Nginx

Security Commands

Secure your Nginx server with essential security headers, implement IP whitelisting and blacklisting, configure basic authentication, set up CORS policies, and hide server information from attackers.

8 commands

Pro Tips

Hide Nginx version with `server_tokens off;` to prevent version disclosure in error pages and headers.

Add security headers: X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, and Content-Security-Policy.

Use `limit_req_zone` to implement rate limiting and protect against brute force attacks on login pages.

Block malicious IPs with `deny` directives or use ModSecurity WAF module for advanced protection.

Common Mistakes

Basic auth passwords are transmitted in base64 encoding. Always use HTTPS when implementing basic authentication.

Overly restrictive CORS policies can break legitimate frontend applications. Test thoroughly in staging environments.

Commands

Enable basic authentication

$ auth_basic "Restricted"; auth_basic_user_file /etc/nginx/.htpasswd;

Require password for protected areas

Block IP address

$ deny 192.168.1.100; allow all;

Block specific IP from accessing site

CORS headers for API

$ add_header Access-Control-Allow-Origin "https://example.com" always; add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;

Enable cross-origin requests from specific domain

Security headers

$ add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always;

Protect against clickjacking and MIME sniffing

Hide server version

$ server_tokens off;

Remove Nginx version from headers and error pages

Create htpasswd file

$ sudo htpasswd -c /etc/nginx/.htpasswd username

Create password file for basic auth

Limit upload size

$ client_max_body_size 10m;

Restrict maximum request body size

Whitelist IPs only

$ allow 192.168.1.0/24; deny all;

Restrict access to specific IP range