Nginx Security Headers on Arch Linux

Security headers instruct browsers to apply additional protections such as XSS filtering, clickjacking prevention, and content-type sniffing control.

Step 1 – Create a shared snippet

Create /etc/nginx/snippets/security-headers.conf:

# Prevent clickjacking
add_header X-Frame-Options "SAMEORIGIN" always;

# Stop MIME-type sniffing
add_header X-Content-Type-Options "nosniff" always;

# XSS protection (legacy browsers)
add_header X-XSS-Protection "1; mode=block" always;

# HSTS (only after confirming HTTPS works on this host and, because of includeSubDomains, on every subdomain)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# Referrer policy
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Permissions policy
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

# Content-Security-Policy (adjust to your app; 'unsafe-inline' permits inline scripts and styles, so drop it once the app no longer needs them)
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;

Step 2 – Include in server blocks

server {
    listen 443 ssl;
    # nginx 1.25.1+ enables HTTP/2 with its own directive; "listen ... http2" is deprecated
    http2 on;
    server_name example.com;
    include snippets/security-headers.conf;
    ...
}

Step 3 – Test and reload

nginx -t && systemctl reload nginx

Step 4 – Verify with curl

# -i: HTTP/2 responses return header names in lowercase
curl -sI https://example.com | grep -iE 'X-Frame|X-Content|Strict'

Or use securityheaders.com online.
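
The grep in Step 4 covers only three of the seven headers from the snippet. The shell function below is an added example, not part of the original page: it reads `curl -sI` output on stdin and lists every header from Step 1 that is missing. The names missing_security_headers and sample_response, and the sample response itself, are constructed for illustration.

```shell
#!/bin/sh
# Header names set by security-headers.conf in Step 1.
EXPECTED_HEADERS="X-Frame-Options
X-Content-Type-Options
X-XSS-Protection
Strict-Transport-Security
Referrer-Policy
Permissions-Policy
Content-Security-Policy"

# Reads raw response headers on stdin (for example the output of curl -sI).
# Prints each expected header that is absent; returns 1 if any is missing.
missing_security_headers() {
    # Drop CR line endings, keep only the header names, and lowercase them:
    # HTTP/1.1 servers usually send mixed case, HTTP/2 always sends lowercase.
    present=$(tr -d '\r' | sed -n 's/^\([A-Za-z0-9-]*\):.*/\1/p' | tr 'A-Z' 'a-z')
    rc=0
    for name in $EXPECTED_HEADERS; do
        lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$present" | grep -qxF -- "$lower"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: an HTTP/2 response that carries only four of the headers.
sample_response() {
    printf '%s\r\n' \
        'HTTP/2 200' \
        'server: nginx' \
        'content-type: text/html' \
        'x-frame-options: SAMEORIGIN' \
        'x-content-type-options: nosniff' \
        'strict-transport-security: max-age=63072000; includeSubDomains; preload' \
        'referrer-policy: strict-origin-when-cross-origin'
}

# Demo on the constructed sample; prints the three missing header names.
sample_response | missing_security_headers || true
# Real use: curl -sI https://example.com | missing_security_headers
```

Run it against a URL under each location that sets its own add_header. nginx inherits add_header from the server level only when the current level defines none, so those locations need the include repeated.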