I have a Node.js application, running on port 8080, with a NGINX server running in front and acting as a caching reverse-proxy.
I want NGINX to cache everything except one page, the dashboard of my application: /dashboard.
Here is my configuration so far:

    server {
        listen 80;
        server_name mydomain.name;

        # SECURITY
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' https://gravatar.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; object-src 'none'";

        ...

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;

        location / {
            add_header X-Proxy-Cache $upstream_cache_status;
            proxy_cache STATIC;
            proxy_pass http://127.0.0.1:8080;
        }

        location /dashboard {
            proxy_pass http://127.0.0.1:8080/dashboard;
        }
    }

Caching seems to be working fine, but the security headers (X-XSS-Protection, Content-Security-Policy, etc.) seem to be only added to /dashboard and not to cached pages like / or /login.
Is there something wrong with my current configuration? What can I do to fix the problem?
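
An added example, not part of the original post: by default nginx inherits `add_header` from the enclosing level only when the current level declares no `add_header` of its own, which matches the symptom described above. This Python check flags blocks that lose parent-level headers that way; the sample config, the simplified lexer and the function names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the configuration in the question.
SAMPLE = r'''
server {
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "default-src 'self'; object-src 'none'";
    location / {
        add_header X-Proxy-Cache $upstream_cache_status;  # only header at this level
        proxy_pass http://127.0.0.1:8080;
    }
    location /dashboard { proxy_pass http://127.0.0.1:8080/dashboard; }
}
'''

# Simplified nginx lexer: quoted strings, structural characters, comments, bare words.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|#[^\n]*|[^\s{};"'#]+''')

def parse(conf):
    """Return every block together with the add_header names it declares itself."""
    root = {"name": "main", "own": [], "parent": None}
    blocks, cur, words = [root], root, []
    for tok in TOKEN.findall(conf):
        if tok.startswith("#"):
            continue  # comment
        if tok == "{":
            cur = {"name": " ".join(words), "own": [], "parent": cur}
            blocks.append(cur)
        elif tok == "}":
            cur = cur["parent"] or root
        elif tok == ";" and len(words) >= 3 and words[0] == "add_header":
            cur["own"].append(words[1])
        words = [] if tok in ("{", "}", ";") else words + [tok]
    return blocks

def effective(block):
    """Headers a level emits: its own if it declares any, otherwise its parent's."""
    while block and not block["own"]:
        block = block["parent"]
    return set(block["own"]) if block else set()

def dropped_headers(conf):
    """Map each block to the parent-level headers its own add_header lines replace."""
    out = {}
    for b in parse(conf):
        lost = effective(b["parent"]) - set(b["own"]) if b["own"] else set()
        if lost:
            out[b["name"]] = sorted(lost)
    return out
```

On the sample, `dropped_headers(SAMPLE)` reports `location /` as losing the three server-level headers, while `location /dashboard`, which declares no `add_header`, keeps them.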