Performance Considerations
While security headers add minimal overhead, optimize their implementation:
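```nginx
# map blocks are declared in the http context.

# Use map for efficient CORS handling:
# $cors_origin is the request's Origin when it matches the allowlist, else empty.
map $http_origin $cors_origin {
    default "";
    ~^https://(www\.)?example\.com$ $http_origin;
}

# Conditional header setting: long-lived caching for static assets only
map $uri $cache_control {
    default "no-cache, no-store, must-revalidate";
    ~*\.(jpg|jpeg|png|gif|ico|css|js)$ "public, max-age=31536000";
}

# add_header is inherited from the enclosing level only when the current
# level defines no add_header of its own.
add_header Cache-Control $cache_control always;
```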
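To check the allowlist before deploying it, the following added example (not part of the original page) models the two `map` blocks in Python and runs constructed inputs through them. It assumes Python's `re` behaves like nginx's PCRE for these simple patterns and models regex entries only; `LOOSE_CORS_MAP` is a constructed counter-example with unescaped dots and no anchors.

```python
import re

# Maps transcribed from the nginx snippet; a value of None means "$http_origin".
CORS_MAP = {"default": "", "rules": [(r"~^https://(www\.)?example\.com$", None)]}
CACHE_MAP = {
    "default": "no-cache, no-store, must-revalidate",
    "rules": [(r"~*\.(jpg|jpeg|png|gif|ico|css|js)$", "public, max-age=31536000")],
}
# Constructed counter-example (not on the page): dots unescaped, no anchors.
LOOSE_CORS_MAP = {"default": "", "rules": [(r"~https://(www.)?example.com", None)]}

def eval_map(nginx_map, source):
    """Approximate nginx map lookup for regex-only maps: first match wins."""
    for pattern, value in nginx_map["rules"]:
        if pattern.startswith("~*"):        # case-insensitive regex entry
            regex, flags = pattern[2:], re.IGNORECASE
        elif pattern.startswith("~"):       # case-sensitive regex entry
            regex, flags = pattern[1:], 0
        else:
            raise ValueError("only regex entries are modelled here")
        if re.search(regex, source, flags): # unanchored search, so ^ and $ matter
            return source if value is None else value
    return nginx_map["default"]

def audit_origins(nginx_map, origins):
    """Return the origins the map would echo back (non-empty result)."""
    return [o for o in origins if eval_map(nginx_map, o) != ""]

# Constructed inputs: two legitimate origins plus look-alikes.
SAMPLE_ORIGINS = [
    "https://example.com",
    "https://www.example.com",
    "http://example.com",                 # wrong scheme
    "https://example.com.attacker.test",  # extra suffix after the host
    "https://wwwXexample.com",            # only matches if the dot is unescaped
    "https://EXAMPLE.com",                # "~" is case-sensitive
    "null",
]

if __name__ == "__main__":
    print("page map echoes: ", audit_origins(CORS_MAP, SAMPLE_ORIGINS))
    print("loose map echoes:", audit_origins(LOOSE_CORS_MAP, SAMPLE_ORIGINS))
    for uri in ("/img/logo.PNG", "/account/settings", "/app.js.map"):
        print(uri, "->", eval_map(CACHE_MAP, uri))
```

The anchored, escaped pattern from the page echoes only the two intended origins, while the loose variant also echoes the suffix and unescaped-dot look-alikes.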
Security headers provide crucial protection against common web vulnerabilities. Regular review and updates ensure they remain effective as your application evolves. The next chapter will explore firewall configuration and fail2ban integration to add network-level security to your web server.

## Firewall Rules and Fail2ban Integration
A properly configured firewall combined with intrusion prevention tools like Fail2ban creates a robust defense against network-based attacks on your web server. This chapter provides comprehensive guidance on implementing firewall rules for Apache and Nginx servers, integrating Fail2ban to automatically block malicious actors, and creating a layered security approach that protects against common threats like brute force attacks, DDoS attempts, and port scanning. We'll cover both UFW and iptables configurations, along with advanced Fail2ban filters tailored for web servers.