Setting Security Headers for WordPress Headless Setup with Nginx

To set security headers for a WordPress headless setup using Nginx, follow these steps:

1. Enable Security Headers:
- Enable security headers in your Nginx configuration file. This can be done by adding the following lines to the `http` block:

nginx
     http {
         ...
         security_headers on;
         security_headers "Content-Security-Policy: default-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; frame-src 'self';";
         ...
     }

- This sets the `Content-Security-Policy` header to restrict the sources of content that can be executed within your WordPress site[1][2].

2. Set HTTP Headers:
- Set HTTP headers in your Nginx configuration file. This can be done by adding the following lines to the `http` block:

nginx
     http {
         ...
         add_header X-Frame-Options "SAMEORIGIN";
         add_header X-XSS-Protection "1; mode=block";
         add_header X-Content-Type-Options "nosniff";
         add_header Referrer-Policy "no-referrer";
         add_header Content-Security-Policy "default-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; frame-src 'self';";
         ...
     }

- This sets various HTTP headers to improve security, such as `X-Frame-Options`, `X-XSS-Protection`, `X-Content-Type-Options`, and `Referrer-Policy`[1][2].

3. Configure Nginx:
- Configure Nginx to serve WordPress files. This can be done by adding the following lines to the `server` block:

nginx
     server {
         ...
         root /var/www/wordpress;
         index index.php index.html index.htm;
         server_name localhost;
         ...
     }

- This sets the root directory for WordPress files and specifies the index files to serve[3].

4. Configure WordPress:
- Configure WordPress to use the Nginx configuration. This can be done by adding the following lines to the `wp-config.php` file:

php
     define('WP_HOME', 'https://localhost');
     define('WP_SITEURL', 'https://localhost');

- This sets the home and site URLs for WordPress to use the Nginx configuration[4].

5. Test and Verify:
- Test and verify that the security headers are set correctly by checking the HTTP headers in your browser or using tools like `curl` or `wget`[1][2].

By following these steps, you can set security headers for a WordPress headless setup using Nginx, ensuring a more secure and robust configuration for your web application.

Citations:
[1] https://really-simple-ssl.com/how-to-set-security-headers-on-apache-and-nginx/
[2] https://wordpress.org/support/topic/how-to-set-security-headers-correctly/
[3] https://stackoverflow.com/questions/78337529/unusual-nginx-wordpress-configuration-issues-headless-wordpress-static-site-f
[4] https://forum.hestiacp.com/t/nginx-wordpress-security-headers-part-ii/9278
[5] https://serverfault.com/questions/1093728/configure-nginx-for-wordpress-headless-with-nextjs

Nginx security headers for WordPress headless setup