Web Security Task

[wardaowais]

Select Topic Area

Question

Body

I’m currently working on implementing security headers for the website https://boctrustmfb.com. The headers I’m focusing on include:
1.Strict-Transport-Security
2.Content-Security-Policy
3. X-Frame-Options
4.X-Content-Type-Options
5. Referrer-Policy
6.Permissions-Policy

Current Situation:
These headers are already implemented in the backend, but I believe they are being applied only to API routes (e.g., /api/*), and not to the main website pages (like /, /about, etc.).

I also tried to add the headers manually via the Nginx configuration file using SSH — the configuration seems fine and the headers are included there.

Testing:
When I test the live site using header checker tools like https://securityheaders.com, most headers are not detected.

I also checked the Network tab (Response Headers) in browser DevTools the headers are missing from the main website responses.

Questions / Possible Causes:
If headers are present in the backend, shouldn’t they at least appear on API responses? Or are they not being forwarded to the frontend?

If we’ve defined the headers in Nginx, why are they not visible on the live site responses?

Could it be due to:

The backend overriding Nginx headers?

The Nginx headers not being applied to all location blocks?

The headers not applied with always, so only working on 200 responses?

Or maybe a reverse proxy setup that skips certain configs?

Reference:
Website: https://boctrustmfb.com

[bernoussama]

try accessing your backend from the server it's deployed in, or run the production build on your machine with no reverse proxy(nginx) and test it using curl from the command line. chatgpt can help you with commands just give it the endpoints. if you can see the headers, it's your reverse proxy that is misconfigured.

[EdwLearn]

Troubleshooting Security Headers Implementation

Great question! Security headers not showing up despite backend and Nginx configuration is a common issue. Let me help you diagnose and fix this step by step.

Immediate Debugging Steps

1. Test specific endpoints directly:

# Test main page
curl -I https://boctrustmfb.com

# Test API endpoint
curl -I https://boctrustmfb.com/api/some-endpoint

# Test with verbose output
curl -v https://boctrustmfb.com

Check Nginx configuration priority:

# Make sure headers are in the correct location block
server {
    # Global headers (apply to all locations)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    
    location / {
        # Frontend/static files
        # Headers should inherit from server block
    }
    
    location /api/ {
        # API routes
        proxy_pass http://backend;
        # Headers should also be applied here
    }
}

[wardaowais]

Yeah i also tried this approach and check using the curl I but was unable to done with it

[mazi-samuel]

Possible Causes:

1. Nginx Configuration Scope:

   • The headers might only be applied to specific location blocks (like /api/) but not to the root (/) or other static pages
   • Check if your Nginx config has separate server or location blocks that might be missing the header directives

2. Header Override:

   • Your backend application might be overwriting the headers set by Nginx
   • This is particularly common with frameworks like Express.js, Django, or Laravel that can set their own headers

3. Missing 'always' Parameter:

   • For non-200 responses, headers might be missing if not configured with 'always'

4. Reverse Proxy Behavior:

   • If you're using a reverse proxy setup, the headers might be getting stripped
   • Some CDNs or proxy services might modify or remove headers

5. Caching:

   • Cached responses might not include the latest headers
   • Browser might be serving cached versions without headers
     Recommended Troubleshooting Steps:

6. Verify Nginx Configuration:
   Check your Nginx config for something like this:
   server {
   listen 443 ssl;
   server_name boctrustmfb.com;

   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
   add_header X-Frame-Options "DENY" always;
   add_header X-Content-Type-Options "nosniff" always;
   add_header Referrer-Policy "strict-origin-when-cross-origin" always;
   add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()" always;
   add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; font-src 'self' https:; connect-src 'self' https:; frame-src 'self'; object-src 'none';" always;
   
   location / {
       proxy_pass http://backend;
   }
   
   location /api/ {
   }
   

   }

7. Check for Header Clearing:
   Look for any directives that might be clearing headers, like:
   proxy_hide_header

8. Test with curl:
   Use curl to verify headers without browser caching:
   curl -I https://boctrustmfb.com

9. Check Multiple Response Codes:
   Test with different response codes to see if the 'always' parameter is needed

10. Verify Backend Headers:
    Check if your backend is setting different headers that might override Nginx headers

11. Check for CDN/Proxy:
    If you're using Cloudflare or similar services, check their header settings
    Immediate Action Items:

12. Full Nginx Config Audit:
    Share your complete Nginx configuration (redacting sensitive info) for more specific advice

13. Test API vs Non-API Routes:
    Compare headers between:
    curl -I https://boctrustmfb.com/
    curl -I https://boctrustmfb.com/api/some-endpoint

14. Check Error Logs:
    Look for any relevant messages in Nginx error logs:
    sudo tail -f /var/log/nginx/error.log

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[wardaowais]

Close this

[wardaowais]

Issue Resolved