Add Extra Security to Nginx to Stop Clickjacking and Add XSS Protection

Clickjacking is easy to carry out, and there is plenty of XSS example code on the web, so anyone with a little understanding of the web can try these attacks against your site. A few Nginx response headers stop the basic cases; for more sophisticated attacks you need a web application firewall for Nginx such as Naxsi.

First, add a catch-all server inside the http {} block of /etc/nginx/nginx.conf. It returns Nginx's special status 444, which closes the connection without sending any response, so requests that do not carry the Host name of one of your sites (scans by IP address, bogus Host headers) get nothing back. The iframe protection itself comes from the headers added in the next step.

http {
    ...
    server {
            listen       80 default_server;  # explicit: server_name alone does not make this the default server
            server_name  _;                  # catch-all name that matches nothing real
            return       444;                # close the connection without a response
    }
}

Let's say your site is a.com and its config lives in the sites-enabled folder. Add the following at the top of /etc/nginx/sites-enabled/a.com:

server {
    server_name     a.com;
    # These headers are inherited by location blocks only if the location
    # has no add_header of its own; a location that adds any header must
    # repeat all three. On nginx 1.7.5+ append "always" so they are also
    # sent on error responses (by default only 2xx/3xx responses get them).
    add_header X-Frame-Options SAMEORIGIN;            # refuse framing by other origins
    add_header X-Content-Type-Options nosniff;         # no MIME sniffing of served files
    add_header X-XSS-Protection "1; mode=block";       # legacy browser reflected-XSS filter
    root            /var/www/a/;

    # Belt and braces: drop requests whose Host is not exactly a.com
    # (the dot is escaped so the regex does not match e.g. a-com).
    if ($host !~* ^a\.com$ ) {
        return 444;
    }
    ...
}

With these headers a browser refuses to render the site inside a cross-origin iframe, will not sniff served files into a different content type, and, in browsers that still have a reflected-XSS filter, blocks pages where that filter triggers. Check a location block that sets its own add_header, because it silently drops the inherited ones. As a fallback for old browsers that ignore X-Frame-Options you can add the following JavaScript, which blacks out the page when it is loaded in an iframe; note that a framing page can defeat such scripts (for example with an iframe sandbox attribute), so the header remains the real control:

<script type="text/javascript">
    // Frame-busting fallback: if this window is not the top-level window,
    // the page is being framed. Cover it with a translucent black overlay
    // that navigates the top window to this page when clicked.
    if (top != self) {
        window.document.write("<div style='background:black;opacity:0.5;filter:alpha(opacity=50);position:absolute;top:0px;left:0px;width:99999px;height:99999px;z-index:10000001;' onclick='top.location.href=window.location.href'></div>");
    }
</script>
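Once the configuration is live you want to confirm that the headers actually reach the browser on every path, not just the root. The following Node.js script is an added example, not code from the original post: it parses raw response headers such as the output of `curl -I`, checks the anti-clickjacking and anti-sniffing controls described above, and also recognises the newer Content-Security-Policy frame-ancestors directive, which the post does not cover. The function names and the two sample responses are constructed for this illustration.

```javascript
// Added example (not from the original post): audit response headers for the
// anti-clickjacking and anti-sniffing controls set with add_header in the
// server block above. Function names and sample responses are constructed.

// Parse raw HTTP/1.x response headers (status line then header lines, e.g. the
// output of `curl -I`) into lowercase name -> [values]; repeats are kept.
function parseRawHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) {   // slice(1) skips the status line
    const idx = line.indexOf(":");
    if (idx <= 0) continue;                            // blank or malformed line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return headers;
}

// Return the source list of a CSP frame-ancestors directive, or null when no
// policy carries one. frame-ancestors supersedes X-Frame-Options where supported.
function frameAncestors(cspValues) {
  for (const policy of cspValues || []) {
    for (const directive of policy.split(";")) {
      const tokens = directive.trim().split(/\s+/);
      if (tokens[0].toLowerCase() === "frame-ancestors") {
        return tokens.slice(1).map((t) => t.toLowerCase());
      }
    }
  }
  return null;
}

// Audit one parsed response. framing and sniffing are "ok", "weak" or
// "missing"; findings lists the reasons for anything that is not "ok".
function auditHeaders(headers) {
  const findings = [];
  let framing = "missing";
  let sniffing = "missing";
  const ancestors = frameAncestors(headers["content-security-policy"]);
  const xfo = (headers["x-frame-options"] || []).map((v) => v.trim().toUpperCase());
  if (ancestors) {
    if (ancestors.includes("*") || ancestors.some((s) => s.startsWith("http:"))) {
      framing = "weak";
      findings.push("frame-ancestors allows any origin or plain-http origins");
    } else {
      framing = "ok";
    }
  } else if (xfo.length === 0) {
    findings.push("no X-Frame-Options and no CSP frame-ancestors: page can be framed");
  } else if (xfo.every((v) => v === "DENY" || v === "SAMEORIGIN")) {
    framing = "ok";
  } else {
    // ALLOW-FROM and unrecognised values are ignored by current browsers,
    // which then allow framing as if the header were absent.
    framing = "weak";
    findings.push("X-Frame-Options " + JSON.stringify(xfo) + " is ignored by current browsers");
  }
  // Only the exact token "nosniff" (case-insensitive) disables MIME sniffing.
  const xcto = (headers["x-content-type-options"] || []).map((v) => v.trim().toLowerCase());
  if (xcto.includes("nosniff")) sniffing = "ok";
  else findings.push("X-Content-Type-Options: nosniff is missing");
  // X-XSS-Protection only affects legacy browsers with a reflected-XSS filter;
  // report its absence as informational, not as a missing control.
  if (!headers["x-xss-protection"]) {
    findings.push("X-XSS-Protection not set (legacy browsers only)");
  }
  return { framing, sniffing, findings };
}

function auditRaw(raw) {
  return auditHeaders(parseRawHeaders(raw));
}

// Constructed sample: what the hardened server block above sends for a 200.
const HARDENED = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html",
  "X-Frame-Options: SAMEORIGIN",
  "X-Content-Type-Options: nosniff",
  "X-XSS-Protection: 1; mode=block",
  "",
].join("\r\n");

// Constructed sample: a location block that set its own add_header (here for
// caching) and therefore stopped inheriting the three security headers.
const OVERRIDDEN = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html",
  "Cache-Control: max-age=300",
  "",
].join("\r\n");

console.log("hardened:  ", JSON.stringify(auditRaw(HARDENED)));
console.log("overridden:", JSON.stringify(auditRaw(OVERRIDDEN)));
```

Run it against real output by pasting `curl -sI https://a.com/some/path` into a string and calling auditRaw on it; a response shaped like OVERRIDDEN is exactly what a location block with its own add_header produces, which is why the audit reports both controls missing for it.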

15. January 2015 by Zakir Hyder
Categories: Linux, nginx
