
Showing posts with the label Nginx

Nginx with Naked Domains

That's right, I'm going naked on everything! Non-www and everything lowercase, just to simplify my URLs. If a path couldn't be written out naturally, or takes too long to type, I avoid making it a path; special cases like unique GUID URL parameters are the exception. For sites that have a ton of parameters this is understandable, but for the domains themselves this rule really should be applied. In some cases you might say the path is up to the application, but if the framework doesn't handle it, this is the fallback.

https://superuser.com/questions/432674/nginx-remove-www-from-https
https://www.digitalocean.com/community/tutorials/how-to-redirect-www-to-non-www-with-nginx-on-ubuntu-14-04
http://nginx.org/en/docs/http/server_names.html

Content Security Policy & Best Practices

This article is mostly on configuration with nginx and maybe a little on IIS.

Notes:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
https://csp-evaluator.withgoogle.com
https://securityheaders.io/

Nginx Best Practices Extended

Based on a GitHub gist configuration, which I thought was worth going through piece by piece.
https://gist.github.com/plentz/6737338
https://github.com/BIAndrews/nginx-compliance-config

HTTP/2
https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-with-http-2-support-on-ubuntu-16-04
https://developers.google.com/web/tools/lighthouse/audits/http2
https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis

Avoid If
https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/

SSL Configuration
https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://stackoverflow.com/questions/24594971/how-to-changehide-the-nginx-server-signature

Strict Transport Security (HSTS)
https://hstspreload.org/
https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility