This page provides security baseline guidance for NGINX. For detailed hardening configurations, see NGINX Hardening.
- Hide server version information by setting `server_tokens off;`
- Remove or restrict access to server status pages
- Block access to sensitive files (`.git`, `.env`, `.htaccess`)
- Enforce HTTPS/TLS with modern ciphers and valid certificates
- Use TLS 1.2 and TLS 1.3 only (disable SSLv2, SSLv3, TLS 1.0, TLS 1.1)
- Implement HSTS (HTTP Strict Transport Security)
- Configure OCSP stapling for improved TLS handshake performance
- Use strong DH parameters for DHE ciphers
- Set `X-Frame-Options` to prevent clickjacking attacks
- Implement `X-Content-Type-Options` to prevent MIME type sniffing
- Configure Content Security Policy (CSP) headers
- Set `Referrer-Policy` to control referrer information
- Configure `Permissions-Policy` to restrict browser features
- Expose admin interfaces only on trusted management networks
- Restrict sensitive paths (admin, metrics, debug) by source IP and authentication
- Limit HTTP methods to only what’s necessary
- Use `allow` and `deny` directives for IP-based access control
- Use `geo` and `map` modules for advanced access control rules
Request and Rate Limits
- Apply request size limits to reduce abuse risk
- Configure rate limiting with `limit_req` and `limit_conn` modules
- Set appropriate timeout values to prevent slowloris attacks
- Apply request body size limits
- Run service accounts with least privilege and strict file permissions
- Disable unused modules and features to reduce attack surface
- Keep NGINX packages and dependencies updated through controlled patch cycles
- Configure appropriate file permissions for configuration files
Logging and Monitoring
- Enable structured access and error logging
- Forward logs to central logging systems
- Monitor for 4xx/5xx error trends and unusual patterns
- Set up alerts for security events
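The following configuration, added here as an example and not taken from this page or from the NGINX project, applies the checklist items above in one server block. The hostname, certificate and htpasswd paths, the resolver address and the management network range are assumed placeholders.

```nginx
# http{} context: shared zones for limit_req / limit_conn, keyed by client address
limit_req_zone  $binary_remote_addr zone=per_ip:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
resolver 127.0.0.53 valid=300s;   # assumed local resolver; OCSP stapling needs one

server {
    listen 443 ssl;
    http2 on;
    server_name example.com;          # assumed hostname
    server_tokens off;                # hide the version in headers and error pages
    # TLS 1.2/1.3 only, AEAD cipher suites, strong DH group, OCSP stapling
    ssl_certificate         /etc/nginx/tls/fullchain.pem;   # assumed paths
    ssl_certificate_key     /etc/nginx/tls/privkey.pem;
    ssl_trusted_certificate /etc/nginx/tls/chain.pem;
    ssl_dhparam             /etc/nginx/tls/dhparam.pem;     # e.g. openssl dhparam -out dhparam.pem 4096
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_stapling on;
    ssl_stapling_verify on;
    # Security headers; "always" also attaches them to 4xx/5xx responses
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    # Request size, rate and timeout limits (short timeouts blunt slowloris)
    client_max_body_size  1m;
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    limit_req  zone=per_ip burst=20 nodelay;
    limit_conn conn_per_ip 20;
    # Only the methods the application needs; everything else gets 405
    if ($request_method !~ ^(GET|HEAD|POST)$) { return 405; }
    # Dotfiles (.git, .env, .htaccess, ...) are never served
    location ~ /\. { deny all; }
    # Status page: management network only, plus authentication
    location = /nginx_status {
        stub_status;
        allow 10.0.0.0/8;                           # assumed management network
        deny  all;
        auth_basic           "restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;  # assumed path
    }
    location / { root /var/www/html; }
}
```

Validate with `nginx -t` after adapting the placeholders; the `limit_req_zone`, `limit_conn_zone` and `resolver` lines belong in the enclosing `http {}` block, not inside `server {}`.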
Affected Versions: NGINX prior to 1.28.2 (stable) and 1.29.5 (mainline)
Severity: Security vulnerability
Description: This vulnerability could allow an attacker to inject arbitrary bytes in client requests passed to SSL upstream servers, potentially leading to bypassing security restrictions, gaining access to sensitive information, or causing other impacts.
Solution: Upgrade to NGINX 1.28.2 (stable) or 1.29.6+ (mainline) immediately.
Release Date: 2026-02-04 (fixed in 1.28.2/1.29.5), latest mainline 1.29.6 (2026-03-10) includes additional improvements