🌐 Essential Nginx Headers for Requests & Responses

Headers help pass additional information in requests and responses. They can enhance security, manage caching, and provide context to backend servers. Below is a list of commonly used headers in Nginx with their purposes and examples.


🔹 1. Host Header

Purpose: Tells the backend server the domain the user is requesting.

proxy_set_header Host $host;

📌 Explanation:

  • If a user visits example.com, Nginx forwards this as the Host header.
  • This allows the backend to know which domain is being accessed.

🔹 2. X-Real-IP Header

Purpose: Passes the real IP address of the user to the backend server.

proxy_set_header X-Real-IP $remote_addr;

📌 Explanation:

  • If the user’s IP address is 192.168.1.1, this header ensures the backend sees the actual client IP instead of Nginx’s IP.

🔹 3. X-Forwarded-For Header

Purpose: Tracks all IP addresses that handled the request before reaching the backend.

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

📌 Explanation:

  • Useful for logging and tracking the real origin of requests.
  • Helps when multiple proxies are involved.

🔹 4. X-Forwarded-Proto Header

Purpose: Indicates whether the original request was made over HTTP or HTTPS.

proxy_set_header X-Forwarded-Proto $scheme;

📌 Explanation:

  • If the user connects via HTTPS, this header tells the backend that the request is secure.
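The four request headers above are usually set together in one proxy location. The following is an added example (not configuration from the original page) that does exactly that and also shows the caveat that matters for sections 2 and 3: a client can send its own X-Forwarded-For, so the address nginx passes on is only trustworthy if nginx decides which hops it believes. The upstream name `app_backend`, the trusted proxy range `10.0.0.0/8`, and the certificate paths are assumed values for illustration.

```nginx
# Added example, not from the original page. Assumed values: an upstream
# named "app_backend", a trusted front-proxy network of 10.0.0.0/8, and
# placeholder certificate paths. Adjust all three for a real deployment.

upstream app_backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/certs/example.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.com.key;  # placeholder path

    # Only use these three directives (ngx_http_realip_module) when nginx
    # itself sits behind another trusted proxy such as a load balancer.
    # They replace $remote_addr with the last X-Forwarded-For entry that is
    # NOT inside a trusted range, so a client cannot spoof its address just
    # by sending an X-Forwarded-For header of its own. If nginx is the edge,
    # delete them: $remote_addr is then the real TCP peer already.
    set_real_ip_from  10.0.0.0/8;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

    location / {
        proxy_pass http://app_backend;

        # Section 1: the virtual host the client asked for
        proxy_set_header Host $host;
        # Section 2: the client address (corrected by the realip module above)
        proxy_set_header X-Real-IP $remote_addr;
        # Section 3: existing X-Forwarded-For chain with $remote_addr appended
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Section 4: "http" or "https", as seen at this hop
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because `$proxy_add_x_forwarded_for` appends rather than replaces, any values the client sent remain at the front of the list; a backend should therefore read only the rightmost entry (the one nginx appended) or use X-Real-IP, and never the leftmost. The same applies to X-Forwarded-Proto: the backend should treat it as authoritative only when the request provably arrived via this nginx.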

🔹 5. Cache-Control Header

Purpose: Manages browser caching behavior for files served by Nginx.

add_header Cache-Control "public, max-age=3600";

📌 Explanation:

  • Tells browsers to cache files for 1 hour (3600 seconds) to speed up repeated visits.

🔹 6. Content-Type Header

Purpose: Specifies the type of content being served (e.g., HTML, JSON, images).

add_header Content-Type "text/html";

📌 Explanation:

  • Ensures the browser correctly interprets the content type.

🔹 7. X-Content-Type-Options Header

Purpose: Prevents the browser from interpreting files as a different type than declared.

add_header X-Content-Type-Options "nosniff";

📌 Explanation:

  • Improves security by making the browser honor the declared Content-Type, so a file served as an image (for example a .jpg) is always treated as an image and never sniffed as something else.

🔹 8. X-Frame-Options Header

Purpose: Prevents clickjacking attacks by restricting iframe embedding.

add_header X-Frame-Options "SAMEORIGIN";

📌 Explanation:

  • Only allows embedding on the same domain.
  • Prevents malicious sites from loading your site in an iframe.

🔹 9. Strict-Transport-Security (HSTS) Header

Purpose: Forces browsers to always use HTTPS.

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

📌 Explanation:

  • Enforces HTTPS for a year (31536000 seconds) across the domain and its subdomains.

🔹 10. Access-Control-Allow-Origin Header (CORS)

Purpose: Enables Cross-Origin Resource Sharing (CORS) to allow resources to be accessed from other domains.

add_header Access-Control-Allow-Origin "*";

📌 Explanation:

  • Lets any domain (*) access your resources.
  • Useful for APIs or fonts.

🔹 11. Referrer-Policy Header

Purpose: Controls how much referrer information is shared when users navigate from your site.

add_header Referrer-Policy "no-referrer";

📌 Explanation:

  • No referrer information is sent when users click a link.
  • Improves privacy.
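Sections 5 to 11 are response headers, and in nginx they interact in two ways that the one-line snippets do not reveal: `add_header` is only inherited into a `location` that defines no `add_header` of its own, and without the `always` parameter it is omitted from error responses. The block below is an added example (not configuration from the original page) that combines those sections into one server block and handles both caveats. The host `example.com`, the document root `/var/www/example`, the API origin `https://app.example.org`, and the certificate paths are assumed values.

```nginx
# Added example, not from the original page. Assumed values: example.com,
# a static root of /var/www/example, an API consumed from the single origin
# https://app.example.org, and placeholder certificate paths.

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/certs/example.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.com.key;  # placeholder path
    root /var/www/example;

    # Section 6: let nginx derive Content-Type from the file extension via
    # its standard mime.types map. add_header would APPEND a second
    # Content-Type to responses that already carry one.
    include      mime.types;
    default_type application/octet-stream;

    # Sections 7, 8, 9 and 11. "always" makes nginx send the header on
    # 4xx/5xx responses too; without it add_header only applies to
    # 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Referrer-Policy "no-referrer" always;

    # Section 5: cache static assets for one hour.
    location ~* \.(css|js|png|jpg|woff2)$ {
        # CAVEAT: add_header is inherited from the server level only when a
        # block defines NO add_header of its own. This location sets one, so
        # the four security headers must be repeated here or they silently
        # disappear from every static response.
        add_header Cache-Control "public, max-age=3600";
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header Referrer-Policy "no-referrer" always;
    }

    # Section 10: CORS. Naming one known origin instead of "*" keeps browsers
    # from handing this API's responses to arbitrary sites. A concrete origin
    # is also required if the API ever uses cookies or Authorization headers,
    # because browsers refuse Access-Control-Allow-Credentials together with "*".
    location /api/ {
        add_header Access-Control-Allow-Origin "https://app.example.org" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header Referrer-Policy "no-referrer" always;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

A quick check after reloading is to request a missing path (which returns 404) and a static asset and confirm that both responses still carry all four security headers; if the inheritance rule was missed, the static response will show only Cache-Control. Moving the repeated `add_header` lines into a separate file and using `include` in each location keeps the configuration readable without changing this behavior.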

🔹 12. Custom Headers

You can add your own headers to pass custom information.

add_header X-Custom-Header "Hello, World!";

📌 Explanation:

  • This adds a custom header that says "Hello, World!".
  • It can be read by the backend or front-end scripts.

🛠 Real-Life Analogy

Headers are like notes passed along with a message:

➡️ User → Nginx → Backend Server: Headers tell the backend extra details about the user's request (like who they are, where they came from, or how to handle their request).

📌 Example:

  • "Tell the backend the user is connecting securely (HTTPS) and their real IP is 192.168.1.1."

🔹 Host Header → Like writing the recipient’s name on an envelope, so it reaches the right person.
🔹 X-Real-IP Header → Like including a return address, so the receiver knows who sent the letter.
🔹 X-Forwarded-Proto Header → Like marking a letter as “URGENT” to indicate priority (HTTP vs HTTPS).
🔹 Cache-Control Header → Like instructing a librarian to keep a book reserved for a week.
🔹 X-Frame-Options Header → Like setting rules that only certain people can view a private document.

🎯 Using these headers effectively can improve security, performance, and functionality in your Nginx setup!