Nginx Headers Explained: The Most Important Ones
HTTP headers are metadata exchanged between a client and a server.
In Nginx, response headers are added with the add_header directive:
add_header <name> <value> [always];
By default add_header only applies to responses with status 200, 201, 204, 206, 301, 302, 303, 304, 307 or 308; the optional always parameter adds the header to every response, including 4xx/5xx error pages. Note also that add_header directives are not merged across levels: if a location block declares any add_header, the server-level headers are no longer inherited there and must be repeated (or pulled in with include).
Key Nginx Headers
1. Content-Security-Policy (CSP)
Restricts the sources from which resources (JS, CSS, images, frames) may be loaded. Example (note that default-src 'self' also blocks inline scripts and styles):
add_header Content-Security-Policy "default-src 'self';";
2. X-Frame-Options
Mitigates clickjacking by controlling whether the page may be embedded in a frame; SAMEORIGIN allows framing only by pages from the same origin, DENY blocks it entirely.
add_header X-Frame-Options "SAMEORIGIN";
3. X-Content-Type-Options
Stops MIME type sniffing: the browser must honour the declared Content-Type instead of guessing from the body.
add_header X-Content-Type-Options "nosniff";
4. Strict-Transport-Security (HSTS)
Tells browsers to use only HTTPS for this host for max-age seconds (31536000 = one year); send it only over HTTPS, and includeSubDomains extends it to every subdomain.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
5. Referrer-Policy
Controls which referrer information is sent to other sites.
add_header Referrer-Policy "no-referrer-when-downgrade";
6. Cache-Control
Defines caching rules for browsers and proxies.
add_header Cache-Control "public, max-age=3600";
7. Access-Control-Allow-Origin (CORS)
Enables cross-origin requests. The wildcard below lets any origin read the response and cannot be combined with credentialed requests; prefer an explicit origin where possible.
add_header Access-Control-Allow-Origin "*";
Use Cases
- Security → CSP, X-Frame-Options, X-Content-Type-Options, HSTS.
- Performance → Cache-Control.
- Integrations → CORS headers.
Conclusion
Nginx headers are a powerful way to secure and optimize web apps. At minimum, you should set:
- X-Frame-Options
- X-Content-Type-Options
- Strict-Transport-Security
- Content-Security-Policy
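The following server block is an added example (not part of the original article) that puts together the headers from the Key Nginx Headers section and the minimum set from the conclusion. It shows the two points that most often go wrong in practice: the always parameter, and the fact that a location block with its own add_header drops the server-level headers, which the example solves with a shared snippet file. The hostname, certificate paths, snippet path and the allowed CORS origin are placeholders.

```nginx
# /etc/nginx/snippets/security-headers.conf  (placeholder path)
# Kept in one file so every block that declares its own add_header
# can re-include the full set instead of silently losing it.
add_header Content-Security-Policy "default-src 'self';" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# HSTS is only meaningful over HTTPS; this snippet is included in a TLS server block.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;

# /etc/nginx/conf.d/example.conf  (placeholder path)
server {
    listen 443 ssl;
    server_name example.com;                                   # placeholder
    ssl_certificate     /etc/nginx/tls/example.com.crt;        # placeholder
    ssl_certificate_key /etc/nginx/tls/example.com.key;        # placeholder

    # "always" makes the headers appear on error pages too, not only on 2xx/3xx.
    include /etc/nginx/snippets/security-headers.conf;

    location /static/ {
        # Declaring add_header here stops inheritance from the server level,
        # so the security headers are included again alongside Cache-Control.
        include /etc/nginx/snippets/security-headers.conf;
        add_header Cache-Control "public, max-age=3600" always;
    }

    location /api/ {
        # Same inheritance caveat applies here.
        include /etc/nginx/snippets/security-headers.conf;
        # An explicit origin instead of "*" limits which site may read responses
        # (and, unlike "*", can be combined with credentials if needed).
        add_header Access-Control-Allow-Origin "https://app.example.com" always;  # placeholder
        # Tell caches the response depends on the requesting origin.
        add_header Vary "Origin" always;
        proxy_pass http://127.0.0.1:8080;                      # placeholder upstream
    }
}
```

After reloading, compare the headers of a normal page, a /static/ asset and a 404 under the same host (for example with curl -sI); with the snippet included in every location the security headers should be present on all three, which is the check that catches the inheritance mistake.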