Report this

What is the reason for this report?

How to fix <img src=x onerror=alert(document.domain)> in nginx security config

Posted on July 10, 2026
Ruz

By Ruz

I am having trouble with my nginx security configuration and need help troubleshooting headers. Running Ubuntu 22.04 with nginx 1.18.



This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Heya,

The thing to sort out first is that this isn’t really an nginx problem. That payload running means some user input is getting reflected into your HTML without being escaped, and that’s happening in your application code, not in the header config. No security header will fix a page that echoes raw input back into the DOM, so start by finding where that value gets rendered and make sure it’s HTML-escaped on output. That’s the actual fix.

Where nginx does help is as a second layer. A Content-Security-Policy header like default-src ‘self’ will stop inline event handlers like onerror from firing even if something slips through, and X-Content-Type-Options: nosniff plus X-Frame-Options: SAMEORIGIN are worth setting while you’re in there. Just treat CSP as a safety net behind proper escaping, not the fix itself, because a determined payload can often be shaped around a loose policy.

For a basic reverse proxy to a backend on port 3000, the core of it is a location block like this:

location / {
    proxy_pass http://127.0.0.1:3000;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_connect_timeout 60s;
    proxy_send_timeout 60s;
    proxy_read_timeout 60s;
}

The four X-Forwarded/Host headers are the important part. Without them your backend sees every request as coming from 127.0.0.1 and thinks it’s on plain HTTP, which breaks anything doing redirects or logging real client IPs. If your app uses websockets, add proxy_set_header Upgrade $http_upgrade; and proxy_set_header Connection “upgrade”; in there too.

On timeouts, 60s is a sane default. Only bump proxy_read_timeout higher if you have genuinely long-running requests like large uploads or streaming responses, otherwise you just hold sockets open longer than you need to. Since you’re already on a DigitalOcean VPS, this runs fine on the smallest size for a single backend, so no need to size up for the proxy layer itself.

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Start building today

From GPU-powered inference and Kubernetes to managed databases and storage, get everything you need to build, scale, and deploy intelligent applications.