Security Headers in Nginx
Complete guide to configuring security headers in Nginx to protect your web application.
Why Security Headers?
Security headers tell browsers how to behave when handling your site's content. They protect against XSS, clickjacking, MIME sniffing, and other attacks.
Essential Security Headers
X-Frame-Options
Prevents your page from being loaded in an iframe (clickjacking protection):
add_header X-Frame-Options "SAMEORIGIN" always;
X-Content-Type-Options
Prevents MIME type sniffing:
add_header X-Content-Type-Options "nosniff" always;
Referrer-Policy
Controls how much referrer information is sent:
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Content-Security-Policy
Controls which resources the browser can load:
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
X-XSS-Protection
Enables the browser's built-in XSS filter (note that current Chromium- and WebKit-based browsers no longer implement this filter, so the header only affects legacy clients):
add_header X-XSS-Protection "1; mode=block" always;
Hide Server Version
Hide the Nginx version from response headers:
server_tokens off;
All-in-One Example
server {
    # ...
    server_tokens off;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
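Because nginx inherits add_header directives from the server block only when a location block sets none of its own, it is worth verifying what the server actually sends rather than trusting the config file. The following Python audit is an added example, not part of this guide: it parses a raw response header block (as printed by curl -I) and reports which of the checks above fail; the sample response is constructed to mirror the All-in-One block, so running it also shows that the block omits the Content-Security-Policy header listed earlier.

```python
"""Audit the security headers from this guide against a captured HTTP response.
Added example, not part of the original guide; SAMPLE_RESPONSE is constructed, not a real capture."""
import re

# Constructed sample: raw response header block, as `curl -I` prints it for the All-in-One config.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Strict-Transport-Security: max-age=63072000\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values; stops at the blank line that ends the block."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw: str) -> list:
    """Return findings for the checks in this guide; an empty list means every check passed."""
    h = parse_headers(raw)
    findings = []
    if re.search(r"nginx/\d", h.get("server", "")):  # server_tokens off leaves just "nginx"
        findings.append("server_tokens is on: version exposed in Server header")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not hsts or int(hsts.group(1)) < 31536000:  # expect at least one year
        findings.append("Strict-Transport-Security missing or max-age under one year")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE) or ["all checks passed"]:
        print(finding)
```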
Use Configen to add all security headers with one click!