Web Server Security 2026

Nginx Hardening

Enterprise Web Server Security

TLS 1.3, Security Headers, Rate Limiting, ModSecurity, Brotli, OCSP Stapling & CIS Benchmarks

Tags: TLS 1.3, HSTS, CSP, ModSecurity
What is Nginx Hardening?

Nginx hardening covers TLS 1.3 enforcement, security headers, rate limiting and a ModSecurity WAF to secure the web server. The goal is protection against DDoS, XSS and clickjacking attacks.

80% of all Nginx installations ship with insecure default headers.

Nginx Security Basics

Nginx is the most widely used web server worldwide. Misconfiguration leads to data leaks, DDoS susceptibility and compliance violations. This guide shows production-grade hardening.

Risks

  • Weak TLS/SSL
  • Missing Headers
  • No Rate Limiting
  • Version Leakage

Protection

  • TLS 1.3 Only
  • Security Headers
  • Rate Limiting
  • WAF Integration

Compliance

  • PCI DSS
  • SOC 2
  • CIS Benchmark
  • GDPR


TLS 1.3 Konfiguration

nginx.conf - SSL/TLS Hardening

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # (nginx 1.25.1+ deprecates the listen flag in favour of a separate "http2 on;")
    server_name example.com;

    # SSL Certificates
    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # TLS 1.3 Only (Disable older versions). Caveat: clients without TLS 1.3
    # support are refused outright; add TLSv1.2 only if you must still serve them.
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    # TLS 1.3 Ciphersuites (automatic, but explicit for compliance).
    # With OpenSSL, ssl_ciphers has no effect on TLS 1.3 suites; they are set via
    # ssl_conf_command Ciphersuites (nginx 1.19.4+, OpenSSL 1.1.1+).
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;

    # Session Configuration (tickets off: nginx only rotates its ticket key on
    # restart, so long-lived tickets weaken forward secrecy)
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # OCSP Stapling (chain.crt must hold the issuer certificates so the staple can be verified)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/chain.crt;
    resolver 8.8.8.8 1.1.1.1 valid=300s;
    resolver_timeout 5s;

    # Security Headers ("always" also sends them on error responses).
    # Caveat: an add_header in any location block replaces ALL headers inherited
    # from here, so repeat them (e.g. via include) in such locations.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    # CSP frame-ancestors (below) takes precedence in modern browsers; X-Frame-Options covers legacy ones
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy XSS-auditor header; modern browsers ignore it, CSP is the effective control
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # 'unsafe-inline' for script-src largely defeats CSP's XSS protection; prefer nonces or hashes
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;
    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" always;
}

Rate Limiting & DDoS Protection

Rate Limiting Config

# Rate Limit Zones (http block). Keyed on the client address: behind a proxy or CDN
# configure real_ip_header first, otherwise all clients share one key and one bucket.
# rate is the steady-state allowance; 1m of zone stores roughly 16k client states.
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=api:10m rate=100r/m;
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;

# Concurrent connections per client address
limit_conn_zone $binary_remote_addr zone=addr:10m;

server {
    # General rate limiting: burst=20 admits 20 requests above the rate, nodelay
    # serves them immediately instead of queueing them; anything beyond is rejected
    location / {
        limit_req zone=general burst=20 nodelay;
        limit_conn addr 10;
        proxy_pass http://backend;   # backend, api_backend, auth_backend: upstream blocks defined elsewhere
    }

    # API stricter limits
    location /api/ {
        limit_req zone=api burst=10 nodelay;
        proxy_pass http://api_backend;
    }

    # Login very strict (5 per minute plus a burst of 3 absorbs typos but slows password guessing)
    location /login {
        limit_req zone=login burst=3 nodelay;
        proxy_pass http://auth_backend;
    }

    # Return 429 instead of the default 503, so clients and monitoring can tell throttling from outages
    limit_req_status 429;
    limit_conn_status 429;
}
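The simulation below is an added example (not code from the guide or from nginx) that replays the bookkeeping of nginx's limit_req module for one client key, so you can see exactly what the rate, burst and nodelay values above do: excess grows by 1000 milli-requests per request, drains at rate*1000 per second, and a request is rejected with 429 once excess would exceed burst*1000. The traffic patterns are constructed.

```python
def limit_req(rate, burst, nodelay, arrivals_ms, per='s'):
    """Replay nginx's limit_req bookkeeping for ONE client key ($binary_remote_addr).

    rate/burst/per mirror the directives above: (10, 20, True, ..., 's') is
    "rate=10r/s" with "burst=20 nodelay", (5, 3, True, ..., 'm') is the login zone.
    Returns one (time_ms, status, delay_ms) per request; status is 'ok' or '429'
    (this page sets limit_req_status 429).
    """
    milli_rate = rate * 1000 // (60 if per == 'm' else 1)  # milli-requests/s, integer as in nginx
    burst_m = burst * 1000
    excess, last, out = 0, None, []
    for t in arrivals_ms:
        if last is None:
            candidate = 0   # first request creates the zone entry with excess 0
        else:               # drain since the last accepted request, then charge 1000
            candidate = max(excess - milli_rate * (t - last) // 1000 + 1000, 0)
        if candidate > burst_m:
            out.append((t, '429', 0))   # rejected; nginx leaves excess and last untouched
            continue
        excess, last = candidate, t
        delay = 0 if nodelay else excess * 1000 // milli_rate   # queueing time without nodelay
        out.append((t, 'ok', delay))
    return out


def statuses(events):
    """Just the status column of limit_req()'s result."""
    return [s for _, s, _ in events]


if __name__ == '__main__':
    # constructed traffic: 30 requests from one address within the same millisecond
    general = limit_req(10, 20, True, [0] * 30)
    print(statuses(general).count('ok'), 'accepted,', statuses(general).count('429'), 'rejected')
    # login zone: four pass, the fifth is rejected; 12 s later only 996 milli-requests
    # (83/s * 12 s) have drained, so a retry is still rejected, while at 13 s it passes
    print(statuses(limit_req(5, 3, True, [0] * 5 + [12000, 13000], per='m')))
    # without nodelay the same burst is queued and released at the 10 r/s rate
    print([d for _, _, d in limit_req(10, 20, False, [0, 0, 0])])
```

Note the integer arithmetic: 5r/m becomes 83 milli-requests per second, which is why the login retry at exactly 12 s is still rejected.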

ModSecurity WAF Integration

ModSecurity + OWASP CRS

# Build Nginx with the ModSecurity-nginx connector (libmodsecurity v3 must be installed first)
# ./configure --add-module=/path/to/ModSecurity-nginx
# or, as a dynamic module: ./configure --add-dynamic-module=/path/to/ModSecurity-nginx
# and then at the top of nginx.conf: load_module modules/ngx_http_modsecurity_module.so;

server {
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsecurity.conf;

    location / {
        proxy_pass http://backend;
    }
}

# /etc/nginx/modsecurity.conf
# Roll out with "SecRuleEngine DetectionOnly" first and review the audit log;
# switch to On only after CRS false positives for your application are tuned away.
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecResponseBodyAccess On
SecResponseBodyLimit 524288

# Include OWASP CRS (crs-setup.conf sets paranoia level and anomaly-score thresholds)
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

Brotli Compression

Brotli Config (better than gzip)

# http block (needs the ngx_brotli module: build with --add-module=/path/to/ngx_brotli or
# load_module modules/ngx_http_brotli_filter_module.so and ngx_http_brotli_static_module.so)
brotli on;
brotli_comp_level 6;
# Caveat: compressing dynamic responses that mix secrets (session/CSRF tokens) with
# attacker-influenced input enables BREACH-style attacks; limit compression to static content
brotli_types text/plain text/css application/javascript application/json image/svg+xml;

# Static pre-compressed files (server block): brotli_static serves "$uri.br" when it
# exists and the client sends Accept-Encoding: br
location ~ \.(css|js)$ {
    brotli_static on;
    try_files $uri =404;   # $ext is not an nginx variable; brotli_static locates the .br file itself
}

# Compare: gzip vs brotli
# CSS: 14KB → gzip 4KB → brotli 2.5KB
# JS: 50KB → gzip 15KB → brotli 10KB

Nginx Security Assessment

Validate your Nginx configuration against the CIS Benchmarks.
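A small configuration linter, added here as an example (it is not the guide's or any CIS tool's code), that tokenizes an nginx.conf and checks the items this page covers: protocol versions, the security headers from the TLS section, 'unsafe-inline' in CSP, server_tokens, OCSP stapling, limit_req, and the add_header inheritance gotcha. The sample config is constructed.

```python
import re
TOKEN = re.compile(r'#[^\n]*|"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|[{};]|[^\s{};"\'#]+')
WEAK_PROTOCOLS = {'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'}
REQUIRED_HEADERS = ('Strict-Transport-Security', 'X-Content-Type-Options',
                    'X-Frame-Options', 'Referrer-Policy', 'Content-Security-Policy')
SAMPLE = """# constructed sample config, not a real deployment
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'" always;
    location /static/ { add_header Cache-Control "public, max-age=86400"; }
}"""

def parse(conf):
    """Flatten nginx config into (context, directive, args); the tokenizer handles comments, quotes and nesting."""
    out, ctx, args = [], [], []
    for tok in (t for t in TOKEN.findall(conf) if t[0] != '#'):
        if tok == ';':
            if args:
                out.append((tuple(ctx), args[0], args[1:]))
            args = []
        elif tok == '{':
            ctx.append(' '.join(args))   # block name, e.g. 'server' or 'location /static/'
            args = []
        elif tok == '}':
            ctx.pop()
        else:
            args.append(tok[1:-1] if tok[0] in '"\'' else tok)  # drop surrounding quotes
    return out

def audit(conf):
    """Findings for the items on this page; an empty list means every check passed."""
    d, f = parse(conf), []
    protos = {p for _, n, a in d if n == 'ssl_protocols' for p in a}
    if WEAK_PROTOCOLS & protos:
        f.append('weak protocols enabled: ' + ' '.join(sorted(WEAK_PROTOCOLS & protos)))
    hdr = {a[0]: a[1] for _, n, a in d if n == 'add_header' and len(a) > 1}
    f += [f'missing header {h}' for h in REQUIRED_HEADERS if h not in hdr]
    if "'unsafe-inline'" in hdr.get('Content-Security-Policy', ''):
        f.append("CSP allows 'unsafe-inline' (weakens XSS protection)")
    for name, val, msg in (('server_tokens', 'off', 'server_tokens off missing (version leakage)'),
                           ('ssl_stapling', 'on', 'OCSP stapling not enabled'),
                           ('limit_req', None, 'no limit_req applied (no rate limiting)')):
        if not any(n == name and (val is None or a == [val]) for _, n, a in d):
            f.append(msg)
    # nginx gotcha: an add_header inside a location replaces every inherited add_header
    for c in {c for c, n, _ in d if n == 'add_header' and c and c[-1].startswith('location')}:
        if not any(n == 'add_header' and a[:1] == ['Strict-Transport-Security'] for cc, n, a in d if cc == c):
            f.append(f'add_header inside {c[-1]} drops the inherited HSTS header')
    return f
```

Run `audit(open('/etc/nginx/nginx.conf').read())` on a copy of your config (include files are not followed) and treat every returned line as a finding to fix.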
