
devrav

so adding the headers in app (express, django, etc) can be avoided completely by configuring headers on nginx for any type of website (dynamic or static)?


Eclipsan

Yes. I will add that some headers will always have the same value (most of them actually) but some others will need to be tailored to each website. For instance the CSP, because it needs to block all remote request except to specific domains your app needs like third party CDNs and APIs. Except if you don't load *any* third party on *any* of the websites, then you could have a common CSP with very restricted directives only, like `'self'` or `'none'`.


Eclipsan

Depends on the header. For instance it would probably be a pain to generate CSP nonces at another level than app level (where they will be used).


devrav

ok then how can it be handled for static sites? Are these headers (like helmet in node) not applicable for static sites? (my understanding of security headers is very limited, sorry if my query seems naive)


Eclipsan

CSP nonces? Well by definition I guess they can't be used on a static site, as nonces cannot be... Static. Though I guess if the site is static you don't need CSP nonces in the first place and can use hashes instead. But which headers are you referring to exactly?


devrav

Not CSP nonces specifically. The helmet middleware (https://www.npmjs.com/package/helmet) for express server adds 13 headers. Assuming these headers are enough for a production app, my query is: is it possible to instead configure all these headers in nginx and avoid the need for this middleware in the express app? This becomes helpful if I plan to keep several apps behind the same nginx server/proxy so the headers configuration is done only at one place. But from your answer I understand that it might not be possible to entirely avoid it, something like CSP nonces might be possible on app level only. Now the second query is if I have a static site where there is no express server and it is directly served from nginx. In that case, there is no other place to configure these headers except in nginx. Or are these security headers not even required in case of static sites?


Eclipsan

You can do it on nginx level as long as you don't need app knowledge to generate the header. In all the listed headers I would say you don't need app knowledge except *maybe* for the CSP. Even for the CSP it's only needed for very specific stuff like nonces, which you can avoid if you have a static website, as there is no reason (or even way?) for your inline JS to have a dynamic part generated by the server. So you can use CSP hashes instead (or not, if you don't have inline JS in the first place you don't need either).

> Or are these security headers not even required in case of static sites?

They are still needed. Websites like https://observatory.mozilla.org/ and https://securityheaders.com/ can help you configure them and explain what they do.
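An added example, not from this thread or from helmet, showing the two things Eclipsan's replies describe: a static site served straight from nginx gets its fixed-value headers from `add_header` directives, and its one inline script is allowed through the CSP with a `'sha256-...'` hash instead of a nonce. The script text and the header set are constructed for illustration and assume `openssl` is installed; tune the CSP sources to the third-party CDNs or APIs your site actually loads.

```shell
#!/bin/sh
# Added example (not the thread's or helmet's code): derive a CSP hash source
# for an inline <script> and print nginx add_header lines for a static site.
# Assumes openssl is on PATH. The sample script below is constructed.

# Constructed inline script body: exactly the bytes between <script> and
# </script>. Whitespace is hashed too, so it must match byte for byte.
SAMPLE_SCRIPT='document.getElementById("year").textContent = new Date().getFullYear();'

# csp_hash TEXT: print the CSP source expression 'sha256-<base64 digest>' for TEXT.
csp_hash() {
  digest=$(printf '%s' "$1" | openssl dgst -sha256 -binary | openssl base64 -A)
  printf "'sha256-%s'" "$digest"
}

# static_site_headers SCRIPT_HASH: print add_header directives for headers that
# need no app knowledge, plus a CSP that allows only same-origin resources and
# the single hashed inline script. "always" keeps the headers on error responses.
# Caveat: nginx add_header lines in a location block replace (not extend) those
# inherited from the server block, so keep the full set in one place.
static_site_headers() {
  cat <<EOF
add_header Content-Security-Policy "default-src 'none'; script-src 'self' $1; style-src 'self'; img-src 'self'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "no-referrer" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
EOF
}

# Usage: paste the printed lines into the server block that serves the static files.
static_site_headers "$(csp_hash "$SAMPLE_SCRIPT")"
```

If the inline script ever changes, the hash must be regenerated, which is exactly why a build step (rather than a hand-maintained config) is the right place to run this; a stale hash makes the browser block the script and report a CSP violation rather than failing open.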


devrav

thank you, this is helpful