UN-3124 [FIX] : Add security headers and HTTP method restrictions to nginx (#1726)

jaseemjaskp · web-flow · commit 3469b02253f8 · 2025-12-31T10:33:08.000+05:30
* feat: Add security headers and HTTP method restrictions to nginx

- Add X-Content-Type-Options header to prevent MIME sniffing
- Add X-Frame-Options header to prevent clickjacking
- Add X-XSS-Protection header for XSS protection
- Add Referrer-Policy header for referrer control
- Disable TRACE and TRACK HTTP methods
- Limit allowed HTTP methods to GET, HEAD, POST in location block

* fix: Remove deprecated X-XSS-Protection header

X-XSS-Protection is deprecated and ignored by modern browsers.
Chrome removed support in 2019. Content-Security-Policy (CSP)
is the recommended replacement for XSS protection.

* fix: Limit HTTP methods to GET and HEAD only

Static file serving only requires GET and HEAD methods.
POST is not needed as API calls go directly to the backend.
diff --git a/frontend/nginx.conf b/frontend/nginx.conf
@@ -42,12 +42,27 @@ http {
         root  /usr/share/nginx/html;
         include /etc/nginx/mime.types;
 
+        # Security headers
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+        # Disable TRACE and TRACK methods
+        if ($request_method ~ ^(TRACE|TRACK)$) {
+            return 405;
+        }
+
         # If a react app URI is directly accessed we will get 404
         # since there will be no file representing that path.
         # Below config will load index.html file in such case and
         # browser will load the proper path using JS.
         location / {
+            # Limit allowed HTTP methods
+            limit_except GET HEAD {
+                deny all;
+            }
             try_files $uri /index.html;
         }
+
     }
 }
