No 'script-src' directive, you need to test it yourself
  add_header Content-Security-Policy "object-src 'none'; base-uri 'none'; require-trusted-types-for 'script'; frame-ancestors 'self';";
  ## The safest CSP, only block your website to be inside an inframe
  # add_header Content-Security-Policy "frame-ancestors 'self';";
  ## Strict Transport Security (HSTS): Yes
  add_header Strict-Transport-Security "max-age=15552001; includeSubdomains; preload";

  location / {
    proxy_pass http://203.0.113.10:80/;
    include proxy_params;
  }
}

You can implement CSP in Apache by adding the following entry in /etc/apache2/sites-available/example.domain.conf or into your .htaccess file:

<IfModule mod_headers.c>
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Frame-Options "sameorigin"
        Header set X-Content-Type-Options "nosniff"
        Header set X-Permitted-Cross-Domain-Policies "none"
        Header set Content-Security-Policy "upgrade-insecure-requests;"
        Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        Header set Feature-Policy "camera 'none'; fullscreen 'self'; geolocation *; microphone 'self' https://example.domain.com/*"
        Header always set Permissions-Policy "accelerometer=(),autoplay=(),camera=(),cross-origin-isolated=(),display-capture=(self),encrypted-media=(),fullscreen=*,geolocation=(self),gyroscope=(),keyboard-map=(),magnetometer=(),microphone=(),midi=(),payment=*,picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(),usb=(),xr-spatial-tracking=(),gamepad=(),serial=()"
</IfModule>

Check whether the Apache headers module is enabled; if it is not, run these commands.

$ a2enmod headers
$ apache2ctl -M | grep headers
headers_module (shared)

Conclusion

As shown in this whitepaper, a CSP header is required so that the browser can apply the content security policy. We checked the delivered configuration and then analyzed the CSP and HSTS response headers of the website or reverse proxy.

By following this whitepaper, minimizing the amount of data revealed to attackers, using secure encryption algorithms, and implementing CSP headers and strong cipher suites, you can significantly enhance the security of your server.

NGINX Reverse Proxy on Debian

NGINX used as a reverse proxy on Debian Linux

The NGINX web server software is developed in C by Igor Sysoev and is released under the BSD license. NGINX is used as a web server, reverse proxy, load balancer and HTTP cache.

Due to its small size and reverse proxy functionality, NGINX is also popular for obscuring the true address of botnet command and control servers.

The same property can be used in companies and organizations to hide less hardened Microsoft Windows servers behind the proxy and so reduce the exposure of their possible weak points.

Install Nginx on Debian Linux

$ apt install nginx certbot python3-certbot-nginx -y

First, we can disable the default virtual host that is pre-configured when Nginx is installed.

$ unlink /etc/nginx/sites-enabled/default

We can edit nginx.conf file in order to configure the NGINX server to act as a reverse proxy here on Debian 12 (bookworm).

We can set worker_processes according to the number of CPU cores allocated to the worker processes, and worker_connections to the number of connections one worker handles concurrently.

Create the Nginx Reverse Proxy

After disabling the virtual host, we need to create a file called example.domain.com within the /etc/nginx/sites-available directory to keep reverse proxy information.

This is done as follows by creating a file using the vi editor:

$ vi /etc/nginx/sites-available/example.domain.com

Let’s say example.domain.com is a service behind the NGINX proxy with endpoint port 80.

In the file, we need to paste in these content:

server {
    listen 80;
    listen [::]:80;
    # TLS listeners: enable only once a certificate is configured (certbot --nginx adds them
    # together with the ssl_certificate directives); without a certificate nginx -t fails.
    # listen 443 ssl;
    # listen [::]:443 ssl;
    server_name example.domain.com;
    server_tokens off;
    access_log /var/log/nginx/reverse_access.log;
    error_log /var/log/nginx/reverse_error.log;

    location / {
        # Forward every request to the backend. Do not add try_files here: it would look for
        # local files and answer 404 before proxy_pass is ever reached.
        proxy_pass http://203.0.113.10:80/;
        include proxy_params;
        proxy_redirect off;
        # Only needed when the backend is reached over https://, not for the plain http:// backend above
        # proxy_ssl_trusted_certificate /etc/nginx/ssl/ca.crt;
    }
}

Once completed, save the file and exit the vi editor by typing :wq

The important point in the above configuration is proxy_pass, which forwards requests arriving at the Nginx reverse proxy to 203.0.113.10:80, the backend server.

Now, activate the directives by linking to /sites-enabled/ using the following command:

$ ln -s /etc/nginx/sites-available/example.domain.com /etc/nginx/sites-enabled/

Test Nginx Reverse Proxy configuration

Lastly, we run an Nginx configuration test and restart Nginx so that the new configuration takes effect. Type the command below on the Linux terminal to verify the configuration:

$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If the above result is displayed, we can now restart Nginx:

$ systemctl restart nginx

To check whether the Nginx service is listening on port 80, the following command can be executed:

$ netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address     State     PID/Program name
tcp      0    0 0.0.0.0:80          0.0.0.0:*           LISTEN    3706/nginx: master
tcp      0    0 0.0.0.0:22          0.0.0.0:*           LISTEN    681/sshd: /usr/sbin
tcp6     0    0 :::22               :::*                LISTEN    681/sshd: /usr/sbin
tcp6     0    0 :::80               :::*                LISTEN    3706/nginx: master


Conclusion

NGINX is a powerful web server software used by several hosting companies mainly as reverse proxy or cache and load balancer. It was designed to handle a high volume of requests simultaneously. Therefore, it offers faster loading times and better performance than most other web servers.

Additionally, NGINX uses fewer system resources than other web server software. This feature makes it a cost-effective solution. It is also compatible with a wide range of web applications.

The NGINX server protects backend servers in the private network by hiding their identity: the backend servers remain unknown to the clients making requests. It also provides a single point of access to multiple backend servers regardless of the backend network topology.
