
Adding response headers (add_header) in Nginx - Cheat Sheet & Quick Revision

Recall & Review
beginner
What does the add_header directive do in nginx?
It adds custom HTTP response headers to the responses sent by the nginx server to clients.
beginner
How do you add a header named X-Frame-Options with value DENY in nginx?
Use the directive:
add_header X-Frame-Options "DENY";
intermediate
Where in the nginx configuration file can you place the add_header directive?
You can place it inside http, server, or location blocks depending on the scope you want the header to apply.
intermediate
What happens if you use add_header inside a location block that overrides a header set in server block?
The header set in the location block will override or add to the headers from the server block for requests matching that location.
beginner
Why might you want to add security headers like Content-Security-Policy using add_header?
To improve security by controlling what resources the browser can load, preventing attacks like cross-site scripting (XSS).
Which nginx directive is used to add a custom response header?
A. add_header
B. set_header
C. header_add
D. response_header
Where can the add_header directive be placed in nginx config?
A. Only inside server block
B. Only inside http block
C. Inside http, server, or location blocks
D. Only inside location block
What is the effect of adding add_header X-Frame-Options "DENY";?
A. Allows the page to be framed by any site
B. Redirects the page to another URL
C. Enables caching of the page
D. Prevents the page from being displayed in a frame or iframe
If you want to add a header only for a specific URL path, where should you put the add_header directive?
A. Inside location block for that path
B. Inside server block
C. In a separate config file
D. Inside http block
What must you do after changing nginx config to apply new headers?
A. Nothing, changes apply automatically
B. Restart or reload nginx
C. Clear browser cache
D. Reinstall nginx
Explain how to add a custom HTTP response header in nginx and where you can place the directive.
Think about the scope of configuration blocks and the directive syntax.
Describe why adding security headers with add_header is important and give an example.
Consider how browsers use headers to control page behavior.

      Practice

      1. What is the main purpose of the add_header directive in nginx?
      easy
      A. To configure server listening ports
      B. To add extra information to HTTP responses
      C. To redirect HTTP requests to HTTPS
      D. To define server root directory

      Solution

      1. Step 1: Understand the role of add_header

        The add_header directive is used to add extra HTTP headers to responses sent by nginx.
      2. Step 2: Compare with other options

        Redirecting requests, configuring ports, and defining root directories are unrelated to adding headers.
      3. Final Answer:

        To add extra information to HTTP responses -> Option B
      4. Quick Check:

        add_header adds headers [OK]
      Hint: Remember: add_header adds info to HTTP responses [OK]
      Common Mistakes:
      • Confusing add_header with redirect directives
      • Thinking add_header sets server ports
      • Assuming add_header changes root directory
      2. Which of the following is the correct syntax to add a custom header named X-Custom-Header with value MyValue in nginx?
      easy
      A. add_header "X-Custom-Header: MyValue";
      B. add_header X-Custom-Header = MyValue;
      C. add_header X-Custom-Header MyValue;
      D. add_header X-Custom-Header => MyValue;

      Solution

      1. Step 1: Recall nginx add_header syntax

        The correct syntax is add_header name value; without extra symbols like = or =>.
      2. Step 2: Validate each option

        add_header X-Custom-Header MyValue; matches the correct syntax. Options A, B, and D use invalid syntax with quotes or symbols.
      3. Final Answer:

        add_header X-Custom-Header MyValue; -> Option C
      4. Quick Check:

        Syntax is add_header name value; [OK]
      Hint: Use simple syntax: add_header name value; [OK]
      Common Mistakes:
      • Putting the header name and value together in one quoted string
      • Using = or => symbols incorrectly
      • Missing semicolon at the end
      3. Given this nginx config snippet inside a server block:
      add_header X-Test "Hello";
      
      location /error {
        return 404;
      }

      What happens when a client requests /error?
      medium
      A. The server throws a configuration error
      B. The response includes header X-Test: Hello with 404 status
      C. The response returns 200 OK with X-Test header
      D. The response returns 404 without X-Test header

      Solution

      1. Step 1: Understand default add_header behavior on errors

        By default, add_header does NOT add headers on error responses like 404.
      2. Step 2: Analyze the config and request

        The location returns 404, so X-Test header is omitted unless always is used.
      3. Final Answer:

        The response returns 404 without X-Test header -> Option D
      4. Quick Check:

        Headers not added on errors without always [OK]
      Hint: Headers need 'always' to appear on error responses [OK]
      Common Mistakes:
      • Assuming headers always appear on error responses
      • Confusing return status with header presence
      • Expecting 200 OK instead of 404
      4. You want to add a security header X-Frame-Options: DENY to all responses including errors. Which nginx config fixes this incorrect snippet?
      add_header X-Frame-Options DENY;

      But headers are missing on 404 pages.
      medium
      A. Change to add_header X-Frame-Options DENY always;
      B. Add always; on a separate line
      C. Use add_header X-Frame-Options DENY on_error;
      D. Move add_header inside error_page block

      Solution

      1. Step 1: Identify why headers are missing on errors

        By default, add_header skips error responses unless always is added.
      2. Step 2: Fix syntax to include headers on all responses

        Adding always on the same line ensures headers appear even on errors.
      3. Final Answer:

        Change to add_header X-Frame-Options DENY always; -> Option A
      4. Quick Check:

        Use 'always' on same line to add headers on errors [OK]
      Hint: Add 'always' on same line to include headers on errors [OK]
      Common Mistakes:
      • Placing 'always' on a separate line
      • Using invalid keywords like 'on_error'
      • Moving add_header inside unrelated blocks
      5. You want to add two headers: Cache-Control: no-store for all responses, and Strict-Transport-Security: max-age=31536000 only for successful responses (status 200-299). Which nginx config achieves this correctly?
      hard
      A. add_header Cache-Control no-store always; add_header Strict-Transport-Security max-age=31536000;
      B. add_header Cache-Control no-store; add_header Strict-Transport-Security max-age=31536000 always;
      C. add_header Cache-Control no-store; add_header Strict-Transport-Security max-age=31536000;
      D. add_header Cache-Control no-store always; add_header Strict-Transport-Security max-age=31536000 always;

      Solution

      1. Step 1: Understand 'always' effect on headers

        The always flag makes headers appear on all responses including errors.
      2. Step 2: Apply 'always' only to Cache-Control

        We want Cache-Control on all responses, so add always there. For Strict-Transport-Security, omit always to restrict to 2xx responses.
      3. Final Answer:

        add_header Cache-Control no-store always; add_header Strict-Transport-Security max-age=31536000; -> Option A
      4. Quick Check:

        'always' for all responses, omit for success-only [OK]
      Hint: Use 'always' only for headers needed on errors [OK]
      Common Mistakes:
      • Adding 'always' to all headers causing unwanted error headers
      • Omitting 'always' for headers needed on errors
      • Misunderstanding which responses get headers without 'always'