Lusca and nginx best practices #89
Comments
Hey @titoesteves! TLDR; I would take advantage of lusca within your app directly for the security policies you mentioned and use nginx above that for SSL, filter, forwarding, etc purposes. It is really common to set up these security policies in lusca middleware via your app explicitly. And with the use of meddleware (middleware via
And then you may see some configuration in nginx to forward the necessary information from the host like:
Of course this just pertains to some of the security policies you mentioned and that lusca can handle. I would go with using lusca in the app for what it provides and then using nginx to filter routes or deal with SSL at that level.
Hey @shaunwarman Thanks for the reply. So it is my understanding that there are no concerns in setting security policies such as csp, csrf, hsts within my application versus setting them in nginx. Is this correct? Also, are there any configuration settings besides those you mentioned that I would have to configure in nginx in order for lusca to work correctly? Thanks in advance.
Hey @titoesteves Sorry for the late reply. It just really depends on the trade-offs in performance and convenience. Nginx is a great reverse proxy able to act on incoming requests to take some of the stress off your node application. But if there is some convenience in altering security configuration directly in your node app then it's up to you.
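The setup described in the replies above, as an added example that is not code from the thread or from the lusca project: lusca applies the policies inside the Express app, nginx in front handles TLS and forwarding, and a small audit function checks that the headers actually reach the client through the proxy. It assumes `express` and `lusca` are installed; the port, the `auditSecurityHeaders` helper and the sample header values are constructed for illustration.

```javascript
// Added example (not from the thread or the lusca project). Assumes `express`
// and `lusca` are installed; nginx terminates TLS and proxies to 127.0.0.1:3000.
function createApp() {
  const express = require('express');
  const lusca = require('lusca');
  const app = express();
  // nginx terminates TLS, so Express only sees plain HTTP from the proxy. Trusting
  // the loopback proxy makes req.secure / req.protocol follow X-Forwarded-Proto.
  app.set('trust proxy', 'loopback');
  // Policies live in the app, as recommended above (csrf omitted: it needs sessions).
  app.use(lusca({
    csp: { policy: { 'default-src': "'self'", 'script-src': "'self'" } },
    hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
    xframe: 'SAMEORIGIN',
    nosniff: true,
  }));
  app.get('/', (req, res) => res.send(`secure=${req.secure}`));
  return app; // createApp().listen(3000, '127.0.0.1') to run behind nginx
}

// Defender-side check (constructed helper): pass the response headers fetched
// through nginx and get back a list of problems; empty means the headers arrived.
function auditSecurityHeaders(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const problems = [];
  const hsts = /max-age=(\d+)/i.exec(h['strict-transport-security'] || '');
  if (!hsts) problems.push('missing HSTS');
  else if (Number(hsts[1]) < 31536000) problems.push('HSTS max-age below one year');
  if (!h['content-security-policy']) problems.push('missing CSP');
  if (!/^(deny|sameorigin)$/i.test(h['x-frame-options'] || '')) {
    problems.push('missing or weak X-Frame-Options');
  }
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    problems.push('missing X-Content-Type-Options');
  }
  // A header emitted by both lusca and an nginx add_header arrives twice and is
  // folded with ", " by Node's http client; flag it so one source is removed.
  for (const name of ['strict-transport-security', 'content-security-policy']) {
    if ((h[name] || '').split(/,\s*/).length > 1) problems.push(`duplicate ${name}`);
  }
  return problems;
}

// Constructed sample of what a correct deployment returns through nginx.
const SAMPLE_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'",
  'X-Frame-Options': 'SAMEORIGIN', 'X-Content-Type-Options': 'nosniff',
};
```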
I currently have a node express app behind an nginx load balancer.
I am curious to know what is the best practice when it comes to setting security policies such as CSP and http security headers such as HSTS? Should they be configured within my express.js application with lusca? Or is it best practice to configure them in nginx?
Does the lusca team recommend setting security in nginx or express application?