UN-3124 [FIX] : Add security headers and HTTP method restrictions to nginx #1726
Conversation
- Add X-Content-Type-Options header to prevent MIME sniffing
- Add X-Frame-Options header to prevent clickjacking
- Add X-XSS-Protection header for XSS protection
- Add Referrer-Policy header for referrer control
- Disable TRACE and TRACK HTTP methods
- Limit allowed HTTP methods to GET, HEAD, POST in location block
Actionable comments posted: 2
🧹 Nitpick comments (1)
frontend/nginx.conf (1)
51-54: Consider removing redundant TRACE/TRACK check.
The explicit TRACE/TRACK blocking is redundant with the `limit_except GET HEAD POST` block (lines 62-63), which already denies all methods except the allowed ones. The `limit_except` directive is the preferred nginx approach for method restrictions. However, keeping both provides defense in depth and earlier rejection at the server level, so this is acceptable if you prefer explicit blocking of these methods.
🔎 Optional simplification
If you prefer a simpler configuration, you can remove the server-level if block since
limit_exceptalready handles method restrictions:# Security headers add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; -# Disable TRACE and TRACK methods -if ($request_method ~ ^(TRACE|TRACK)$) { - return 405; -} - # If a react app URI is directly accessed we will get 404
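Review bot: the proposed simplification changes scope, not just verbosity. `limit_except` only applies inside the location block that carries it (lines 62-63), while the removed `if ($request_method ~ ^(TRACE|TRACK)$) { return 405; }` sits at server level and covers every location in the server, including any proxy or alias location added later. If TRACE/TRACK must be rejected server-wide, keep the server-level check or repeat the method restriction in every location. The two layers also answer differently: the `if` returns 405, whereas a `limit_except` that ends in `deny all` returns 403, so a probe for TRACE sees a different status depending on which layer rejects it; and a 405 response is expected to carry an `Allow` header listing the permitted methods, which the `return 405` here does not set.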
X-XSS-Protection is deprecated and ignored by modern browsers. Chrome removed support in 2019. Content-Security-Policy (CSP) is the recommended replacement for XSS protection.
Static file serving only requires GET and HEAD methods. POST is not needed as API calls go directly to the backend.
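As an added check, not part of this PR or the project's own code: a small Python probe that verifies the four headers the PR adds and sweeps the HTTP methods, judged against the two review comments above (X-XSS-Protection flagged as deprecated with Content-Security-Policy expected instead, and only GET and HEAD treated as required). Both 403 and 405 count as a rejection, because `limit_except ... { deny all; }` answers 403 while the PR's server-level `return 405` answers 405. The sample header set and method results embedded below are constructed to mirror the PR's configuration; the URL in the usage line is a placeholder.

```python
"""Probe a frontend for the nginx hardening in this PR and report gaps."""
import http.client
import sys
from urllib.parse import urlparse

# Headers the PR adds, with the values considered acceptable for each.
REQUIRED_HEADERS = {
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.lower() in (
        "no-referrer", "same-origin", "strict-origin",
        "strict-origin-when-cross-origin", "no-referrer-when-downgrade"),
}
# Per the review comment: a static-file location needs only GET and HEAD.
ALLOWED_METHODS = ("GET", "HEAD")
PROBE_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "TRACK")


def audit_headers(headers):
    """headers: iterable of (name, value) pairs as http.client returns them.
    Returns a sorted list of findings; an empty list means all checks passed."""
    seen = {}
    for name, value in headers:
        seen.setdefault(name.lower(), []).append(value.strip())
    findings = []
    for name, ok in REQUIRED_HEADERS.items():
        values = seen.get(name)
        if not values:
            findings.append(f"missing {name}")
        elif not all(ok(v) for v in values):
            findings.append(f"{name} has unexpected value {values!r}")
        elif len(values) > 1:
            # Duplicates usually mean add_header was repeated at two levels.
            findings.append(f"{name} sent {len(values)} times")
    if "x-xss-protection" in seen:
        findings.append("x-xss-protection is deprecated and ignored by current "
                        "browsers; rely on content-security-policy instead")
    if "content-security-policy" not in seen:
        findings.append("missing content-security-policy")
    return sorted(findings)


def audit_method(method, status):
    """Judge one (method, status) probe result against the allow-list.
    Returns None when the result is as expected, else a finding string."""
    if method in ALLOWED_METHODS:
        return None if status < 400 else f"{method} rejected with {status}"
    if status in (403, 405):  # deny all -> 403, return 405 -> 405
        return None
    return f"{method} not rejected (got {status}); expected 403 or 405"


def audit_method_results(results):
    """results: dict of method -> status code. Returns sorted findings."""
    return sorted(f for f in (audit_method(m, s) for m, s in results.items()) if f)


def probe(url, method, timeout=5.0):
    """Send one request and return (status, header pairs). Network-only helper."""
    u = urlparse(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request(method, u.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


# Constructed sample: what nginx sends with the PR's four add_header lines.
PR_HEADERS = [
    ("Content-Type", "text/html"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]
# Constructed sample: a method sweep consistent with the PR's server-level
# 405 for TRACE/TRACK and a limit_except deny for the rest.
PR_METHOD_RESULTS = {"GET": 200, "HEAD": 200, "POST": 405, "PUT": 403,
                     "DELETE": 403, "OPTIONS": 403, "TRACE": 405, "TRACK": 405}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} https://frontend.example/", file=sys.stderr)
        sys.exit(2)
    _, hdrs = probe(sys.argv[1], "GET")
    sweep = {m: probe(sys.argv[1], m)[0] for m in PROBE_METHODS}
    for finding in audit_headers(hdrs) + audit_method_results(sweep):
        print(finding)
```

Run it against more than one path (the root, a deep React route, a static asset), because nginx drops headers inherited from the server level in any location that declares its own `add_header`, and a single-path check would miss that.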
Summary
This PR adds security hardening to the nginx configuration for the frontend.
Changes
Testing