Is there a way to add some custom code to the nginx.conf file within ISPConfig, as I have just tested my mail server using the website https://www.htbridge.com/websec/ and it gives it a low score regarding the following:

Code:
    SERVER
    The web server discloses its version. This may allow attackers to use known vulnerabilities and conduct further attacks against it.
    Misconfiguration or weakness
    Raw HTTP Header
    Server: nginx/1.10.3

    STRICT-TRANSPORT-SECURITY
    The header was not sent by the server.
    Misconfiguration or weakness

    PUBLIC-KEY-PINS
    The header was not sent by the server.
    Misconfiguration or weakness

    X-FRAME-OPTIONS
    The header was not sent by the server.
    Misconfiguration or weakness

    X-XSS-PROTECTION
    The header was not sent by the server, enabling XSS exploitation if not restricted by the client's browser.
    Misconfiguration or weakness

    X-CONTENT-TYPE-OPTIONS
    The header was not sent by the server.
    Misconfiguration or weakness

    CONTENT-SECURITY-POLICY
    The header was not sent by the server.

I have found some recommendations on the following site: https://gist.github.com/plentz/6737338

Just need to know if they should be entered directly into nginx.conf or admin?
I guess that's up to you. If you want to enable these settings globally, add them in nginx.conf; if you want to enable them for a specific vhost, then add them in that vhost.
If specific vhost, then does it go in the nginx directive in the control panel? Why would the default settings not be as secure as recommended?
The security of the current setup is absolutely fine, there is no need to change something. You just asked how to apply changes to an nginx server that someone else posted on his website and I told you how you can do that. Besides that, nginx is not your mail server, it's the web server, so your questions are about web server configuration and not about mail server security as the title says.
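
The global-versus-vhost choice discussed in the thread, as an added example that is not taken from the thread or the linked gist. It shows the one catch with mixing both levels: nginx inherits `add_header` from the `http` level only when the `server` block defines no `add_header` of its own. `example.com`, the certificate paths and the header values are assumptions to adapt.

```nginx
# Added example; example.com, paths and policy values are placeholders.

http {
    # Global: stop sending the version in the Server header and on
    # error pages (the scan reported "Server: nginx/1.10.3").
    server_tokens off;

    # Global defaults. A vhost inherits these ONLY if it contains
    # no add_header directive of its own.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    server {
        listen 443 ssl;
        server_name example.com;                  # placeholder
        ssl_certificate     /path/to/fullchain.pem;   # placeholder
        ssl_certificate_key /path/to/privkey.pem;     # placeholder

        # Per-vhost headers. Because this block now has add_header
        # lines, the two http-level headers above are no longer
        # inherited here and must be repeated.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;

        # HSTS belongs on HTTPS vhosts only; start with a short
        # max-age while testing, since browsers cache the policy.
        add_header Strict-Transport-Security "max-age=31536000" always;

        # A restrictive starting policy; sites loading scripts or
        # styles from other origins need those origins listed.
        add_header Content-Security-Policy "default-src 'self'" always;

        # Public-Key-Pins is left out on purpose: browsers have
        # removed support for it, and a wrong pin locks visitors out.
    }
}
```

After a reload, `curl -sI https://example.com/` shows which headers the vhost actually sends, which is the quickest way to catch a header lost to the inheritance rule.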