Custom Query (2311 matches)
Results (76 - 78 of 2311)
Ticket | Resolution | Summary | Owner | Reporter |
---|---|---|---|---|
#2025 | invalid | additional headers not sent when directory index is forbidden | ||
Description:

Running nginx in docker (nginx:mainline, currently 1.19.0) to serve static files, I have added the usual set of headers via add_header like this:

```nginx
server {
    listen *:80 default_server;
    server_name _;
    server_tokens off;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-hashes' 'unsafe-inline';";
    add_header Referrer-Policy strict-origin;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection 1;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
```

When a request is made to a path without an index file, directory listing is denied (rightfully so) and a 403 status is returned. When this happens, none of the extra headers are returned. These additional headers should always be returned; it makes us fail security certifications because automated scanners find pages without the proper headers set. While I don't have an example at hand, I could imagine that there is a scenario where being able to circumvent additional headers during a request in this way might enable or at least aid some kind of malicious action.
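What the reporter observes is the documented behaviour of `add_header`, which is why the ticket was closed as invalid: without the `always` parameter (available since nginx 1.7.5) the field is added only to responses with status 200, 201, 204, 206, 301, 302, 303, 304, 307 or 308, so the 403 from the denied listing carries only the one directive in that config that has `always`, Strict-Transport-Security. The script below is an added example, not code from the ticket or from nginx. It embeds the reporter's server block as a constructed sample, reflowed to one directive per line (the parser assumes exactly that layout), reports which add_header fields nginx would emit for a given status, lists the directives that lack `always`, and rewrites the block so every one of them carries it.

```python
import re

# Status codes for which nginx applies an add_header directive that has no
# `always` flag (ngx_http_headers_module docs). Any other status, such as the
# 403 from a denied directory listing, gets none of those headers.
DEFAULT_ADD_HEADER_CODES = frozenset({200, 201, 204, 206, 301, 302, 303, 304, 307, 308})

# Constructed sample: the ticket's server block reflowed to one directive per
# line. Only Strict-Transport-Security carries `always`, as in the report.
SAMPLE_CONFIG = """\
server {
    listen *:80 default_server;
    server_name _;
    server_tokens off;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-hashes' 'unsafe-inline';";
    add_header Referrer-Policy strict-origin;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection 1;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
"""

# Assumption: one add_header directive per line, terminated by `;`. The value
# may be a quoted string containing spaces and semicolons (CSP values do), so
# the non-greedy value group is anchored on the directive's final semicolon.
ADD_HEADER_RE = re.compile(
    r"^(?P<indent>\s*)add_header\s+(?P<name>\S+)\s+(?P<value>.*?)"
    r"(?P<always>\s+always)?\s*;\s*$"
)


def parse_add_headers(config):
    """Return (name, value, has_always) for every add_header directive found."""
    found = []
    for line in config.splitlines():
        m = ADD_HEADER_RE.match(line)
        if m:
            found.append((m["name"], m["value"], m["always"] is not None))
    return found


def headers_sent_for(config, status):
    """Names of the configured add_header fields nginx would emit on `status`."""
    return [name for name, _value, always in parse_add_headers(config)
            if always or status in DEFAULT_ADD_HEADER_CODES]


def missing_always(config):
    """Directives that are skipped on every status outside the default set."""
    return [name for name, _value, always in parse_add_headers(config) if not always]


def harden(config):
    """Rewrite the config so every add_header directive carries `always`."""
    out = []
    for line in config.splitlines():
        m = ADD_HEADER_RE.match(line)
        if m and m["always"] is None:
            line = f'{m["indent"]}add_header {m["name"]} {m["value"]} always;'
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for status in (200, 403, 404, 500):
        print(f"{status}: {headers_sent_for(SAMPLE_CONFIG, status)}")
    print("missing `always`:", missing_always(SAMPLE_CONFIG))
    print("--- hardened config ---")
    print(harden(SAMPLE_CONFIG), end="")
```

Two caveats worth checking after applying the rewrite to a real config. First, add_header directives are inherited from the enclosing level only when the current level defines none of its own, so a `location` block that adds even one header of its own silently drops all of the server-level ones unless they are repeated there; the scanner finding that prompted this ticket is just as often caused by that rule as by a missing `always`. Second, `always` is what makes the headers appear on error responses nginx generates itself, including the 403 here, which can be confirmed against a running server with `curl -sI` on a directory path that has no index file.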
#550 | wontfix | Add method to remove or change default headers. | ||
Description:

By default nginx responds with a number of headers; for example, I have a response listed below. These are a good set of defaults because they work properly with a large range of clients. However, a number of these headers are unnecessary for conforming HTTP 1.1 clients and it would be nice to be able to remove them.

Example Response:

```http
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Mon, 28 Apr 2014 19:07:11 GMT
Content-Type: text/html
Content-Length: 2820
Last-Modified: Wed, 23 Apr 2014 20:22:58 GMT
Connection: keep-alive
ETag: "53582122-b04"
Accept-Ranges: bytes
```

For example, 'Connection: keep-alive' is not a standard header and it is assumed for HTTP 1.1 servers. 'Accept-Ranges: bytes' is unnecessary, and some people consider sending a 'Server' header bad practice because it can attract automated attacks for known vulnerabilities. The http_headers_more module can modify and remove some headers but some are always set by the server. It would be nice to have a solution that can modify *any* header.
#292 | fixed | Add mime application/font-woff for `woff` fonts | ||
Description:

Woff has been assigned a mime-type, see links below for details. Would be nice to have this among the nginx default mime types.

It would be the following entry in the

Links to authoritative mime resources:
http://www.iana.org/assignments/media-types/application/font-woff
http://www.w3.org/TR/WOFF/#appendix-b