fix(nginx): add security headers to static assets location block #196
Open
andrerfneves wants to merge 1 commit into
In nginx, add_header directives are NOT inherited from the server level to a location block that defines its own add_header. The static assets location block set add_header Cache-Control, which prevented server-level security headers (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy) from being applied to cached static assets. This fix duplicates the security headers inside the static assets location block so that all responses receive consistent headers regardless of which location block processes them.
Summary

In nginx, `add_header` directives at the server level are NOT inherited by a location block that defines its own `add_header`. The static assets location block set `add_header Cache-Control "public, immutable"`, which prevented server-level security headers from being applied to cached static assets.

Why

Without this fix, cached static assets (JS, CSS, fonts, images) served via the static assets location block would not receive:

- `X-Frame-Options`
- `X-Content-Type-Options`
- `X-XSS-Protection`
- `Referrer-Policy`

While these assets are served same-origin, consistent security headers across all responses follow security best practices and are important when assets are served through CDNs or reverse proxies.

Changes

- `nginx.conf`: Added the four security headers to the static assets location block so they are applied regardless of which location processes the request

Test Plan

location /)
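As an added example (not code from this PR or the project), a small Python check for the inheritance rule described above: it parses a simplified nginx server block and, for every location that declares its own `add_header` (and therefore inherits none), lists the server-level header names it fails to re-declare. The configuration is constructed for the example and the `/api/` location, header values and file-extension pattern are assumptions.

```python
import re

# Constructed sample config (not the project's nginx.conf): four security headers at
# server level, a static-assets location that only sets Cache-Control (the defect the
# PR describes), and an /api/ location that re-declares them (the fix applied).
SAMPLE_CONF = r"""
server {
    listen 80;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    location ~* \.(js|css|woff2?|png|svg)$ {
        add_header Cache-Control "public, immutable";
    }
    location /api/ {
        add_header Cache-Control "no-store";
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }
}
"""

ADD_HEADER = re.compile(r"^\s*add_header\s+(\S+)")   # first token is the header name
LOCATION = re.compile(r"^\s*location\s+(.+?)\s*\{\s*$")  # captures the location matcher


def missing_headers(conf: str) -> dict:
    """Map each location that declares its own add_header (so inherits none from the
    server level) to the server-level header names it does not re-declare.
    Simplification: one server block, no blocks nested inside a location."""
    server_headers, per_location, current = [], {}, None
    for line in conf.splitlines():
        m = LOCATION.match(line)
        if m:
            current = m.group(1)
            per_location[current] = []
            continue
        m = ADD_HEADER.match(line)
        if m:
            target = per_location[current] if current else server_headers
            target.append(m.group(1).lower())  # compare names case-insensitively
        elif line.strip() == "}" and current:
            current = None  # closing brace of the current location block
    return {loc: [h for h in server_headers if h not in own]
            for loc, own in per_location.items() if own}


if __name__ == "__main__":
    print(missing_headers(SAMPLE_CONF))
```

Any location reported with a non-empty list is one whose responses silently lose the server-level headers, which is exactly what a `curl -I` against a cached asset would have shown before this fix.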