Securing the nginx configuration file

Dear colleagues,

I would like to share here some configuration options that can be applied to the nginx web server configuration (./config/nginx.conf) to help improve the security of your ERPNext server. This applies for self-hosted ERPNext servers.

For each server { ... } block, these options can be added

# don't send the nginx version number in error pages and server header
server_tokens off;
# config to enable HSTS (HTTP Strict Transport Security)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";
# protect against cross-site attacks
add_header X-Frame-Options "SAMEORIGIN";
# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
add_header X-XSS-Protection "1; mode=block";
# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
add_header X-Content-Type-Options nosniff;
# with Content Security Policy (CSP) enabled (and a browser that supports it),
# you can tell the browser that it can only download content from the domains you explicitly allow
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; object-src 'none'";

After saving changes, make sure to run

$ sudo service nginx reload

In some cases, the CSP might be rather strict (observe possible errors in your browser console).

Thanks to login_denied for his support in this matter. Any feedback is appreciated!


is there any plan to include this in bench setup nginx or bench setup production commands?

Anyone who wants it, is free to open a PR