Nginx security headers for WordPress headless setup


To set security headers for a WordPress headless setup using Nginx, follow these steps:

1. Set the Content-Security-Policy header:
- Stock Nginx has no `security_headers` directive; response headers are set with `add_header`, which may appear in the `http`, `server` or `location` context. Add the CSP to the `http` block (it is then inherited by every `server` block that does not define `add_header` lines of its own) and include the `always` parameter so the header is also sent on error responses such as 404 and 500, which by default it is not:

```nginx
http {
    ...
    add_header Content-Security-Policy "default-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; frame-src 'self';" always;
    ...
}
```

- This restricts the origins from which scripts, styles, images and frames may be loaded[1][2]. Note that `wp-admin` depends on inline scripts and styles, so the policy exactly as written will break the dashboard; relax it for the admin paths (for example with a nonce or hash allow-list) or scope it to the paths the frontend consumes. In a headless deployment the WordPress origin mostly returns JSON, so the CSP matters chiefly for `wp-admin` and for any HTML error pages Nginx serves itself.

2. Set the remaining HTTP headers:
- In the same `http` block, add:

```nginx
http {
    ...
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "0" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer" always;
    ...
}
```

- `X-Frame-Options: SAMEORIGIN` stops other origins from framing the site (clickjacking); the CSP `frame-ancestors` directive is its modern equivalent and can be appended to the policy from step 1. `X-Content-Type-Options: nosniff` prevents browsers from MIME-sniffing a response into a script or stylesheet, and `Referrer-Policy: no-referrer` keeps WordPress URLs out of third-party referrer logs[1][2]. `X-XSS-Protection` is set to `0` rather than the widely copied `1; mode=block`: the browser XSS auditor it controlled has been removed from current browsers, and in older ones the filter could itself be abused to leak page contents, so current guidance is to disable it and rely on CSP. Two Nginx behaviours matter here: `add_header` directives are inherited from the enclosing level only if the current level defines none, so a `location` block that adds even one header must repeat the full set; and without `always` the headers are emitted only for 2xx and 3xx responses.

3. Configure Nginx:
- Configure the `server` block that serves the WordPress installation:

```nginx
server {
    ...
    root /var/www/wordpress;
    index index.php index.html index.htm;
    server_name localhost;
    ...
}
```

- This sets the document root and the index files Nginx tries in order[3]. `localhost` is a placeholder for the real hostname of the WordPress origin. The elided part of the block is where the PHP handler that passes `.php` requests to PHP-FPM goes, along with any `location` blocks for the paths the headless frontend uses (the REST API under `/wp-json/`, and `wp-admin`). Any such `location` block that declares its own `add_header` lines must repeat the full header set from steps 1 and 2, because it no longer inherits them.

4. Configure WordPress:
- Make WordPress generate URLs that match the scheme and host Nginx serves, by defining the site URLs in `wp-config.php`:

```php
define('WP_HOME', 'https://localhost');
define('WP_SITEURL', 'https://localhost');
```

- `WP_SITEURL` is the origin where WordPress itself (`wp-admin`, `wp-json`) is reachable and must match the `server_name` and scheme configured in Nginx, otherwise WordPress redirects to the wrong host or mixes HTTP and HTTPS URLs. In a headless deployment `WP_HOME` is usually set to the public URL of the decoupled frontend instead, so that permalinks and links in REST responses point visitors there[4]. Replace `localhost` with the real hostnames.

5. Test and Verify:
- Validate the configuration with `nginx -t`, reload Nginx, and inspect the response headers with `curl -I`, `wget -S`, or the browser developer tools[1][2]. Check three kinds of response: the home page, a path served by any `location` block that defines its own `add_header` lines (to catch lost inheritance), and a path that returns 404 (headers missing there mean `always` was omitted).
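The following script is an added example for the verification step and is not part of the original article or of Nginx/WordPress. It checks a raw response-header dump in the format `curl -sI <url>` prints for the headers configured in steps 1 and 2, treats a missing header or a legacy `X-XSS-Protection` value as a failure, and can probe a live server for both a 200 and a 404 so that a forgotten `always` shows up. The sample responses are constructed inline; the 404 probe path and the `CHECK_URL` variable are this example's own conventions, not anything Nginx or WordPress defines. It assumes bash with grep, sed, cut and tr; curl is only needed for the live check.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: verify that the headers
# from steps 1-2 actually reach the client. Input is a raw response-header
# dump in the format `curl -sI <url>` prints (CRLF line endings are tolerated).
# Assumes bash plus grep/sed/cut/tr; curl is only needed for check_live.

# Print the value of header $2 found in dump $1 (case-insensitive); empty if absent.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 \
        | cut -d: -f2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Check one response dump. Prints a finding per header and returns 0 only when
# every required header is present with a sane value.
check_headers() {
    local dump="$1" label="$2" rc=0 name value
    for name in Content-Security-Policy X-Frame-Options X-Content-Type-Options Referrer-Policy; do
        value=$(header_value "$dump" "$name")
        if [ -z "$value" ]; then
            echo "[$label] MISSING $name (if this is an error response, add 'always' to add_header)"
            rc=1
        else
            echo "[$label] ok      $name: $value"
        fi
    done
    value=$(header_value "$dump" X-Content-Type-Options)
    if [ -n "$value" ] && [ "$value" != nosniff ]; then
        echo "[$label] WARN    X-Content-Type-Options should be 'nosniff', got '$value'"
        rc=1
    fi
    # Legacy XSS auditor header: absent or '0' is what current guidance wants.
    value=$(header_value "$dump" X-XSS-Protection)
    case "$value" in
        ''|0) ;;
        *) echo "[$label] WARN    X-XSS-Protection is '$value'; set it to '0' and rely on CSP"; rc=1 ;;
    esac
    return "$rc"
}

# Live check: probe the home page and a path that should 404. Headers present
# on the first but absent on the second mean `always` was omitted.
# The 404 probe path is an arbitrary choice of this example.
check_live() {
    local base="$1" rc=0
    check_headers "$(curl -sSI "$base/")" "$base/" || rc=1
    check_headers "$(curl -sSI "$base/this-path-should-not-exist-$$")" "$base/404" || rc=1
    return "$rc"
}

# Constructed sample: a 200 carrying the headers from steps 1-2.
SAMPLE_OK=$(printf '%s\r\n' \
    'HTTP/1.1 200 OK' \
    'Server: nginx' \
    'Content-Type: text/html; charset=UTF-8' \
    "Content-Security-Policy: default-src 'self'; object-src 'none'; script-src 'self'" \
    'X-Frame-Options: SAMEORIGIN' \
    'X-XSS-Protection: 0' \
    'X-Content-Type-Options: nosniff' \
    'Referrer-Policy: no-referrer')

# Constructed sample: a 404 from a config whose add_header lines lacked `always`,
# so nginx dropped every security header on the error response.
SAMPLE_404_NO_ALWAYS=$(printf '%s\r\n' \
    'HTTP/1.1 404 Not Found' \
    'Server: nginx' \
    'Content-Type: text/html')

# Constructed sample: a 200 with the often-copied legacy X-XSS-Protection value.
SAMPLE_LEGACY_XSS=$(printf '%s\r\n' \
    'HTTP/1.1 200 OK' \
    "Content-Security-Policy: default-src 'self'" \
    'X-Frame-Options: SAMEORIGIN' \
    'X-XSS-Protection: 1; mode=block' \
    'X-Content-Type-Options: nosniff' \
    'Referrer-Policy: no-referrer')

check_headers "$SAMPLE_OK" "sample 200" || echo "unexpected: sample 200 should pass"
check_headers "$SAMPLE_404_NO_ALWAYS" "sample 404" || echo "expected failure: headers missing on error response"
check_headers "$SAMPLE_LEGACY_XSS" "sample legacy" || echo "expected failure: legacy X-XSS-Protection"

# Point CHECK_URL at a running server (e.g. CHECK_URL=https://wp.example.test) to probe it live.
if [ -n "${CHECK_URL:-}" ]; then
    check_live "$CHECK_URL"
fi
```

Run it without arguments to see the three constructed samples evaluated, or with `CHECK_URL` set to probe your own WordPress origin; a failure on the 404 probe but not on the home page is the signature of `add_header` lines without `always`, while a failure on only one `location` is the signature of lost inheritance.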

By following these steps, you can set security headers for a WordPress headless setup using Nginx, ensuring a more secure and robust configuration for your web application.

Citations:
[1] https://really-simple-ssl.com/how-to-set-security-headers-on-apache-and-nginx/
[2] https://wordpress.org/support/topic/how-to-set-security-headers-correctly/
[3] https://stackoverflow.com/questions/78337529/unusual-nginx-wordpress-configuration-issues-headless-wordpress-static-site-f
[4] https://forum.hestiacp.com/t/nginx-wordpress-security-headers-part-ii/9278
[5] https://serverfault.com/questions/1093728/configure-nginx-for-wordpress-headless-with-nextjs