Severity: Error. Category: security.

Missing Security Headers

Essential HTTP security headers that should be present in every Nginx configuration.

What This Rule Checks

This rule checks whether standard security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, etc.) are enabled in your Nginx configuration.

Why It Matters

Security headers instruct browsers on how to handle your content. Without them, your site is vulnerable to clickjacking (X-Frame-Options), MIME sniffing attacks (X-Content-Type-Options), and information leakage (Referrer-Policy).

Bad — Triggers this rule

server {
    listen 80;
    server_name example.com;
    # No security headers — browsers use defaults
}

Good — Passes this rule

server {
    listen 80;
    server_name example.com;

    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header X-XSS-Protection "1; mode=block" always;
}

How to Fix

Enable security headers in Configen's Security section, or manually add the `add_header` directives shown above to your server block.
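As an added illustration (not Configen's own code), here is a simplified Python version of this check. It also flags the nginx pitfall behind many false "fixes": a location block that declares any `add_header` of its own stops inheriting the server block's headers. The parser assumes the usual layout of one directive per line, `{` ending a block's opening line and `}` alone on its line; the sample config is constructed.

```python
import re

# Headers this rule expects (the four in the page's "Good" example).
REQUIRED_HEADERS = ("X-Frame-Options", "X-Content-Type-Options",
                    "Referrer-Policy", "X-XSS-Protection")
ADD_HEADER_RE = re.compile(r"^add_header\s+([\w-]+)\s", re.IGNORECASE)

def headers_per_block(config):
    """Return [(block_label, {lowercased add_header names}), ...] for every
    {} block. Simplified parser: one directive per line, '{' ending the
    block's opening line, '}' alone on a line (the usual nginx layout)."""
    blocks, stack = [], []                   # stack: indices of open blocks
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.endswith("{"):
            blocks.append((line[:-1].strip(), set()))
            stack.append(len(blocks) - 1)
        elif line == "}" and stack:
            stack.pop()
        elif stack:
            m = ADD_HEADER_RE.match(line)
            if m:
                blocks[stack[-1]][1].add(m.group(1).lower())
    return blocks

def lint(config):
    """Return findings for this rule; an empty list means the config passes."""
    findings = []
    for label, names in headers_per_block(config):
        if not label.startswith(("server", "location")):
            continue
        if label.startswith("location") and not names:
            continue   # no add_header here: inherits the server's set
        missing = [h for h in REQUIRED_HEADERS if h.lower() not in names]
        if missing:
            note = (" (its own add_header discards the server's headers)"
                    if label.startswith("location") else "")
            findings.append(f"{label}: missing {', '.join(missing)}{note}")
    return findings

# Constructed sample: server{} passes, but the location re-declares add_header
# and so silently loses every header set at server level.
SAMPLE_CFG = """server {
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header X-XSS-Protection "1; mode=block" always;
    location /api/ {
        add_header Cache-Control "no-store";
    }
}"""
```

`lint(SAMPLE_CFG)` returns one finding for `location /api/`; the fix is to repeat the four `add_header` lines inside that location (or move them into a shared include).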
