
NGINX Security Configurations for Web Applications
As a web application owner, securing your site against common attacks such as cross-site scripting (XSS), directory traversal, brute force and protocol-level abuse is crucial. NGINX cannot fix bugs inside the application itself (an SQL injection flaw has to be fixed in the application code), but as the edge component it is the one place where transport security, response headers, rate limits and access rules can be enforced consistently for every backend behind it. In this article, we will discuss 20 essential NGINX security configurations for web applications. Each snippet belongs in the http, server or location context noted; validate every change with nginx -t before reloading.
Table of Contents
- Enabling HTTP Strict Transport Security (HSTS)
- Disabling Server Signature
- Setting Secure Cookie Flags
- Configuring X-Content-Type-Options
- Protecting Against MIME Sniffing Attacks
- Enabling Content Security Policy (CSP)
- Setting Referrer Policy
- Configuring Custom Error Pages
- Restricting Access to Certain Directories
- Implementing Rate Limiting
- Protecting Against HTTP Request Smuggling Attacks
- Enabling SSL/TLS Version Flexibility
- Configuring Secure Connections for Subdomains
- Setting a Minimum TLS Version
- Protecting Against Certificate Revocation Attacks
- Enabling OCSP Stapling
- Configuring Client Certificate Verification
- Implementing IP Blocking
- Setting a Timeout for Idle Connections
- Restricting Protocol Upgrade Support
1. Enabling HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) tells a browser that has seen the header to refuse plain-HTTP connections to your host for max-age seconds, which defeats SSL-stripping man-in-the-middle (MITM) attacks on every visit after the first. To enable HSTS in NGINX, add the following to the HTTPS server block:

```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
```

Browsers ignore the header when it arrives over plain HTTP, so it belongs in the server block that listens on 443, and the port-80 block should do nothing but redirect to HTTPS. The always parameter makes NGINX send the header on error responses too; without it, add_header applies only to 2xx and 3xx responses. includeSubDomains commits every subdomain to HTTPS for a year, so confirm they all have valid certificates before enabling it. The very first visit is still unprotected unless the domain is submitted to the browser preload list, which additionally requires the preload token in the header.
2. Disabling Server Signature
Suppressing the version string stops attackers from matching your server against published vulnerabilities for a specific NGINX release. To disable the server signature in NGINX, add the following configuration in the http context:

```nginx
server_tokens off;
```

This removes the version number from the Server header and from the default error pages, but the header still reads Server: nginx; removing or rewriting it entirely needs the headers-more module or NGINX Plus. Also hide headers that the backend leaks, such as X-Powered-By, with proxy_hide_header. Treat this as hygiene rather than protection: the version can often be fingerprinted from behaviour anyway, so keep NGINX patched regardless.
3. Setting Secure Cookie Flags
The Secure flag stops the browser from sending a cookie over plain HTTP, HttpOnly keeps it out of reach of script, and SameSite limits cross-site sends. add_header Set-Cookie does not achieve this: it emits a meaningless extra Set-Cookie header instead of flagging the real cookies. The application should set the flags itself; where it does not, NGINX (1.19.3 and later) can add them to cookies set by a proxied backend:

```nginx
proxy_cookie_flags ~ secure httponly samesite=lax;
```

The ~ form matches every cookie name (a literal name or a regular expression can be given instead), and the directive rewrites each Set-Cookie header coming from an upstream reached via proxy_pass. It has no effect on cookies set by static responses or by other proxy modules, and samesite=strict is the stronger choice when the site does not need to be entered from cross-site links while logged in.
4. Configuring X-Content-Type-Options
The X-Content-Type-Options header tells browsers to trust the declared Content-Type and not to guess ("sniff") a different one from the body. To configure this header in NGINX, add the following configuration:

```nginx
add_header X-Content-Type-Options nosniff always;
```

Without it, a browser may treat a response served as text/plain or an image type as HTML or script when the body looks like one, which turns an upload endpoint into an XSS vector. nosniff also makes browsers refuse script and stylesheet loads whose declared type does not match. It only helps when the declared type is correct, which is what the next item is about.
5. Protecting Against MIME Sniffing Attacks
MIME sniffing attacks rely on a response whose declared type is missing or wrong, so the browser falls back to guessing from the content. Forcing every response to text/plain with add_header is not the answer: it would break HTML, CSS, scripts and images, and add_header cannot override the Content-Type that NGINX or the backend already set. The real defence is to make sure every response carries an accurate type and to combine that with nosniff:

```nginx
include       mime.types;                # maps file extensions to the correct Content-Type
default_type  application/octet-stream;  # unknown extensions are downloaded, never rendered
charset       utf-8;                     # explicit charset on text types
```

With default_type application/octet-stream, a file NGINX cannot classify is offered as a download instead of being rendered, and the nosniff header stops the browser from second-guessing the declared type. For user-uploaded content, serve it from a separate origin with Content-Disposition: attachment so it can never execute in your site's context.
6. Enabling Content Security Policy (CSP)
A Content Security Policy (CSP) limits where scripts, styles, images and other resources may be loaded from, which blunts cross-site scripting (XSS): an injected inline script, or a script pulled from an attacker-controlled host, is not executed. To enable CSP in NGINX, add the following configuration:

```nginx
add_header Content-Security-Policy "default-src 'self';" always;
```

'self' allows only resources from the same scheme, host and port as the page, and because 'unsafe-inline' is not granted, inline scripts, inline event handlers and inline styles are blocked as well. Most applications need a tailored policy (for example a script-src with nonces or hashes, and explicit img-src or connect-src entries for third-party hosts). Roll it out first as Content-Security-Policy-Report-Only with a report-uri or report-to directive so violations are reported rather than blocked, then switch to the enforcing header.
7. Setting Referrer Policy
The Referrer-Policy header controls how much of the current page's URL is sent in the Referer header when the user follows a link or the page loads a resource. To set this policy in NGINX, add the following configuration:

```nginx
add_header Referrer-Policy no-referrer always;
```

no-referrer sends nothing at all, which is the strictest choice and can break analytics or CSRF checks that compare the Referer. strict-origin-when-cross-origin (the default in current browsers) sends the full URL to same-origin requests, only the origin cross-origin, and nothing on an HTTPS-to-HTTP downgrade, and is usually the better trade-off. What matters is that tokens or session identifiers in query strings never leak to third parties.
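The header directives above interact in a way the individual snippets do not show: add_header is inherited from the server level only when the location level declares no add_header of its own, so a single add_header in a location silently drops every security header set above it. The following configuration, an added example that is not part of the original article (the snippet path, hostnames, certificate paths and upstream name are assumptions), keeps the headers in one include and pulls it into every location that adds a header of its own:

```nginx
# ---- /etc/nginx/snippets/security-headers.conf (assumed path) ----
# add_header is NOT inherited into a block that has its own add_header,
# so this file is included in every such block below.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options    nosniff always;
add_header Content-Security-Policy   "default-src 'self'; frame-ancestors 'none'" always;
add_header Referrer-Policy           strict-origin-when-cross-origin always;

# ---- server block, e.g. /etc/nginx/conf.d/www.conf (assumed path) ----
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/certs/www.example.com.pem;    # assumed paths
    ssl_certificate_key /etc/ssl/private/www.example.com.key;

    include snippets/security-headers.conf;    # applies to every location without its own add_header

    # Cookies set by the backend get Secure/HttpOnly/SameSite even if the app forgot them.
    proxy_cookie_flags ~ secure httponly samesite=lax;
    proxy_hide_header X-Powered-By;            # do not leak the backend's framework

    location / {
        proxy_pass http://app_backend;         # upstream name assumed
    }

    location /downloads/ {
        # This block has its own add_header, so the server-level headers would be lost
        # without re-including the snippet.
        include snippets/security-headers.conf;
        add_header Content-Disposition attachment always;
        default_type application/octet-stream; # never render user-supplied files inline
        root /srv/www;                         # assumed path
    }
}
```

Check the result with curl -I against both a normal page and a path under /downloads/: every header from the snippet must appear in both responses, and any location you add later that uses add_header needs the same include.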
8. Configuring Custom Error Pages
Default error pages reveal the server software and, unless server_tokens is off, its version, and they are an easy fingerprint for scanners. Custom pages give users a consistent response and give attackers nothing. To configure custom error pages in NGINX, add the following configuration to the server block:

```nginx
error_page 404 /404.html;
location = /404.html { internal; }   # reachable only via error_page, never by a direct request
```

This serves a custom 404.html page when a requested resource is not found, while internal stops the page from being fetched directly with a 200 status. Handle 500, 502, 503 and 504 the same way with a single error_page line pointing at a static page. Keep the custom pages static and free of the request path or any other user input, so an error page cannot itself become an XSS vector.
9. Restricting Access to Certain Directories
Some paths under the document root should never be served: configuration files, version control metadata, private data. NGINX normalizes ../ sequences in the URI before matching a location, so classic directory traversal cannot escape the root; what deny all does is make sure that files which do sit on disk under a given prefix are never returned. To restrict access in NGINX, add the following configuration:

```nginx
location ^~ /private/ {
    deny all;
}
```

This prevents users from accessing any resource under the /private/ directory. The ^~ modifier makes this prefix match win over regular-expression locations, and the trailing slash matters: a plain location /private would also match /private-docs or /privateer. deny all answers 403, which confirms that the path exists; return 404 hides it. Give the same treatment to dotfiles (location ~ /\.) and to .git, .env and backup files, and keep secrets outside the web root in the first place so a mistake here cannot expose them.
10. Implementing Rate Limiting
Rate limiting protects login forms, password resets and expensive endpoints against brute force and request floods by bounding how fast one client may make requests. NGINX implements it as a leaky bucket keyed by a variable, normally the client address. limit_req_zone only defines the bucket; on its own it limits nothing, so limit_req must also be applied in the http, server or location block:

```nginx
http {
    limit_req_zone $binary_remote_addr zone=myzone:10m rate=10r/s;
    limit_req zone=myzone burst=20 nodelay;
}
```

This creates a shared-memory zone named myzone that keeps one state per client address, allows 10 requests per second, and lets up to 20 excess requests through immediately (nodelay) before answering 503 (or 429 if limit_req_status is set). Without burst, any two requests closer together than 100 ms would be rejected; without nodelay, the excess requests are queued and served at the configured rate instead of immediately. $binary_remote_addr is used rather than $remote_addr because it is shorter and keeps the zone small. Behind a load balancer, configure the realip module first, or every client shares the balancer's address and therefore one bucket.
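A single site-wide zone is rarely the right granularity: login endpoints need a much stricter limit than page views, and connection counts need a cap of their own. The following configuration, an added example rather than the article's own (zone names, the balancer network and the upstream name are assumptions), applies a lenient global limit plus a strict one on the login endpoint, caps concurrent connections per client, and returns 429 instead of the default 503:

```nginx
http {
    # Behind a load balancer $remote_addr is the balancer, so every client would share one
    # bucket. Recover the real client address first (balancer network assumed).
    set_real_ip_from 10.0.0.0/8;
    real_ip_header   X-Forwarded-For;
    real_ip_recursive on;

    # One bucket per client address; about 16,000 states fit in each megabyte of the zone.
    limit_req_zone  $binary_remote_addr zone=perip:10m rate=10r/s;
    limit_req_zone  $binary_remote_addr zone=login:10m rate=1r/m;
    limit_conn_zone $binary_remote_addr zone=conn:10m;

    limit_req_status  429;    # default 503 is read by monitoring as "backend down"
    limit_conn_status 429;
    limit_req_log_level warn;

    server {
        listen 80;
        server_name www.example.com;

        limit_conn conn 20;   # at most 20 open connections per client address

        location / {
            # Up to 20 requests above the rate are served at once (nodelay); the 21st gets 429.
            # Without nodelay the excess would be queued and drained at 10r/s instead.
            limit_req zone=perip burst=20 nodelay;
            proxy_pass http://app_backend;          # upstream name assumed
        }

        location = /login {
            # Brute-force protection: one attempt per minute per address after a burst of 5,
            # then 429. Combine with application-side lockout and MFA; this is a backstop.
            limit_req zone=login burst=5 nodelay;
            limit_req zone=perip burst=20 nodelay;  # the global limit still applies here
            proxy_pass http://app_backend;
        }
    }
}
```

Test with a loop of curl requests against /login from one address: the first six succeed and the seventh returns 429, and the error log records the rejection at warn level with the zone name, which is what a detection rule should key on.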
11. Protecting Against HTTP Request Smuggling Attacks
HTTP request smuggling happens when a front-end and a back-end disagree about where one request ends and the next begins, typically because one honours Content-Length and the other Transfer-Encoding: chunked. The attacker then prefixes the next user's request with bytes of their choosing. No response header helps here; what protects you is that NGINX re-frames the request itself before forwarding it:

```nginx
proxy_request_buffering on;   # the default: read the whole body, then forward it with fresh framing
```

With request buffering on, NGINX reads and de-chunks the complete body and generates its own Content-Length (or its own chunked framing when the length is unknown) for the upstream, so the backend never sees the client's original framing. Requests that carry both Content-Length and Transfer-Encoding are rejected with 400 in NGINX 1.21.1 and later. Keep NGINX current, leave proxy_request_buffering on for every location that does not strictly need streaming uploads, and do not forward the hop-by-hop Connection and Upgrade headers except in the WebSocket locations that need them (item 20).
12. Enabling SSL/TLS Version Flexibility
SSL/TLS version flexibility means letting clients negotiate among several protocol versions. That is only safe among versions that are themselves safe: offering TLS 1.0 or 1.1 invites protocol downgrade, because an active attacker can push the handshake to the weakest version both sides accept, and those versions have known weaknesses (for example BEAST against TLS 1.0 CBC suites) and are formally deprecated by RFC 8996. The first line is the configuration that is still widely copied and should be replaced by the second:

```nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # weak: TLS 1.0/1.1 are deprecated downgrade targets
ssl_protocols TLSv1.2 TLSv1.3;         # correct: flexibility between 1.2 and 1.3 only
```

Clients and servers still negotiate, but only between TLS 1.2 and 1.3. A few very old clients (Android 4.3 and earlier, Java 7, Windows XP) cannot connect after this change; check your access logs with the $ssl_protocol variable before switching. TLS 1.3 requires NGINX built against OpenSSL 1.1.1 or later.
13. Configuring Secure Connections for Subdomains
A subdomain that still answers on plain HTTP, or that serves a certificate for the wrong name, undoes the HSTS includeSubDomains promise made for the parent domain. To configure this in NGINX, give each subdomain its own HTTPS server block (or cover them all with a wildcard or multi-SAN certificate):

```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name subdomain.example.com;
    ssl_certificate     /etc/ssl/certs/subdomain.example.com.pem;    # paths are placeholders
    ssl_certificate_key /etc/ssl/private/subdomain.example.com.key;
}
```

This serves any resource requested from subdomain.example.com over TLS. Both listen lines are needed: listen [::]:443 alone binds only IPv6 on Linux (ipv6only is on by default), so IPv4 clients would reach whichever other server block listens on 443. ssl_certificate and ssl_certificate_key are mandatory for an ssl listener, and the certificate must list subdomain.example.com in its Subject Alternative Name. Add a matching server block on port 80 that only redirects to HTTPS, and set ssl_protocols and the other TLS directives once in the http context so every subdomain inherits one hardened baseline.
14. Setting a Minimum TLS Version
Setting a minimum TLS version protects against protocol downgrade by refusing to negotiate anything older than a version you trust. To set this in NGINX, add the following configuration in the http or server context:

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
```

ssl_protocols is an allow-list, so the minimum is simply the oldest version listed: this setting accepts TLS 1.2 and 1.3 and refuses SSLv3, TLS 1.0 and 1.1 at the handshake. Pair it with an ssl_ciphers list restricted to forward-secret AEAD suites; for TLS 1.2 that is where the real hardening happens, since TLS 1.3 already permits only such suites. Verify from the outside with openssl s_client -tls1_1 -connect host:443, which must fail.
15. Protecting Against Certificate Revocation Attacks
When a server's private key is compromised, the CA revokes the certificate, but revocation only helps if clients learn about it. Browsers query the CA's OCSP responder to check, and most of them fail open when that query is blocked or slow, which is exactly what an attacker holding the stolen key relies on. OCSP stapling moves the status check to the server: NGINX fetches the signed OCSP response and attaches it to the TLS handshake.

```nginx
ssl_stapling on;
```

Stapling does not decide which certificates NGINX will serve; it hands the client a fresh, CA-signed statement about the certificate's status without the client having to contact the CA, and the client still makes the final decision. A client can only be made to insist on a staple if the certificate carries the OCSP Must-Staple extension (requested from the CA, not configured in NGINX); otherwise a missing staple simply falls back to the usual soft-fail behaviour.
16. Enabling OCSP Stapling
OCSP stapling lets NGINX obtain an OCSP response from the CA's responder, cache it, and include it in every TLS handshake. The directive alone is not enough: NGINX also needs to verify the response and to resolve the responder's hostname. Add the following to the server block:

```nginx
ssl_stapling on;
ssl_stapling_verify on;                             # verify the responder's signature
ssl_trusted_certificate /etc/ssl/certs/chain.pem;   # intermediates and root for that verification (placeholder path)
```

ssl_stapling_verify needs the issuing chain in ssl_trusted_certificate, a PEM bundle of the intermediate and root certificates. NGINX reads the responder URL from the certificate's Authority Information Access field, so a resolver directive must be present in the same context or the lookup fails and no staple is sent. The first connection after startup is served without a staple because the response is fetched in the background; on later connections, openssl s_client -connect host:443 -status should show "OCSP Response Status: successful".
17. Configuring Client Certificate Verification
Client certificate verification (mutual TLS) makes every client prove possession of a private key whose certificate chains to a CA you designate, which defeats credential-based impersonation and is a strong control for admin interfaces, APIs and service-to-service traffic. To configure this in NGINX, add the following configuration to the server block:

```nginx
ssl_client_certificate /etc/ssl/certs/client-ca.pem;   # CA that issues your client certificates (placeholder path)
ssl_verify_client on;
```

ssl_verify_client on without ssl_client_certificate is a configuration error, and the CA file must contain only the CA that issues your client certificates, never a public root bundle, or anyone holding a certificate from those CAs would pass. Every request to the server block then fails with 400 unless a valid chain is presented. ssl_verify_client optional accepts connections without a certificate and exposes the outcome in $ssl_client_verify (SUCCESS, NONE or FAILED:reason), which lets you require a certificate only in chosen locations and pass the subject ($ssl_client_s_dn) to the application. Revoke compromised client certificates with ssl_crl; OCSP stapling covers only the server certificate.
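Items 12 to 17 each show one directive, but a working TLS server block needs them together with the supporting directives the snippets omit: a resolver for the OCSP lookup, the CA bundle for stapling verification, and the client CA for mutual TLS. The following configuration, an added example that is not part of the original article (all file paths, the resolver address and the upstream name are assumptions), combines them and uses ssl_verify_client optional so that a client certificate is demanded only for the /admin/ area:

```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/ssl/certs/www.example.com-fullchain.pem;  # leaf + intermediates (assumed)
    ssl_certificate_key /etc/ssl/private/www.example.com.key;

    # Items 12/14: TLS 1.2 and 1.3 only, forward-secret AEAD suites for 1.2.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;   # TLS 1.3 suites are not governed by ssl_ciphers; let modern clients choose
    ssl_ecdh_curve X25519:prime256v1;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;         # a ticket key that is never rotated undermines forward secrecy

    # Items 15/16: staple the OCSP response and verify it before serving it.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/www.example.com-chain.pem;  # intermediates + root (assumed)
    resolver 127.0.0.53 valid=300s;  # needed to resolve the OCSP responder; local stub resolver assumed
    resolver_timeout 5s;

    # Item 17: accept a client certificate if presented, require it only where it matters.
    ssl_client_certificate /etc/ssl/certs/client-ca.pem;   # the CA issuing client certs (assumed)
    ssl_verify_client optional;
    ssl_verify_depth 2;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://app_backend;                     # upstream name assumed
    }

    location /admin/ {
        # $ssl_client_verify is SUCCESS, NONE or FAILED:<reason>; reject anything but SUCCESS.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_set_header X-Client-DN $ssl_client_s_dn;    # the app must accept this header only from this proxy
        proxy_pass http://app_backend;
    }
}

# Plain HTTP exists only to redirect; nothing is ever served here.
server {
    listen 80;
    listen [::]:80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
```

Because ssl_verify_client is optional, the CA name in ssl_client_certificate is advertised in every handshake but ordinary visitors connect without a certificate; only /admin/ turns the outcome into a 403. Verify with openssl s_client -connect host:443 -status -tls1_1 (must fail) and without -tls1_1 (must show a successful OCSP response status).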
18. Implementing IP Blocking
Blocking addresses keeps known-hostile scanners, abusive clients and whole networks away from the application. geoip_country belongs to the separate GeoIP module and only looks up countries, and set merely assigns a variable; neither blocks anything. Access control in NGINX is done with allow and deny, evaluated in order until the first match:

```nginx
http {
    deny  192.168.0.1;    # a single address; CIDR ranges such as 203.0.113.0/24 also work
    allow all;
}
```

This blocks access to your server from 192.168.0.1 (which receives 403) while admitting everyone else; placed in a location it protects only that path, and a long rule list can be kept in a separate file pulled in with include. For large lists prefer the geo module, which maps ranges to a variable in constant time. Remember that $remote_addr is the address of the TCP peer: behind a load balancer or CDN it is the balancer, and blocking it would take down the site, so configure set_real_ip_from and real_ip_header before relying on address-based rules.
19. Setting a Timeout for Idle Connections
Idle-connection timeouts bound how long a client can hold a worker connection open without sending or receiving anything, which is exactly what slow-rate denial-of-service (DoS) tools such as Slowloris exploit. Five minutes is far too generous; the NGINX default for keep-alive is already 75 seconds and a hardened server should go lower. To set this in NGINX, add the following configuration:

```nginx
keepalive_timeout 15s;        # idle keep-alive connections are closed after 15 seconds
client_header_timeout 10s;    # the full request header must arrive within 10 seconds
```

keepalive_timeout only governs connections that are idle between requests. A slow attacker instead drips the request header or body one byte at a time, which is bounded by client_header_timeout, client_body_timeout (the gap between successive reads, not the whole body) and send_timeout (the gap between successive writes when the client stops reading). Set all of them to a few seconds, enable reset_timedout_connection so timed-out sockets are reset rather than left lingering, and size worker_connections so that one client cannot exhaust the pool.
20. Restricting Protocol Upgrade Support
The HTTP/1.1 Upgrade header lets a client ask to switch the connection to another protocol, in practice WebSocket. Once upgraded, the connection is a raw bidirectional tunnel that bypasses HTTP-level controls such as add_header and limit_req, and an upstream that accepts Upgrade on the wrong path can be driven directly by an attacker. There is no noupgrade directive; the relevant fact is that NGINX speaks HTTP/1.0 to upstreams by default and does not forward the hop-by-hop Upgrade and Connection headers, so upgrades are disabled everywhere unless you enable them. Enable them only in the location that needs them:

```nginx
location /ws/ {
    proxy_pass http://app_backend;                 # upstream name is a placeholder
    proxy_http_version 1.1;
    proxy_set_header Upgrade    $http_upgrade;
    proxy_set_header Connection "upgrade";
}
```

Every other location keeps the default, and an Upgrade header sent by a client is simply dropped, so the backend is never asked to switch protocols there. Keep the upgrade location narrow (no regular-expression catch-all), apply limit_conn to it, and set proxy_read_timeout to the expected lifetime of the socket, or idle WebSocket connections are closed after the default 60 seconds. The usual map $http_upgrade $connection_upgrade pattern sends Connection: upgrade only when the client actually asked for it.
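IP blocking and idle timeouts are only useful when they see the real client address and cover every phase of a slow connection. The following http-context configuration, an added example rather than the article's own (the blocked ranges, the blocklist path, the balancer network and the upstream name are assumptions), builds the blocklist with the geo module, which matches CIDR ranges in constant time, and sets the timeouts that defeat slow-header and slow-body attacks:

```nginx
http {
    # Without this, a load balancer in front makes every client look like one address.
    set_real_ip_from 10.0.0.0/8;            # balancer network (assumed)
    real_ip_header   X-Forwarded-For;
    real_ip_recursive on;

    # geo matches $remote_addr against the table; most specific entry wins, CIDR allowed.
    geo $blocked {
        default         0;
        192.168.0.1     1;                  # the article's example address
        198.51.100.0/24 1;                  # documentation range standing in for a hostile network
        # include /etc/nginx/blocklist.conf;  # one "203.0.113.0/24 1;" per line; assumed path, reloadable
    }

    # Slow-client (Slowloris-style) defences: bound every phase of a connection.
    client_header_timeout 10s;      # whole request header must arrive within 10 s
    client_body_timeout   10s;      # gap between successive body reads, not the whole body
    send_timeout          10s;      # gap between successive writes to a stalled client
    keepalive_timeout     15s;      # idle keep-alive connections are closed after 15 s
    reset_timedout_connection on;   # reset timed-out sockets instead of letting them linger
    client_max_body_size  1m;       # reject oversized bodies before they reach the backend

    server {
        listen 80;
        server_name www.example.com;

        # Evaluated per request; cheaper than a long allow/deny list and safe to reload.
        if ($blocked) {
            return 403;
        }

        location / {
            proxy_pass http://app_backend;  # upstream name assumed
        }
    }
}
```

To confirm the blocklist sees the right address, request the site through the balancer with a spoofed X-Forwarded-For from a non-trusted source address: because set_real_ip_from only trusts the balancer network, the spoofed value must be ignored and the request must not be blocked or unblocked by it.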
By implementing these configurations, you can help protect your server against various types of attacks and keep it secure and stable over time. Test each change with nginx -t before reloading, confirm the result from the outside (curl -I for the headers, openssl s_client for the TLS settings), and revisit the settings whenever NGINX or the application changes: several of the directives above depend on the NGINX version and on the OpenSSL it was built against.