NGINX Secure Deployment & Hardening Guide — CIS Benchmarks
Intro
NGINX is a free, open-source, high-performance web server, reverse proxy, load balancer, and HTTP cache. It is renowned for its ability to handle thousands of concurrent connections with low memory usage. It acts as a security front-end for web applications and is often used to manage SSL/TLS termination and traffic routing.
Key Features and Functions:
- Web Server: Efficiently serves static content and handles high-traffic websites.
- Reverse Proxy: Intercepts requests and forwards them to backend servers (e.g., Node.js, Python, PHP), providing flexibility and security.
- Load Balancer: Distributes incoming traffic across multiple backend servers to improve performance and reliability.
- Caching: Caches content to reduce latency and server load.
- Security: Acts as a shield, handling encrypted communications and hiding backend server details.
Hardening Guide
Because NGINX often sits at the edge of the environment, it becomes a primary attack surface. Misconfigurations in NGINX regularly lead to:
- Data exposure
- Authentication bypass
- TLS downgrade attacks
- Host compromise via web exploitation
This guide provides a practical, infrastructure-focused hardening reference based on CIS Benchmarks. It explains not only what to configure, but why each control matters, common mistakes, and operational caveats.
1.1.1 — Ensure NGINX is installed (Manual)
Section: Initial Setup / Installation
Severity: Medium
Automation: Manual
· Description:
1.1.1 Ensure NGINX is installed (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
1.2.1 — Ensure package manager repositories are properly configured (Manual)
Section: Initial Setup / Configure Software Updates
Severity: Medium
Automation: Manual
· Description:
1.2.1 Ensure package manager repositories are properly configured (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
1.2.2 — Ensure the latest software package is installed (Manual)
Section: Initial Setup / Configure Software Updates
Severity: Medium
Automation: Manual
· Description:
1.2.2 Ensure the latest software package is installed (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
2.1.1 — Ensure only required dynamic modules are loaded (Manual)
Section: Basic Configuration / Minimize NGINX Modules
Severity: High
Automation: Manual
· Description:
2.1.1 Ensure only required dynamic modules are loaded (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
2.2.1 — Ensure that NGINX is run using a non-privileged, dedicated service account (Manual)
Section: Basic Configuration / Account Security
Severity: Critical
Automation: Manual
· Description:
2.2.1 Ensure that NGINX is run using a non-privileged, dedicated service account (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
2.2.2 — Ensure the NGINX service account is locked (Manual)
Section: Basic Configuration / Account Security
Severity: Medium
Automation: Manual
· Description:
2.2.2 Ensure the NGINX service account is locked (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
2.2.3 — Ensure the NGINX service account has an invalid shell (Manual)
Section: Basic Configuration / Account Security
Severity: Medium
Automation: Manual
· Description:
2.2.3 Ensure the NGINX service account has an invalid shell (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
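An added check for controls 2.2.1 through 2.2.3 (example code, not part of the original guide or the CIS benchmark): it evaluates the service account's passwd and shadow entries against the three requirements. The sample entries are constructed, the account name nginx is an assumption, and reading the real /etc/shadow requires root.

```shell
#!/bin/sh
# Constructed sample lines in /etc/passwd and /etc/shadow format (not taken from a real host).
PASSWD_GOOD='nginx:x:998:996:nginx user:/var/cache/nginx:/usr/sbin/nologin'
SHADOW_GOOD='nginx:!:19000:0:99999:7:::'
PASSWD_BAD='nginx:x:0:0:nginx user:/root:/bin/bash'
SHADOW_BAD='nginx:$6$saltsalt$placeholderhash:19000:0:99999:7:::'   # placeholder hash, not real

# 2.2.1: the account must be a dedicated, non-root user (UID != 0).
account_non_privileged() {
  uid=$(printf '%s\n' "$1" | cut -d: -f3)
  [ -n "$uid" ] && [ "$uid" -ne 0 ]
}

# 2.2.2: a locked account has a shadow password field starting with "!" or "*".
account_locked() {
  pw=$(printf '%s\n' "$1" | cut -d: -f2)
  case "$pw" in
    '!'*|'*'*) return 0 ;;
    *) return 1 ;;
  esac
}

# 2.2.3: the login shell must be a non-interactive one.
account_invalid_shell() {
  shell=$(printf '%s\n' "$1" | cut -d: -f7)
  case "$shell" in
    /usr/sbin/nologin|/sbin/nologin|/bin/false) return 0 ;;
    *) return 1 ;;
  esac
}

# Evaluate all three controls; prints one line per finding and returns 0 only if every check passes.
audit_service_account() {
  passwd_line=$1; shadow_line=$2; rc=0
  account_non_privileged "$passwd_line" || { echo "FAIL 2.2.1: service account has UID 0"; rc=1; }
  account_locked "$shadow_line"         || { echo "FAIL 2.2.2: service account is not locked"; rc=1; }
  account_invalid_shell "$passwd_line"  || { echo "FAIL 2.2.3: service account has an interactive shell"; rc=1; }
  return $rc
}

# On a live host the same functions take the real entries (account name nginx assumed; shadow needs root):
#   audit_service_account "$(getent passwd nginx)" "$(getent shadow nginx)"
```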
2.3.1 — Ensure NGINX directories and files are owned by root (Manual)
Section: Basic Configuration / Permissions and Ownership
Severity: Medium
Automation: Manual
· Description:
2.3.1 Ensure NGINX directories and files are owned by root (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
2.3.2 — Ensure access to NGINX directories and files is restricted (Manual)
Section: Basic Configuration / Permissions and Ownership
Severity: Medium
Automation: Manual
· Description:
2.3.2 Ensure access to NGINX directories and files is restricted (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
2.3.3 — Ensure the NGINX process ID (PID) file is secured (Manual)
Section: Basic Configuration / Permissions and Ownership
Severity: Medium
Automation: Manual
· Description:
2.3.3 Ensure the NGINX process ID (PID) file is secured (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
2.4.1 — Ensure NGINX only listens for network connections on authorized ports (Manual)
Section: Basic Configuration / Network Configuration
Severity: Medium
Automation: Manual
· Description:
2.4.1 Ensure NGINX only listens for network connections on authorized ports (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
2.4.2 — Ensure requests for unknown host names are rejected (Manual)
Section: Basic Configuration / Network Configuration
Severity: Medium
Automation: Manual
· Description:
2.4.2 Ensure requests for unknown host names are rejected (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
2.4.3 — Ensure keepalive_timeout is 10 seconds or less, but not 0 (Manual)
Section: Basic Configuration / Network Configuration
Severity: Medium
Automation: Manual
· Description:
2.4.3 Ensure keepalive_timeout is 10 seconds or less, but not 0 (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
2.4.4 — Ensure send_timeout is set to 10 seconds or less, but not 0 (Manual)
Section: Basic Configuration / Network Configuration
Severity: Medium
Automation: Manual
· Description:
2.4.4 Ensure send_timeout is set to 10 seconds or less, but not 0 (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
2.5.1 — Ensure server_tokens directive is set to `off` (Manual)
Section: Basic Configuration / Information Disclosure
Severity: Medium
Automation: Manual
· Description:
2.5.1 Ensure server_tokens directive is set to `off` (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
2.5.2 — Ensure default error and index.html pages do not reference NGINX (Manual)
Section: Basic Configuration / Information Disclosure
Severity: Medium
Automation: Manual
· Description:
2.5.2 Ensure default error and index.html pages do not reference NGINX (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
2.5.3 — Ensure hidden file serving is disabled (Manual)
Section: Basic Configuration / Information Disclosure
Severity: Medium
Automation: Manual
· Description:
2.5.3 Ensure hidden file serving is disabled (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
2.5.4 — Ensure the NGINX reverse proxy does not enable information disclosure (Manual)
Section: Basic Configuration / Information Disclosure
Severity: Medium
Automation: Manual
· Description:
2.5.4 Ensure the NGINX reverse proxy does not enable information disclosure (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
3.1 — Ensure detailed logging is enabled (Manual)
Section: Logging / Logging
Severity: High
Automation: Manual
· Description:
3.1 Ensure detailed logging is enabled (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
3.2 — Ensure access logging is enabled (Manual)
Section: Logging / Logging
Severity: High
Automation: Manual
· Description:
3.2 Ensure access logging is enabled (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
3.3 — Ensure error logging is enabled and set to the info logging level (Manual)
Section: Logging / Logging
Severity: High
Automation: Manual
· Description:
3.3 Ensure error logging is enabled and set to the info logging level (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
3.4 — Ensure proxies pass source IP information (Manual)
Section: Logging / Logging
Severity: Medium
Automation: Manual
· Description:
3.4 Ensure proxies pass source IP information (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
4.1.1 — Ensure HTTP is redirected to HTTPS (Manual)
Section: Encryption / TLS / SSL Configuration
Severity: Medium
Automation: Manual
· Description:
4.1.1 Ensure HTTP is redirected to HTTPS (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
4.1.2 — Ensure a trusted certificate and trust chain is installed (Manual)
Section: Encryption / TLS / SSL Configuration
Severity: Medium
Automation: Manual
· Description:
4.1.2 Ensure a trusted certificate and trust chain is installed (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
4.1.3 — Ensure private key permissions are restricted (Manual)
Section: Encryption / TLS / SSL Configuration
Severity: High
Automation: Manual
· Description:
4.1.3 Ensure private key permissions are restricted (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
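An added audit helper for the ownership and permission controls 2.3.1, 2.3.2, 2.3.3 and 4.1.3 (example code, not the guide's or the benchmark's own): it compares a path's owner and octal mode against an expected owner and a maximum mode. GNU coreutils stat is assumed, and the maximum modes and the default paths in the comments are assumptions to adjust to your deployment.

```shell
#!/bin/sh
# Ownership and mode checks for 2.3.1, 2.3.2, 2.3.3 and 4.1.3. Assumes GNU coreutils stat.

# Octal permission bits of a path, e.g. 600.
path_mode() { stat -c '%a' "$1"; }

# True when the path is owned by the given user (the controls expect root).
owner_is() { [ "$(stat -c '%U' "$1")" = "$2" ]; }

# True when no permission bit outside MAX is set:
# mode_within FILE 640 accepts 600 and 640 but rejects 644 (world-readable).
mode_within() {
  mode=$(path_mode "$1") || return 1
  [ $(( 0$mode & ~0$2 )) -eq 0 ]     # leading 0 makes the shell treat both as octal
}

# Maximum modes assumed here (tighten further where the deployment allows):
CONF_FILE_MAX=640   # 2.3.2: config files not readable by others, not writable by group
CONF_DIR_MAX=750    # 2.3.2: config directories
PID_FILE_MAX=644    # 2.3.3: PID file readable, but writable only by root
KEY_FILE_MAX=400    # 4.1.3: private key readable only by its owner

# Audit one path against an expected owner and a maximum mode; prints findings, returns 1 on failure.
audit_path() {
  p=$1; want_owner=$2; max=$3; rc=0
  owner_is "$p" "$want_owner" || { echo "FAIL $p: owner is $(stat -c '%U' "$p"), expected $want_owner"; rc=1; }
  mode_within "$p" "$max"     || { echo "FAIL $p: mode $(path_mode "$p") exceeds $max"; rc=1; }
  return $rc
}

# Walk a configuration tree (2.3.1 and 2.3.2): directories against CONF_DIR_MAX, files against
# CONF_FILE_MAX, all expected to belong to OWNER (default root). Assumes paths without whitespace.
audit_conf_tree() {
  root=$1; owner=${2:-root}; rc=0
  for p in $(find "$root"); do
    if [ -d "$p" ]; then
      audit_path "$p" "$owner" "$CONF_DIR_MAX" || rc=1
    else
      audit_path "$p" "$owner" "$CONF_FILE_MAX" || rc=1
    fi
  done
  return $rc
}

# Typical invocation on a host (paths are the usual package defaults; adjust to your install):
#   audit_conf_tree /etc/nginx
#   audit_path /var/run/nginx.pid root "$PID_FILE_MAX"
#   audit_path /etc/ssl/private/server.key root "$KEY_FILE_MAX"
```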
4.1.4 — Ensure only modern TLS protocols are used (Manual)
Section: Encryption / TLS / SSL Configuration
Severity: Critical
Automation: Manual
· Description:
4.1.4 Ensure only modern TLS protocols are used (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
4.1.5 — Disable weak ciphers (Manual)
Section: Encryption / TLS / SSL Configuration
Severity: Critical
Automation: Manual
· Description:
4.1.5 Disable weak ciphers (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
4.1.6 — Ensure awareness of TLS 1.3 new Diffie-Hellman parameters (Manual)
Section: Encryption / TLS / SSL Configuration
Severity: Critical
Automation: Manual
· Description:
4.1.6 Ensure awareness of TLS 1.3 new Diffie-Hellman parameters (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
4.1.7 — Ensure Online Certificate Status Protocol (OCSP) stapling is enabled (Manual)
Section: Encryption / TLS / SSL Configuration
Severity: Medium
Automation: Manual
· Description:
4.1.7 Ensure Online Certificate Status Protocol (OCSP) stapling is enabled (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
4.1.8 — Ensure HTTP Strict Transport Security (HSTS) is enabled (Manual)
Section: Encryption / TLS / SSL Configuration
Severity: Medium
Automation: Manual
· Description:
4.1.8 Ensure HTTP Strict Transport Security (HSTS) is enabled (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
4.1.9 — Ensure upstream server traffic is authenticated with a client certificate (Manual)
Section: Encryption / TLS / SSL Configuration
Severity: Medium
Automation: Manual
· Description:
4.1.9 Ensure upstream server traffic is authenticated with a client certificate (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
4.1.10 — Ensure the upstream traffic server certificate is trusted (Manual)
Section: Encryption / TLS / SSL Configuration
Severity: Medium
Automation: Manual
· Description:
4.1.10 Ensure the upstream traffic server certificate is trusted (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
4.1.11 — Ensure Secure Session Resumption is Enabled (Manual)
Section: Encryption / TLS / SSL Configuration
Severity: Medium
Automation: Manual
· Description:
4.1.11 Ensure Secure Session Resumption is Enabled (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
4.1.12 — Ensure HTTP/3.0 is used (Manual)
Section: Encryption / TLS / SSL Configuration
Severity: Medium
Automation: Manual
· Description:
4.1.12 Ensure HTTP/3.0 is used (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
5.1.1 — Ensure allow and deny filters limit access to specific IP addresses (Manual)
Section: Request Filtering and Restrictions / Access Control
Severity: Medium
Automation: Manual
· Description:
5.1.1 Ensure allow and deny filters limit access to specific IP addresses (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
5.1.2 — Ensure only approved HTTP methods are allowed (Manual)
Section: Request Filtering and Restrictions / Access Control
Severity: Medium
Automation: Manual
· Description:
5.1.2 Ensure only approved HTTP methods are allowed (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
5.2.1 — Ensure timeout values for reading the client header and body are set correctly (Manual)
Section: Request Filtering and Restrictions / Request Limits
Severity: Medium
Automation: Manual
· Description:
5.2.1 Ensure timeout values for reading the client header and body are set correctly (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
5.2.2 — Ensure the maximum request body size is set correctly (Manual)
Section: Request Filtering and Restrictions / Request Limits
Severity: Medium
Automation: Manual
· Description:
5.2.2 Ensure the maximum request body size is set correctly (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
5.2.3 — Ensure the maximum buffer size for URIs is defined (Manual)
Section: Request Filtering and Restrictions / Request Limits
Severity: Medium
Automation: Manual
· Description:
5.2.3 Ensure the maximum buffer size for URIs is defined (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
5.2.4 — Ensure the number of connections per IP address is limited (Manual)
Section: Request Filtering and Restrictions / Request Limits
Severity: Medium
Automation: Manual
· Description:
5.2.4 Ensure the number of connections per IP address is limited (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
5.2.5 — Ensure rate limits by IP address are set (Manual)
Section: Request Filtering and Restrictions / Request Limits
Severity: Medium
Automation: Manual
· Description:
5.2.5 Ensure rate limits by IP address are set (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
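Controls 5.1.1 through 5.2.5 each map to one or two nginx directives, so the audit a configuration-management or SCA job would run is a directive check over nginx.conf. The following Python script is an added example, not code from this guide or from SOCFortress: it scans a constructed sample config for those directives, ignores commented-out lines, and reports which controls fail. The sample values (10 s timeouts, 100K body limit, 2 1k header buffers, the limitperip and ratelimit zones) and the regex patterns are the example's own assumptions, not figures taken from this page.

```python
"""Audit an nginx config for the CIS 5.1.x access-control and 5.2.x request-limit directives."""
import re

# Constructed sample config (not from the page or any real deployment).
SAMPLE_CONF = """
http {
    limit_conn_zone $binary_remote_addr zone=limitperip:10m;
    limit_req_zone  $binary_remote_addr zone=ratelimit:10m rate=5r/s;
    client_body_timeout   10;
    client_header_timeout 10;
    client_max_body_size  100K;
    large_client_header_buffers 2 1k;
    server {
        listen 443 ssl;
        limit_conn limitperip 10;
        limit_req zone=ratelimit burst=10 nodelay;
        location / { limit_except GET HEAD POST { deny all; } }
        location /admin { allow 10.0.0.0/8; deny all; }
    }
}
"""

# Regex per control for the directives it expects to find active.
# Directive names are real nginx directives; the grouping is this example's assumption.
REQUIRED = {
    "5.1.1": [r"\ballow\s+\S+;", r"\bdeny\s+all;"],
    "5.1.2": [r"\blimit_except\s+[A-Z ]+\{"],
    "5.2.1": [r"\bclient_body_timeout\s+\d+;", r"\bclient_header_timeout\s+\d+;"],
    "5.2.2": [r"\bclient_max_body_size\s+\d+[kKmM]?;"],
    "5.2.3": [r"\blarge_client_header_buffers\s+\d+\s+\d+[kK];"],
    "5.2.4": [r"\blimit_conn_zone\s+\$binary_remote_addr", r"\blimit_conn\s+\w+\s+\d+;"],
    "5.2.5": [r"\blimit_req_zone\s+\$binary_remote_addr", r"\blimit_req\s+zone=\w+"],
}

def strip_comments(conf: str) -> str:
    """Drop '#' comments so a commented-out directive does not count as present."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def audit(conf: str) -> dict:
    """Return {control_id: bool}; True when every expected directive is active."""
    text = strip_comments(conf)
    return {cid: all(re.search(p, text) for p in pats) for cid, pats in REQUIRED.items()}

def failing_controls(conf: str) -> list:
    return sorted(cid for cid, ok in audit(conf).items() if not ok)

if __name__ == "__main__":
    for cid, ok in audit(SAMPLE_CONF).items():
        print(f"{cid}: {'PASS' if ok else 'FAIL'}")
```

A presence check like this confirms the directive is configured, not that the value is appropriate for the workload; review the thresholds against expected client behaviour before enforcing them.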
5.3.1 — Ensure X-Content-Type-Options header is configured and enabled (Manual)
Section: Request Filtering and Restrictions / Browser Security
Severity: Medium
Automation: Manual
· Description:
5.3.1 Ensure X-Content-Type-Options header is configured and enabled (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
5.3.2 — Ensure that Content Security Policy (CSP) is enabled and configured properly (Manual)
Section: Request Filtering and Restrictions / Browser Security
Severity: Medium
Automation: Manual
· Description:
5.3.2 Ensure that Content Security Policy (CSP) is enabled and configured properly (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
5.3.3 — Ensure the Referrer Policy is enabled and configured properly (Manual)
Section: Request Filtering and Restrictions / Browser Security
Severity: Medium
Automation: Manual
· Description:
5.3.3 Ensure the Referrer Policy is enabled and configured properly (Manual)
· Security Rationale:
This control reduces attack surface, prevents common exploitation paths, and limits the blast radius of compromise. NGINX frequently operates as an Internet-facing service, making weak defaults especially dangerous.
· Common Misconfigurations:
- Leaving default settings unchanged
- Running with excessive privileges
- Exposing unnecessary modules or listeners
- Weak cryptographic settings
· Recommended Implementation:
Apply this control during initial deployment and enforce continuously through configuration management, regular audits, and automated validation tools such as Wazuh SCA modules or custom scripts.
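Controls 5.3.1 through 5.3.3 are response-header controls, so the most direct check is on what the server actually returns rather than on the config alone. The Python script below is an added example, not code from this guide or from SOCFortress: it parses two constructed HTTP responses and verifies X-Content-Type-Options, Content-Security-Policy and Referrer-Policy. The 404 response deliberately lacks the headers, which is what a client sees when add_header is configured without the always parameter, since nginx otherwise adds headers only to successful and redirect responses. The accepted Referrer-Policy values and the CSP tokens treated as weak are the example's own assumptions.

```python
"""Check HTTP responses for the CIS 5.3.x browser-security headers."""
from email.parser import Parser

# Constructed responses (not captured from any real server). The 404 lacks the
# headers, the symptom of add_header directives configured without 'always'.
RESP_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "\r\n"
)
RESP_404 = "HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"

# Accepted Referrer-Policy values and CSP tokens treated as weak: the example's
# own assumptions, not thresholds taken from the page.
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
WEAK_CSP_TOKENS = ("'unsafe-inline'", "'unsafe-eval'", "*")

def parse_response(raw: str) -> dict:
    """Split a raw HTTP response into its status line and a case-insensitive header map."""
    status, _, header_block = raw.partition("\r\n")
    return {"status": status, "headers": Parser().parsestr(header_block)}

def csp_is_strict(policy: str) -> bool:
    """Require a default-src and no weak tokens in default-src or script-src."""
    directives = {d.split()[0]: d.split()[1:] for d in policy.split(";") if d.strip()}
    if "default-src" not in directives:
        return False
    for name in ("default-src", "script-src"):
        for token in directives.get(name, []):
            if token in WEAK_CSP_TOKENS:
                return False
    return True

def audit_headers(raw: str) -> dict:
    """Return {control_id: bool} for 5.3.1 (nosniff), 5.3.2 (CSP), 5.3.3 (Referrer-Policy)."""
    h = parse_response(raw)["headers"]
    csp = h.get("Content-Security-Policy")
    return {
        "5.3.1": (h.get("X-Content-Type-Options") or "").strip().lower() == "nosniff",
        "5.3.2": csp is not None and csp_is_strict(csp),
        "5.3.3": (h.get("Referrer-Policy") or "").strip().lower() in SAFE_REFERRER,
    }

if __name__ == "__main__":
    for label, raw in (("200", RESP_OK), ("404", RESP_404)):
        print(label, audit_headers(raw))
```

Run the same check against an error page and a redirect as well as a 200 response; a header that only appears on successful responses usually means the always parameter is missing.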
Need Help?
The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.
Website: https://www.socfortress.co/
Contact Us: https://www.socfortress.co/contact_form.html