Performance Optimization
Most of this comes down to minimizing the amount of data transferred, one way or another.
Downsizing favicon
This is the simplest.
I simply used ImageMagick to convert the format by running:
convert favicon.ico favicon.png
Then I replaced the old favicon with
mv favicon.png favicon.ico
Browsers sniff the image format rather than trusting the .ico extension, so PNG data served as favicon.ico still works. From 162K of ICO to 6.2K of PNG. Quite a save!
Compression
On the system-wide nginx.conf, I added under http { ... }:
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
I was going to add gzip on; as well, but it was already there.
On the site-specific config, I added under server { ... }:
gzip_static on;
Note that gzip_static does not compress anything itself: it serves a file.gz that already sits next to the original, so static assets have to be compressed ahead of time and recompressed whenever they change. Dynamic output (the PHP responses) is still compressed on the fly by gzip on;. One caveat for sites that are not a read-only blog: compressing responses that mix attacker-influenced input with secrets such as session or CSRF tokens is what the BREACH attack exploits, so those responses should stay uncompressed.
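The precompression step that gzip_static depends on, as an added example that is not part of the original post. It is written in Python so it runs anywhere; the directory layout, file names and the COMPRESSIBLE extension list are assumptions for the demo, and the staleness check (regenerate a .gz only when it is older than its source) is my own choice, not something nginx requires.

```python
import gzip
import os
import shutil
import tempfile
from pathlib import Path

# Text formats worth precompressing; they mirror the gzip_types list above.
# Images and archives are already compressed and are skipped.
COMPRESSIBLE = {".html", ".css", ".js", ".json", ".xml", ".svg", ".txt"}


def precompress(root, level=9):
    """Write <file>.gz next to every compressible file under root.

    gzip_static only serves a .gz that already exists beside the original,
    so this is the step that has to run on every deploy. A .gz that is at
    least as new as its source is left alone; a stale or missing one is
    (re)written. Returns {relative path: (original bytes, gzip bytes)} for
    the files compressed in this run.
    """
    root = Path(root)
    done = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in COMPRESSIBLE:
            continue
        gz_path = path.with_name(path.name + ".gz")
        if gz_path.exists() and gz_path.stat().st_mtime >= path.stat().st_mtime:
            continue
        with open(path, "rb") as src, gzip.open(gz_path, "wb", compresslevel=level) as dst:
            shutil.copyfileobj(src, dst)
        # Give the .gz the source's mtime so the staleness check above keeps
        # working after deploys that preserve timestamps.
        st = path.stat()
        os.utime(gz_path, (st.st_atime, st.st_mtime))
        done[str(path.relative_to(root))] = (st.st_size, gz_path.stat().st_size)
    return done


def demo():
    """Populate a throwaway directory with constructed files and run
    precompress twice. Returns (first run, second run, roundtrip ok)."""
    root = Path(tempfile.mkdtemp(prefix="gzip_static_"))
    (root / "css").mkdir()
    css = root / "css" / "site.css"
    css.write_text("body { margin: 0; }\n" * 200)  # constructed, highly compressible
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(64))  # not a text type
    first = precompress(root)
    second = precompress(root)  # nothing is stale, so nothing is rewritten
    with gzip.open(css.with_name("site.css.gz"), "rb") as f:
        roundtrip_ok = f.read() == css.read_bytes()
    shutil.rmtree(root)
    return first, second, roundtrip_ok


if __name__ == "__main__":
    first, second, ok = demo()
    for rel, (orig, gz) in first.items():
        print(f"{rel}: {orig} -> {gz} bytes")
    print("second run compressed", len(second), "files; roundtrip ok:", ok)
```

Run it from the document root after each deploy (or hook it into whatever copies the files to the server); the .gz files sit beside the originals, which is exactly where gzip_static looks for them.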
Cache Policy
I simply added under the location / { ... } of the site config:
add_header Cache-Control "max-age=31536000";
This tells the browser it may keep a response for up to a year without asking the server again. Two things to keep in mind. First, this header only reaches the static files served directly from location /: try_files hands anything that falls through to /index.php over to the location ~ \.php$ block, and add_header directives are not shared across sibling locations (a location with its own add_header lines inherits none from the levels above it, either). Second, with a year-long max-age a changed stylesheet or script is not picked up by a returning visitor until their cached copy expires, unless the filename changes, for example with a version string or content hash in the name.
Security
This is about making it harder for bad actors to abuse the site. Honestly speaking, there's not much to do here, but it does make for good practice.
Encryption
On the system-wide nginx.conf, I simply ensured that there's this line under http { ... }:
ssl_protocols TLSv1.2 TLSv1.3;
There was actually already a line with the ssl_protocols directive, but it listed some older, insecure TLS versions as well, so I simply took them out. A quick check from the outside after reloading nginx is openssl s_client -connect yourhost:443 -tls1_1, which should now fail the handshake, while the same command with -tls1_2 succeeds.
HTTP Security Headers
Within the server { ... } of the site-specific config, I simply added these under the location ~ \.php$ { ... } scope:
add_header Strict-Transport-Security "preload; max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "sameorigin";
add_header Cross-Origin-Opener-Policy "same-origin";
These are fairly standard, so I'm not going through them in detail. The first is HTTP Strict Transport Security: it tells browsers to use HTTPS only for this host for a year, includeSubDomains extends that to every subdomain, and preload signals that the domain may be submitted to the browsers' built-in HSTS list (which requires exactly that combination of a max-age of at least a year, includeSubDomains and preload). X-Frame-Options: sameorigin stops other sites from embedding the page in a frame (clickjacking), and Cross-Origin-Opener-Policy: same-origin keeps a cross-origin page that opens this one from holding a reference to its window. Neither of the last two has anything to do with Cross-Origin Resource Sharing. Two caveats: because these live in the PHP location, static files served from location / do not get them, and only the HSTS header carries always, so the other two are added only to 2xx and 3xx responses, not to error pages.
I tried adding Content-Security-Policy, but it got kinda complicated, especially with the script-src part, where I actually do have inline scripts.
Adding 'unsafe-inline' practically renders the whole thing useless, and adding a nonce or hash is more trouble than it's worth, and all I have here is my blog, where I'm the only one with write access to the content.
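For a site whose inline scripts are fixed at build time, the hash route is less work than it sounds. The following is an added example and not code from the original post: it pulls every inline <script> out of an HTML document, hashes each body exactly as a browser does (the raw text between the tags, whitespace included), and emits a script-src directive that lists those hashes instead of 'unsafe-inline' (which the final config below still carries). SAMPLE_HTML is a constructed page, not the blog's markup, and the function names are my own.

```python
import base64
import hashlib
from html.parser import HTMLParser


class _InlineScriptCollector(HTMLParser):
    """Collects the verbatim text of every <script> element without a src."""

    def __init__(self):
        super().__init__()
        self._in_inline_script = False
        self._chunks = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not any(name == "src" for name, _ in attrs):
            self._in_inline_script = True
            self._chunks = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            self.scripts.append("".join(self._chunks))


def csp_hash(script_body, algorithm="sha256"):
    """CSP hash-source for one inline script body ('sha256-<base64>').

    CSP allows sha256, sha384 and sha512. The digest covers the exact bytes
    between <script> and </script>, so the body must be taken verbatim.
    """
    digest = hashlib.new(algorithm, script_body.encode("utf-8")).digest()
    return "'" + algorithm + "-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_hashes(html, algorithm="sha256"):
    """Hash sources for every inline script, in document order, deduplicated."""
    parser = _InlineScriptCollector()
    parser.feed(html)
    parser.close()
    hashes = []
    for body in parser.scripts:
        h = csp_hash(body, algorithm)
        if h not in hashes:
            hashes.append(h)
    return hashes


def script_src_directive(html, extra_sources=("'self'",)):
    """script-src directive that allows the page's own inline scripts by
    hash, so 'unsafe-inline' is not needed."""
    return "script-src " + " ".join([*extra_sources, *inline_script_hashes(html)])


# Constructed sample page; the external script must not produce a hash.
SAMPLE_HTML = """<!doctype html>
<html><head><title>blog</title>
<script src="/js/app.js"></script>
<script>console.log('hello');</script>
</head><body>
<script>
  document.title = 'loaded';
</script>
</body></html>"""

if __name__ == "__main__":
    print(script_src_directive(SAMPLE_HTML))
```

Any change to an inline script, including whitespace, changes its hash, so this belongs in the build step that generates the pages. Where inline content varies per response (server-rendered pages that embed request data), per-response nonces are the alternative, and a hash list like this one will not do.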
Miscellaneous
I also added this on the system-wide http { ... }:
server_tokens off;
This hides the nginx version that's running, which I guess could obscure what kind of vulnerabilities can be exploited. In my opinion it's kinda useless, especially since I'm keeping my stuff up to date. Note that it only drops the version number: the Server: nginx header itself is still sent.
Final Result
As such, my nginx.conf has:
. . . .
http {
    . . . .
    server_tokens off;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_protocols TLSv1.2 TLSv1.3;
    . . . .
    gzip on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    . . . .
}
My site config has:
server {
    . . . .
    gzip_static on;
    . . . .
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        add_header Cache-Control "max-age=31536000";
    }
    . . . .
    location ~ \.php$ {
        . . . .
        add_header Strict-Transport-Security "preload; max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "sameorigin";
        add_header Cross-Origin-Opener-Policy "same-origin";
        add_header Content-Security-Policy "default-src 'self'; img-src 'self' i.creativecommons.org licensebuttons.net; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.gstatic.com; script-src 'self' 'unsafe-inline'; ";
    }
    . . . .
}
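As an added example, not part of the original post, here is a small audit script in Python for the two config fragments above. It parses nginx configuration with a minimal tokenizer, applies nginx's documented add_header inheritance rule (a level inherits add_header from its parent only if it defines none itself) to work out which headers each location actually sends, and flags deprecated ssl_protocols values, server_tokens left on, locations that send no HSTS, and security headers without always. It models that one rule rather than invoking nginx; SAMPLE_CONF merges the post's two files into one constructed file, and the location paths and finding texts are my own.

```python
import re

# A token is a quoted string, one of the structural characters { } ; or a run
# of any other non-space characters. Comments are cut per line beforehand.
_TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
SECURITY_HEADERS = {"Strict-Transport-Security", "X-Frame-Options",
                    "Cross-Origin-Opener-Policy", "Content-Security-Policy"}


def parse_nginx(text):
    """Parse nginx config into nested (name, args, children) tuples; children
    is None for a simple directive and a list for a block. Assumes a
    well-formed file with no '#' inside quoted values."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    tokens = _TOKEN_RE.findall(text)
    pos = 0

    def block():
        nonlocal pos
        directives = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):
                tok = tokens[pos]
                words.append(tok[1:-1] if tok[0] in "\"'" else tok)  # drop quotes
                pos += 1
            if tokens[pos] == ";":
                pos += 1
                directives.append((words[0], words[1:], None))
            else:
                pos += 1  # skip '{'
                directives.append((words[0], words[1:], block()))
                pos += 1  # skip '}'
        return directives

    return block()


def find(directives, name, args=None):
    """First directive called name (with exactly these args, if given);
    returns (args, children) or (None, None)."""
    for dname, dargs, children in directives:
        if dname == name and (args is None or dargs == list(args)):
            return dargs, children
    return None, None


def effective_add_headers(tree, *path):
    """Headers sent from the block reached via path, e.g. ("http",),
    ("server",), ("location", "/"). nginx's rule: add_header is inherited
    from the enclosing level only when the current level defines none, so
    the innermost level that has any add_header supplies the whole set."""
    effective, node = [], tree
    for spec in path:
        node = find(node, spec[0], spec[1:])[1]
        if node is None:
            raise KeyError("no block matching %r" % (spec,))
        own = [args for name, args, _ in node if name == "add_header"]
        if own:
            effective = own
    return {args[0]: args[1:] for args in effective}


def audit(text, location_paths):
    """Findings for the http-level TLS/version settings, then for the headers
    each listed location (a path below server) really sends."""
    tree = parse_nginx(text)
    http = find(tree, "http")[1]
    findings = []
    deprecated = sorted(DEPRECATED_PROTOCOLS & set(find(http, "ssl_protocols")[0] or []))
    if deprecated:
        findings.append("ssl_protocols still allows " + ", ".join(deprecated))
    if find(http, "server_tokens")[0] != ["off"]:
        findings.append("server_tokens is not off; the nginx version is sent in the Server header")
    for path in location_paths:
        label = " ".join(path[-1])
        headers = effective_add_headers(tree, ("http",), ("server",), *path)
        if "Strict-Transport-Security" not in headers:
            findings.append(f"{label}: responses carry no HSTS header")
        for name, args in headers.items():
            if name in SECURITY_HEADERS and "always" not in args:
                findings.append(f"{label}: {name} lacks 'always', so error pages omit it")
    return findings


# The post's nginx.conf and site config merged into one constructed file.
SAMPLE_CONF = r"""
http {
    server_tokens off;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_protocols TLSv1.2 TLSv1.3;
    server {
        location / {
            try_files $uri $uri/ /index.php?$query_string;
            add_header Cache-Control "max-age=31536000";
        }
        location ~ \.php$ {
            add_header Strict-Transport-Security "preload; max-age=31536000; includeSubDomains" always;
            add_header X-Frame-Options "sameorigin";
            add_header Cross-Origin-Opener-Policy "same-origin";
            add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'";
        }
    }
}
"""
LOCATIONS = [(("location", "/"),), (("location", "~", r"\.php$"),)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, LOCATIONS):
        print(finding)
```

On the config above it reports that location / sends no HSTS header (the Cache-Control header is all it gets) and that X-Frame-Options, Cross-Origin-Opener-Policy and Content-Security-Policy in the PHP location lack always; the TLS and server_tokens checks pass. The simplest fix for both is to move the security headers up to the server level and repeat them in every location that has its own add_header lines, since that is the only way they are sent from all of them.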