Configuration
| Property | Value |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-16: CWE CATEGORY: Configuration |
| OWASP | A06:2017 - Security Misconfiguration |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
In Nginx, `add_header` directives are inherited from the enclosing level only when the current level defines none of its own. Defining an `add_header` directive inside a location block therefore discards every `add_header` set in the surrounding server block for that location: only the headers declared in the location are sent. Any security headers set at the server level may be unintentionally dropped or changed for that location.
Impact
Silently dropping security headers weakens protections such as HSTS, CSP, or X-Frame-Options for the affected location, increasing the risk of attacks such as cross-site scripting or clickjacking. This misconfiguration may expose your application to exactly the attacks those headers are meant to prevent, wherever the application relies on the headers being sent consistently.
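The inheritance rule described above, as an added example that is not part of this rule page or of any Nginx tooling: a small Python scanner (a minimal line-based parser written for this demonstration, assuming one server block and no nested locations) that compares a constructed weak configuration with its corrected form and reports the server-level headers a location silently stops sending.

```python
# Added example, not the rule's own checker. Minimal line-based scan of an
# Nginx config; assumes one server block and no nested location blocks.
import re

# Constructed: the server-level security headers are lost for /api/ because
# that location declares an add_header of its own.
WEAK_CONFIG = """
server {
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options DENY always;
    location /api/ {
        add_header Cache-Control "no-store";
    }
}
"""
# Corrected: every server-level header is repeated inside the location (in
# practice, keep the shared headers in one file and include it at both levels).
FIXED_CONFIG = WEAK_CONFIG.replace(
    '        add_header Cache-Control "no-store";',
    '        add_header Strict-Transport-Security "max-age=31536000" always;\n'
    '        add_header X-Frame-Options DENY always;\n'
    '        add_header Cache-Control "no-store";')

_ADD_HEADER = re.compile(r"^add_header\s+(\S+)")

def find_dropped_headers(config):
    """Return {location: [server-level header names that location no longer sends]}."""
    lines = [l.strip() for l in config.splitlines()]
    # Pass 1: add_header outside any location is server-level, wherever it appears.
    server, in_loc = [], False
    for line in lines:
        if line.startswith("location") and line.endswith("{"):
            in_loc = True
        elif line == "}" and in_loc:
            in_loc = False
        elif not in_loc and (m := _ADD_HEADER.match(line)):
            server.append(m.group(1).lower())
    # Pass 2: a location that sets any header sends only what it sets itself;
    # a location with no add_header inherits the server set and is not flagged.
    findings, loc, own = {}, None, []
    for line in lines:
        if line.startswith("location") and line.endswith("{"):
            loc, own = line[len("location"):-1].strip(), []
        elif line == "}" and loc is not None:
            missing = [h for h in server if h not in own]
            if own and missing:
                findings[loc] = missing
            loc = None
        elif loc is not None and (m := _ADD_HEADER.match(line)):
            own.append(m.group(1).lower())
    return findings
```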