When setting up a website, it is very important to know how to secure it. I'm saying this because, despite NGINX being started as root and then running as www-data (an unprivileged user), people are still not adding the few lines that will mostly prevent their site from getting plowed.
Firstly, make sure you have HTTPS. It encrypts the connection between the site and the visitor. Most people have it on their sites
(well, except the TOR ones), but it's good to know that it prevents sniffing (and other nasty) attacks. Moving along.
Open /etc/nginx/nginx.conf and uncomment the line # server_tokens off. If server tokens are not disabled, anyone can request a gibberish URL on your site and read the NGINX version from the response. You want to prevent hackers from performing recon, and handing them the version is the equivalent of mission failure: they will search for or discover vulnerabilities FOR this exact version. Restart NGINX:
sudo systemctl restart nginx
sudo rc-service nginx restart
Is your web server up to date? The more popular specific software is, the more it will get targeted. More vulnerabilities are specifically discovered for old versions, and even platforms like HackTheBox, VulnHub and TryHackMe use virtual machines with old versions for training.
sudo pacman -Syyu
sudo apt update && sudo apt upgrade -yy
We're just getting started! Now we're gonna need to add headers, which will tell the clients/browsers what NOT to do!
HTTP Strict Transport Security (or HSTS) is a standard that tells browsers that only HTTPS requests may be sent to the site. Insert
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; into your
add_header X-Frame-Options "SAMEORIGIN"; and
add_header X-XSS-Protection "1; mode=block"; help against cross-site scripting attacks; the first line only allows the site to be embedded in frames by pages served from the same origin.
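Here is how the pieces above fit together in one configuration, as an added example that is not from the original post. It assumes the snippet is included from inside the http { } block; example.com, the web root and the certificate paths are placeholders.

```nginx
# Added example: the hardening steps from this post in a single file.
# example.com and the certificate/web-root paths are placeholders.

# Hide the NGINX version in the Server header and on error pages.
# Valid in http, server and location context; placed here so it covers
# both server blocks below.
server_tokens off;

# Redirect all plain-HTTP requests to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    # Placeholder certificate paths; point these at your real files.
    ssl_certificate     /etc/ssl/certs/example.com.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # HSTS: browsers will talk HTTPS only to this host (and subdomains)
    # for one year. Only keep "preload" if you intend to submit the
    # domain to the browser preload list, because that is hard to undo.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Only pages from the same origin may put this site in a frame.
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Legacy XSS-filter hint; current browsers ignore it, so it only
    # helps older clients and is no substitute for output encoding.
    add_header X-XSS-Protection "1; mode=block" always;

    # "always" makes NGINX send the headers on 4xx/5xx responses too.
    # Caveat: a location block with its own add_header does NOT inherit
    # these, so repeat them there if you add one.

    root /var/www/example.com;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After reloading, verify the headers from the outside with something like `curl -sI https://example.com` and check that the Server header no longer carries a version.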
If you're worried about NGINX being complicated software (which it is, and like other large projects it has a correspondingly larger attack surface), simply compile it yourself with the configure flags that leave out the extra modules you don't need.
This isn't anything special. In fact, these settings should be integrated by default. You can always Google more ways to harden NGINX, along with other server software! That's about it. Don't forget to check your open ports:
ss -tupn && ss -tupln