
10 Tips For Securing Your Nginx Deployment

Written by UpGuard | Nov 24, 2015 6:16:30 AM

According to Web3Techs, Nginx is the second most popular web server platform behind Apache, which is quite a feat considering the latter’s longstanding footprint in this arena. That said, more high performance websites are using Nginx over Apache for content and application delivery services, and its adoption rate has been steadily increasing over the years for good reason: it’s fast (blazingly so), lightweight, and available on all major OS platforms. The following are 10 important tips for hardening your Nginx deployment against the threat of cyber attacks.

1. Disable unused Nginx modules.

Like most web server platforms, Nginx ships with a host of modules, many of which are unnecessary for a given deployment and should therefore be disabled to reduce the attack surface. Because Nginx modules are compiled in, this is done with the configure options when building from source (for example, the --without-... options for modules you do not need).

2. Disable the display of Nginx version number.

By default, the server_tokens directive causes Nginx to display its version number on all automatically generated error pages (e.g., 404 pages) and in the Server response header. This should be disabled by setting `server_tokens off;` in the configuration.

3. Set client buffer size limitations.

Setting buffer size limits for clients helps protect against buffer overflow and oversized-request attacks. Tuning the Nginx configuration directives client_body_buffer_size, client_header_buffer_size, client_max_body_size, and large_client_header_buffers can help to this end.

4. Disable unnecessary HTTP methods.

Typically, the GET, HEAD, and POST methods are required for web operations, while others such as DELETE and TRACE are unnecessary. The appropriate conditions should be added to the ‘server’ section of the Nginx configuration file to block the other methods from being exploited.

5. Disable TRACE and TRACK.

The TRACE and TRACK HTTP methods are used for debugging connections, but can be exploited to intercept visitors’ sensitive data. Disabling these two methods can effectively prevent this from occurring.

6. Install the ModSecurity module.

As its name implies, the ModSecurity module enables better security within Nginx—essentially serving as a web application firewall. It’s therefore highly recommended to install the mod_security module in order to bolster Nginx’s native security.

7. Configure Nginx to include an X-Frame-Options header.

Adding the directive `add_header X-Frame-Options "SAMEORIGIN";` to the server section of your Nginx configuration helps prevent clickjacking attacks by controlling whether the browser may render your pages inside a frame or iframe. Specifically, the browser will render a document in a frame/iframe only if the frame and the parent page share the same origin.

8. Disable older SSL protocols in the Nginx configuration.

By default, Nginx installs with several older SSL protocols exposed, which could leave the server open to a BEAST (Browser Exploit Against SSL/TLS) attack. Older protocols should therefore be disabled for a better security posture. This is accomplished by defining the protocols and ciphers in your web server configuration so that only the newer, more secure protocols are accepted.

9. Modify Nginx web server configuration/SSL for X-XSS protection.

This helps to mitigate cross-site scripting exploits by having Nginx add an X-XSS-Protection header to its responses, which enables the browser’s built-in XSS filter. To accomplish this, add `add_header X-XSS-Protection "1; mode=block";` to your default.conf or ssl.conf file.
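The following server block is an added example (not configuration from the original article) that puts tips 2 through 5 and 7 through 9 together in one place; the hostname, certificate paths and document root are placeholders.

```nginx
# Added example: one hardened server block combining several of the tips above.
# Hostname, certificate paths and document root are placeholders.
server {
    listen 443 ssl;
    server_name example.com;                          # placeholder

    ssl_certificate     /etc/nginx/ssl/example.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/example.key;   # placeholder path

    # Tip 8: accept only current TLS versions (SSLv3 and TLS 1.0 stay off).
    # TLSv1.3 is recognised by Nginx 1.13.0 and later; on older builds list TLSv1.2 alone.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Tip 2: hide the version string on error pages and in the Server header.
    server_tokens off;

    # Tip 3: bound what a client may send so oversized requests are rejected early.
    client_body_buffer_size     16k;
    client_header_buffer_size   1k;
    client_max_body_size        1m;
    large_client_header_buffers 2 4k;

    # Tips 4 and 5: allow only GET, HEAD and POST; TRACE, TRACK, DELETE etc. get 405.
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }

    # Tip 7: permit framing only by pages from the same origin.
    add_header X-Frame-Options "SAMEORIGIN";

    # Tip 9: enable the browser's XSS filter in blocking mode.
    add_header X-XSS-Protection "1; mode=block";

    root /var/www/example;                            # placeholder
    location / {
        try_files $uri $uri/ =404;
    }
}
```

Note that add_header directives are inherited from the server block only by locations that define no add_header of their own, so any location that adds its own header must repeat these two. Run `nginx -t` after editing to check the configuration before reloading.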

10. Stay on top of Nginx updates.

Validating that the software in your environment is properly updated and patched should be a continuous, automated affair, and arguably nowhere is this more critical than in your web infrastructure. In Nginx’s case, this means keeping abreast of security advisories and updates on an ongoing basis.

UpGuard can continuously monitor your Nginx web servers for late breaking vulnerabilities, security gaps, and misconfigurations that could lead to data breaches. Additionally, the platform’s policy-driven validation engine can ensure that the above 10 hardening tips and more have been implemented across your entire environment. Give it a test drive today—it’s free for up to 10 servers.