With 13% of the overall web server market share, the high performance open source HTTP server Nginx is a rising star in the pantheon of web server heavyweights. Even the most hardcore of Microsoft aficionados are dropping IIS in favor of Nginx in Windows Server environments; for those with stringent performance/speed requirements, Nginx can't be beat. But like all web servers, the fastest growing solution on the market is not without its security shortcomings. The following are the top 10 ways to harden Nginx for Windows.
The Nginx Configuration File (nginx.conf)
Nginx's primary web server configurations reside in the nginx.conf file. This includes many of the security settings for hardening your web server instance, so it's worth getting acquainted with this file. For Windows, the nginx.conf file can be found at [Nginx Installation Directory]/conf/.
10. Disable any HTTP methods not being used.
This can be set in the "server" section of the Nginx configuration. By adding a condition to allow only GET/HEAD/POST methods, less-inocuous methods like TRACE and DELETE are met with a 444 No Response status code.
9. Use the X-Frame-Options header.
By configuring Nginx to use the X-Frame-Options header with the value "SAMEORIGIN," browsers rendering pages inside a <frame> or <iframe> will not be as easily subjected to clickjacking attacks.
8. Disable unwanted Nginx web server modules.
Doing so reduces the attack surface of your web server by restricting operations that could be exploited by attackers, including via automated hacking processes. It's best to determine which modules are to be disabled prior to installation; post-installation, changes will need to be followed by a recompiling of Nginx. Modules are disabled with the configure option during installation.
7. Turn off Nginx server_tokens to prevent data leakage.
Web server 404 pages will typically display some bits of privileged information—in Nginx's case, turning server_tokens off will prevent it from displaying the web server version being used.
6. Set buffer limitations for all clients.
Buffer overflow attacks are frequently employed by cyber criminals to compromise web servers. By setting the appropriate directives in your Nginx configuration file—namely, the client_body_buffer_size, client_header_buffer_size, client_max_body_size, large_client_header_buffers parameters—you can protect against such attacks.
5. Deny specific user-agents or bots from making requests.
This prevents spammers and webscanners from attacking your web server with superfluous requests. To do this, you'll need to write a condition to sniff out certain $http_user_agent values (e.g., Baiduspider, scrapbot) and return a 403 upon match.
4. Add cross-site scripting (XSS) protection to Nginx.
When add_header X-XSS-Protection "1; mode=block"; is included in your configuration file, Nginx will add X-XSS protection to headers to mitigate XSS and clickjacking attacks.
3. Limit the number of connections permitted per IP address.
This essentially prevents client connection leaks and could help in mitigating denial-of-service (DoS) attacks. To do this, set the appropriate values in the limit_conn_zon directive.
2. Enable TLS only and disable SSL.
All versions of SSL have been effectively deemed insecure, so TLS should be used in its place whenever possible. This can be specified in the ssl_protocols parameter (e.g., TLSv1 TLSv1.1 TLSv1.2).
1. Redirect HTTP traffic to HTTPS.
Forcing all connections to use encryption can reduce the chance of snooping and man-in-the-middle (MITM) attacks. Using the directive return 301 https://$server_name$request_uriwill set up permanent URL redirection for all requests made to port 80.
Nginx is arguably the most secure web server out-of-the-box; that said, additional hardening measures such as the 10 aforementioned can boost your website's protection against inevitable cyber attacks. And for staying on top of critical vulnerabilities and security flaws, UpGuard's digital resilience platform offers continuous security monitoring and validation necessary for surviving in today's harsh cyber threat landscape.