Hide the Nginx version in the Server header:
# Omit the nginx version from the Server response header and from the
# footer of nginx-generated error pages. The "Server: nginx" header is
# still sent; removing it entirely needs a third-party module
# (headers-more) or the commercial build.
server_tokens off;
Set buffer size limitations for clients:
## Start: Client request size limits ##
# These cap how much a client may send per request: they bound memory use
# per connection and reject oversized requests early. They do not protect
# nginx itself against buffer overflows; the old header name was misleading.
client_body_buffer_size 1K;        # body kept in memory up to this size, larger bodies spill to a temp file
client_header_buffer_size 1k;      # buffer for the request line and headers
client_max_body_size 1k;           # NOTE(review): 1k rejects nearly every form POST or upload with 413 — size to the largest legitimate body
large_client_header_buffers 2 1k;  # fallback buffers for long request lines/headers; overflow yields 414 or 400 — TODO confirm cookies/auth tokens fit
## End: Client request size limits ##
Control timeouts to improve server performance:
## Start: Timeouts ##
# Short timeouts release connections held open by slow or idle clients
# (slowloris-style resource exhaustion). Values are seconds.
client_body_timeout 10;     # max wait between two successive reads of the body, not for the whole body
client_header_timeout 10;   # max wait for the complete request header
keepalive_timeout 5 5;      # idle keep-alive lifetime; the second value is advertised in the Keep-Alive response header
send_timeout 10;            # max wait between two successive writes to the client
## End: Timeouts ##
Limit simultaneous connections:
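# Per-client concurrent connection limit. limit_zone is obsolete (replaced
# by limit_conn_zone in nginx 1.1.8) and current releases reject it. The
# zone must be declared in the http context; limit_conn may then be used
# in http, server or location.
limit_conn_zone $binary_remote_addr zone=slimits:5m;   # 5 MB shared zone keyed on client IP
limit_conn slimits 5;                                  # at most 5 concurrent connections per IP; excess get 503 unless limit_conn_status is set
# NOTE(review): clients behind a shared NAT or forward proxy count as one
# address and may hit this limit in normal use. Behind a reverse proxy the
# key must be the real client address (realip module), otherwise every
# request shares the proxy's IP.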
Allow access to specific domains only:
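# Close the connection for requests whose Host header is not one of the
# configured names. The dots are escaped: an unescaped "." matches any
# character, so "yourdomainXcom" would have passed the original check.
# 444 is nginx-specific: close the connection without sending a response.
# NOTE(review): a catch-all "server { listen 80 default_server; return 444; }"
# (and the same for the TLS listener) achieves this without "if".
if ($host !~ ^(yourdomain\.com|www\.yourdomain\.com)$ ) {
    return 444;
}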
Limit available HTTP methods:
# Close the connection for any method other than GET, HEAD or POST, so
# PUT, DELETE, TRACE, OPTIONS etc. never reach the application.
# 444 drops the connection silently; the HTTP-conformant reply would be
# "return 405;" with an Allow header. Blocking OPTIONS also breaks CORS
# preflight if the site relies on it.
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}
Block specific User-Agents:
# Reject requests whose User-Agent matches the listed patterns
# (case-insensitive, unanchored substring match). BadBot1/BadBot2 are
# placeholders. The header is client-supplied, so this only stops clients
# that identify themselves honestly; treat it as noise reduction, not access control.
if ($http_user_agent ~* (BadBot1|BadBot2)) {
return 403;
}
Deny access for specific referers:
# Reject requests whose Referer matches the listed patterns
# (case-insensitive, unanchored substring match). spamdomain1/spamdomain2
# are placeholders. Like User-Agent, Referer is client-supplied and easily
# omitted, so this only deters referrer spam rather than enforcing anything.
if ( $http_referer ~* (spamdomain1|spamdomain2) ) {
return 403;
}
Mitigate clickjacking attacks:
# Only same-origin pages may embed this site in a frame. Modern browsers
# prefer the CSP frame-ancestors directive over this header; keep both for
# older clients. Add "always" after the value if the header must also be
# sent on error responses.
# NOTE: add_header is inherited from the enclosing level only when the
# current level declares no add_header of its own, so a location block with
# its own add_header silently drops this one unless it is repeated there.
add_header X-Frame-Options SAMEORIGIN;
Disable MIME type sniffing in browsers:
# Tell browsers to trust the declared Content-Type instead of sniffing the
# body, so a user-uploaded file served as text/plain is not executed as
# script. Only effective if responses carry a correct Content-Type.
add_header X-Content-Type-Options nosniff;
Enable Cross-site scripting (XSS) filter:
# Legacy browser XSS-auditor toggle, kept as the author configured it.
# NOTE(review): the auditor has been removed from current Chromium-based
# browsers and was never in Firefox, and OWASP now recommends "0"
# (disabled) because the filter itself has been abused to leak information;
# the Content-Security-Policy header is the supported mitigation.
add_header X-XSS-Protection "1; mode=block";
Enforce HTTPS-only connections:
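# HSTS: browsers will use HTTPS only for this host for two years (63072000 s).
# Exactly one add_header: the original pair emitted two
# Strict-Transport-Security headers, and the second placed "always" inside
# the quoted value, where browsers ignore it as an unknown HSTS directive.
# "always" is an add_header flag (nginx >= 1.7.5) so the header is also sent
# on error responses. Put this only in the HTTPS server block: HSTS received
# over plain HTTP is ignored.
# NOTE(review): includeSubDomains covers every subdomain and preload submits
# the domain to the browser preload lists; both are hard to undo, so drop
# preload unless that is intended.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;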
Enable Content Security Policy (CSP):
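# CSP: one policy only. When two Content-Security-Policy headers are sent the
# browser enforces both (a resource must satisfy each), so the original pair
# effectively applied the second list minus *.google.com. The second, stricter
# policy (object-src 'none') is kept; it appears to be the author's revision.
# NOTE(review): 'unsafe-inline' and 'unsafe-eval' permit any inline script and
# eval(), which largely defeats script-src as an XSS mitigation; prefer nonces
# or hashes where the application allows it. No default-src is set, so
# directives not listed (img-src, connect-src, style-src, ...) are unrestricted.
add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googleapis.com *.google-analytics.com *.googletagmanager.com *.google.com cdnjs.cloudflare.com ; frame-src 'self' assets.zendesk.com; object-src 'none'";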
Disable legacy cipher suites:
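# Cipher suites offered for TLS 1.2 and below (TLS 1.3 suites are not
# controlled by this directive). Only one ssl_ciphers may appear per context:
# a second one fails config load with '"ssl_ciphers" directive is duplicate',
# so the older alias-based list is dropped in favour of the explicit one.
# The original list ended in "DHE-RSA-AES256-GCM", which is not a valid
# OpenSSL suite name (OpenSSL ignores unknown names); it is completed to
# DHE-RSA-AES256-GCM-SHA384 here.
# Pair with "ssl_protocols TLSv1.2 TLSv1.3;" so legacy protocol versions
# stay disabled as well — a cipher list alone does not do that.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;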
Remove X-Powered-By Header:
# Strip the upstream's X-Powered-By (framework/version fingerprint) from
# responses relayed via proxy_pass. This only affects proxied responses;
# FastCGI backends need fastcgi_hide_header instead.
proxy_hide_header X-Powered-By;