id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2025	additional headers not sent when directory index is forbidden	https://stackoverflow.com/users/1164131/niko-s-p		"Running nginx in docker (nginx:mainline, currently 1.19.0) to serve static files, I have added the usual set of headers via add_header like this:

{{{
server {
  listen                *:80 default_server;
  server_name           _;
  server_tokens         off;

  add_header Strict-Transport-Security ""max-age=15768000; includeSubDomains; preload"" always;
  add_header Content-Security-Policy ""default-src 'self'; style-src 'self' 'unsafe-hashes' 'unsafe-inline';"";
  add_header Referrer-Policy strict-origin;
  add_header X-Content-Type-Options nosniff;
  add_header X-Frame-Options SAMEORIGIN;
  add_header X-XSS-Protection 1;

  location / {
      root   /usr/share/nginx/html;
      index  index.html index.htm;
  }
}
}}}

When a request is made to a path without an index file, directory listing is denied (rightfully so) and a 403 status is returned.
When this happens, none of the extra headers are returned.
These additional headers should always be returned; their absence makes us fail security certifications because automated scanners find pages without the proper headers set.

While I don't have an example at hand, I could imagine that there is a scenario where being able to circumvent additional headers during a request in this way might enable or at least aid some kind of malicious action."	defect	closed	major		nginx-core	1.19.x	invalid	add_header directory_index security	https://stackoverflow.com/users/1164131/niko-s-p	4.15.0-64-generic #73-Ubuntu SMP	"nginx version: nginx/1.19.0
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.19.0/debian/debuild-base/nginx-1.19.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'"
