Behind the Scenes of y2z.travel’s A+ Security Ranking and Compliance with PCIDSS, HIPAA, and NIST
When it comes to securing your website, there are numerous factors to consider. For y2z.travel, achieving an A+ ranking in security scans and compliance with industry standards like PCIDSS, HIPAA, and NIST required implementing a variety of security features.
In this post, we’ll explore some of these key security features and discuss how to enable them in Nginx.
- Content Security Policy
- Cookies
- Cross-origin
- HTTP Strict Transport Security
- Redirection
- Referrer Policy
- Subresource Integrity
- X-Content-Type-Options
- X-Frame-Options
- X-XSS-Protection
1. Content Security Policy (CSP)
CSP is a security feature that helps prevent cross-site scripting (XSS) attacks by allowing you to specify which sources of content are allowed to be loaded on your website.
This is what the CSP header looks like:
Content-Security-Policy:
default-src 'none';
font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com https://cdnjs.cloudflare.com;
img-src 'self' https://via.placeholder.com https://storage.googleapis.com;
object-src 'none';
script-src 'self' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://code.jquery.com https://ga.jspm.io https://buttons.github.io https://www.googletagmanager.com 'nonce-d4ee92Kq3PIjJaOl3C6ivw==';
style-src 'self' https://cdn.jsdelivr.net https://fonts.googleapis.com https://cdnjs.cloudflare.com 'nonce-d4ee92Kq3PIjJaOl3C6ivw==';
base-uri 'none';
form-action 'self';
frame-ancestors 'none';
connect-src 'self' https://maps.googleapis.com https://raw.githubusercontent.com https://www.google-analytics.com;
frame-src 'none';
report-uri /csp-violation-report-endpoint
Here, we need to specify every source that our website accesses. Above you can see there are many CSP directives, which allow us to specify how we deal with each kind of source.
Each CSP directive accepts several source values; I'm explaining some of them now.
'none' — All requests are blocked (both internal & external)
'self' — Only self/internal requests (same origin) are allowed. Again, inline is not allowed here
'nonce-…' — A per-response random value; inline scripts or styles are allowed only when their nonce attribute matches the value in the header
example:
<script nonce="d4ee92Kq3PIjJaOl3C6ivw==">
const inline = 1;
// …
</script>
<style nonce="d4ee92Kq3PIjJaOl3C6ivw==">
#inline-style {
background: red;
}
</style>
There is a special directive called
report-uri
— This is the reporting URL. You have to implement a simple POST endpoint and store the reports in a DB. Browsers respect this URI and make a POST call with all necessary details of the requests that were blocked due to CSP.
To enable CSP in Nginx, you can add the following HTTP header to your server block:
add_header Content-Security-Policy "default-src 'none'; report-uri /csp-violation-report-endpoint";
It's highly recommended to first enable CSP in report-only mode; for this you need to use the following header
Content-Security-Policy-Report-Only: default-src 'none'; report-uri /csp-violation-report-endpoint
In Nginx, it would translate to
add_header Content-Security-Policy-Report-Only "default-src 'none'; report-uri /csp-violation-report-endpoint;";
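The report-uri endpoint has to accept what the browser POSTs (a JSON object wrapped in a csp-report key) and reduce it to something worth storing. The following is an added example, not code from the y2z.travel site; the sample report body is constructed, the field names are those of the CSP report format, and the "database" is a plain Python list standing in for whatever store you use.

```python
import json
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed sample of a browser's POST to report-uri
# (Content-Type: application/csp-report). The blocked-uri may also be a
# bare keyword such as "inline" or "eval" rather than a URL.
SAMPLE_REPORT = b'''{
  "csp-report": {
    "document-uri": "https://y2z.travel/search",
    "referrer": "",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "original-policy": "default-src 'none'; script-src 'self'; report-uri /csp-violation-report-endpoint",
    "blocked-uri": "https://third-party.example/widget.js",
    "status-code": 200,
    "source-file": "https://y2z.travel/search",
    "line-number": 42,
    "column-number": 7
  }
}'''

MAX_BODY_BYTES = 64 * 1024  # reports are small; refuse oversized bodies before parsing


@dataclass
class CspViolation:
    document_uri: str
    violated_directive: str
    blocked_uri: str
    source_file: Optional[str]
    line_number: Optional[int]


def parse_csp_report(body: bytes) -> CspViolation:
    """Validate a report-uri POST body and keep only the fields worth storing.

    Raises ValueError for anything that is not a well-formed CSP report, so the
    endpoint can answer 400 instead of writing attacker-shaped junk to the DB.
    """
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("report body too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    for key in ("document-uri", "violated-directive", "blocked-uri"):
        if not isinstance(report.get(key), str):
            raise ValueError(f"missing or non-string field: {key}")
    source = report.get("source-file")
    line = report.get("line-number")
    # Truncate free-form strings so a hostile client cannot bloat the table.
    return CspViolation(
        document_uri=report["document-uri"][:2048],
        violated_directive=report["violated-directive"][:256],
        blocked_uri=report["blocked-uri"][:2048],
        source_file=source[:2048] if isinstance(source, str) else None,
        line_number=line if isinstance(line, int) else None,
    )


def store_violation(violation: CspViolation, db: list) -> dict:
    """Stand-in for the DB write: append one row (a dict) to `db`."""
    row = asdict(violation)
    db.append(row)
    return row


if __name__ == "__main__":
    rows = []
    store_violation(parse_csp_report(SAMPLE_REPORT), rows)
    print(rows[0])
```

Wire parse_csp_report into whatever web framework serves the endpoint; the endpoint should be unauthenticated (browsers send no credentials), so the size limit and field validation above are what keep it from becoming a write-anything sink. While the policy runs in report-only mode, grouping stored rows by violated_directive and blocked_uri tells you which sources still need to be added to the header before switching to enforcement.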
For deeper understanding, please check the mozilla docs here & here
2. Cookies
Cookies can be a security vulnerability if not handled properly. To ensure your cookies are secure, you can enable the HttpOnly and Secure flags, which help prevent cross-site scripting (XSS) attacks and ensure that cookies are only transmitted over HTTPS.
Sample Cookie Header
Set-Cookie: cookie_name=cookie_value; Path=/; Secure; HttpOnly; SameSite=Lax
To enable these flags in Nginx, add the following line to your server block:
add_header Set-Cookie "cookie_name=cookie_value; Path=/; Secure; HttpOnly; SameSite=Lax";
For deeper understanding, please check the mozilla docs here
3. Cross-origin Resource Sharing (CORS)
CORS is a security feature that allows you to specify which domains are allowed to access your website’s resources.
Sample CORS Headers
Access-Control-Allow-Origin: *
Here * allows all origins, which is not recommended.
The most common use of CORS is when your frontend and backend are deployed under two different domains or subdomains. Let's say the frontend is hosted on xyz.com and the backend is hosted on backend.xyz.com. Now we can enable CORS in the backend saying that xyz.com can access our backend.
Header corresponds to
Access-Control-Allow-Origin: https://xyz.com
To enable CORS in Nginx, add the following HTTP header to your server block:
add_header 'Access-Control-Allow-Origin' 'https://xyz.com';
For deeper understanding, please check the mozilla docs here
4. HTTP Strict Transport Security (HSTS)
HSTS is a security feature that forces users to access your website over HTTPS, even if they type in “http://” in their browser’s address bar.
To enable HSTS in Nginx, add the following HTTP header to your server block:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
For deeper understanding, please check the mozilla docs here
5. Redirection
Redirecting HTTP traffic to HTTPS is an important security measure. Here we are giving a permanent redirect (301).
To enable this redirection in Nginx, add the following lines to your server block:
if ($scheme != "https") {
return 301 https://$server_name$request_uri;
}
6. Referrer Policy
Referrer policy determines how much information is sent to other websites when a user clicks a link on your website. There are multiple policies that we can use here
no-referrer
no-referrer-when-downgrade
origin
origin-when-cross-origin
same-origin
strict-origin
strict-origin-when-cross-origin
unsafe-url
To enable a stricter referrer policy in Nginx, add the following HTTP header to your server block:
add_header Referrer-Policy "strict-origin-when-cross-origin";
For deeper understanding, please check the mozilla docs here
7. Subresource Integrity (SRI)
SRI is a security feature that helps prevent third-party attacks by verifying the integrity of external resources (such as JavaScript libraries) loaded on your website.
It uses cryptographic hashes to ensure that the content of a resource has not been modified. If the hash does not match the expected value, the browser will not load the resource, preventing potential security risks.
Just make sure that whenever you are loading any external JavaScript or stylesheet, an integrity attribute is provided. If a hacker gets hold of the external site and changes the content of the file, the cryptographic hash (integrity) of the updated file content does not match the original integrity value. Hence the modified resource won't load.
<script
src="https://cdnjs.cloudflare.com/ajax/libs/bootstrap/5.2.3/js/bootstrap.min.js"
integrity="sha512-1/RvZTcCDEUjY/CypiMz+iqqtaoQfAITmNSJY17Myp4Ms5mdxPS5UV7iOfdZoxcGhzFbOm6sntTKJppjvuhg4g=="
crossorigin="anonymous"
referrerpolicy="no-referrer">
</script>
<link
rel="stylesheet"
href="https://cdnjs.cloudflare.com/ajax/libs/bootstrap/5.2.3/css/bootstrap.min.css"
integrity="sha512-SbiR/eusphKoMVVXysTKG/7VseWii+Y3FdHrt0EpKgpToZeemhqHeZeLWLhJutz/2ut2Vw1uQEj2MbRF+TVBUA=="
crossorigin="anonymous"
referrerpolicy="no-referrer"
/>
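Generating the integrity value yourself, from the exact bytes you vetted, is what makes SRI meaningful; the check below also mirrors how the browser evaluates an attribute that lists several hashes (it uses only the strongest algorithm present). This is an added example, not part of the original post: the asset bytes are a constructed stand-in for a downloaded library file, and sri_hash / sri_matches are helper names chosen here.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a library file; in practice hash the exact bytes
# served by the CDN (or your vendored copy), not a file you edited locally.
SAMPLE_ASSET = b"/*! example.min.js (constructed) */\nwindow.example=function(){return 1};\n"

# Algorithms SRI allows, weakest to strongest.
SUPPORTED = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algo: str = "sha512") -> str:
    """Return the integrity attribute value for `data`, e.g. 'sha512-<base64>'."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(data: bytes, integrity: str) -> bool:
    """Replicate the browser's decision for one resource.

    The attribute may carry several whitespace-separated hashes. The browser
    keeps only those using the strongest algorithm it recognises and accepts the
    resource if any of them matches. One deliberate difference: a browser that
    finds no usable hash loads the resource unchecked, whereas this verifier
    fails closed, because an unparsable attribute is a deployment mistake.
    """
    parsed = []
    for token in integrity.split():
        algo, sep, value = token.partition("-")
        if sep and algo.lower() in SUPPORTED:
            parsed.append((algo.lower(), value))
    if not parsed:
        return False
    strongest = max((a for a, _ in parsed), key=SUPPORTED.index)
    actual = sri_hash(data, strongest).partition("-")[2]
    return any(hmac.compare_digest(actual, v) for a, v in parsed if a == strongest)


def script_tag(src: str, data: bytes) -> str:
    """Render the <script> tag for `src` with the integrity of `data` filled in."""
    return (f'<script src="{src}" integrity="{sri_hash(data)}" '
            'crossorigin="anonymous" referrerpolicy="no-referrer"></script>')


if __name__ == "__main__":
    print(script_tag("https://cdn.example/example.min.js", SAMPLE_ASSET))
```

Note that crossorigin="anonymous" is required alongside integrity for cross-origin resources: without it the browser cannot read the response to hash it and refuses to load the resource at all. Pin the exact library version in the URL as the page's Bootstrap tags do, since any legitimate update also changes the hash.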
For deeper understanding, please check the mozilla docs here
8. X-Content-Type-Options
This header helps prevent MIME sniffing attacks in web browsers. It instructs the browser to honor the declared content type of a response and not try to guess it based on the response body. This helps prevent malicious content from being executed or interpreted as a different content type.
To enable X-Content-Type-Options in Nginx, add the following HTTP header to your server block:
add_header X-Content-Type-Options "nosniff";
9. X-Frame-Options
This helps prevent clickjacking attacks in web browsers. It instructs the browser whether to allow a web page to be displayed in a frame or iframe. By denying this permission, it prevents malicious websites from loading a victim website inside a hidden frame and tricking users into interacting with it.
To enable X-Frame-Options in Nginx, add the following HTTP header to your server block:
add_header X-Frame-Options "SAMEORIGIN";
10. X-XSS-Protection
This header helps prevent cross-site scripting (XSS) attacks in web browsers. It enables the browser’s built-in XSS filter, which scans web pages for potential XSS attacks and blocks or sanitizes the script code. This helps protect users from malicious scripts that could steal sensitive data or perform unauthorized actions on their behalf.
To enable X-XSS-Protection in Nginx, add the following HTTP header to your server block:
add_header X-XSS-Protection "1; mode=block";
Enabling these security features in Nginx can help protect your website from a range of security threats, and is a crucial step towards achieving compliance with industry standards like PCIDSS, HIPAA, and NIST. To implement these security features in Nginx, you’ll need to edit your server block configuration file. If you’re not familiar with Nginx configuration, be sure to back up your configuration files and test your changes in a staging environment before making them live.
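Once the add_header lines are in place, the quickest way to confirm them in staging is to audit the response head rather than trust the config. The following is an added example and not part of the original post: it parses raw response headers (two constructed samples, one pre-hardening and one sending the headers this post recommends) and reports which of the post's checks fail. The thresholds, such as a one-year HSTS max-age, follow the values used above; the function names are chosen here.

```python
import re
from collections import defaultdict

# Constructed sample responses. In practice feed in the output of
# `curl -sI https://your-host/` for the pages and API endpoints you care about.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Set-Cookie: session=abc123; Path=/
Access-Control-Allow-Origin: *
Referrer-Policy: unsafe-url
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Content-Security-Policy: default-src 'none'; script-src 'self' 'nonce-d4ee92Kq3PIjJaOl3C6ivw=='; object-src 'none'; frame-ancestors 'none'; report-uri /csp-violation-report-endpoint
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Access-Control-Allow-Origin: https://xyz.com
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
"""


def parse_headers(raw: str) -> dict:
    """Split a response head into {lowercased name: [values]}; repeated headers
    such as Set-Cookie keep every occurrence."""
    headers = defaultdict(list)
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()].append(value.strip())
    return headers


def parse_csp(policy: str) -> dict:
    """\"default-src 'none'; script-src 'self'\" -> {'default-src': [\"'none'\"], ...}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(raw: str) -> list:
    """Return one finding per weakness; an empty list means every check passed."""
    h = parse_headers(raw)
    findings = []

    def first(name):
        return h[name][0] if h.get(name) else None

    csp = first("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        d = parse_csp(csp)
        if "default-src" not in d:
            findings.append("CSP: no default-src fallback")
        if "'unsafe-inline'" in d.get("script-src", d.get("default-src", [])):
            findings.append("CSP: script-src allows 'unsafe-inline'")
        if d.get("object-src", d.get("default-src")) != ["'none'"]:
            findings.append("CSP: object-src should be 'none'")

    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"Cookie {name}: missing {flag}")

    if first("access-control-allow-origin") == "*":
        findings.append("CORS: Access-Control-Allow-Origin is '*'")

    hsts = first("strict-transport-security") or ""
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS: header missing or without max-age")
    elif int(m.group(1)) < 31536000:
        findings.append("HSTS: max-age shorter than one year")
    elif "includesubdomains" not in hsts.lower():
        findings.append("HSTS: includeSubDomains not set")

    if (first("referrer-policy") or "").lower() in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy: missing or leaks the full URL cross-origin")

    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")

    framed_ok = (first("x-frame-options") or "").upper() in ("DENY", "SAMEORIGIN")
    if not framed_ok and not (csp and "frame-ancestors" in parse_csp(csp)):
        findings.append("Framing: neither X-Frame-Options nor CSP frame-ancestors set")

    if first("x-xss-protection") is None:
        findings.append("X-XSS-Protection: header missing")

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(raw) or "all checks passed")
```

One Nginx caveat this audit catches quickly: add_header directives are inherited only when the enclosing location block declares none of its own, so a location that adds one header silently drops the server-level set. Running the audit against several paths, not just /, surfaces that.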
Conclusion
At y2z.travel, implementing these security features was a key factor in achieving their A+ ranking in security scans and compliance with industry standards. By following their lead and enabling these security features in your own Nginx server, you can help ensure that your website is secure and compliant, too.