Forum: NGINX Secure nginx

Announcement (2017-05-07): is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see and for other Rails- und Ruby-related community platforms.
C2582289760ac1c443711b20e53f1d06?d=identicon&s=25 Paul Greenwood (Guest)
on 2009-02-20 22:23
(Received via mailing list)
Is there some specific parameters that are used to lock down nginx for
example that might prevent sql injection or css attacks.  I have read
"Apache Security" and "Preventing Apache Web Attacks" but not quite sure
to apply that knowledge to nginx.  I would appreciate any suggestions.
F28f13d5607639b47a8ce7cf9b71a3cf?d=identicon&s=25 Nuno Magalhães (Guest)
on 2009-02-20 23:32
(Received via mailing list)
On Fri, Feb 20, 2009 at 9:01 PM, Paul Greenwood <>
> Is there some specific parameters that are used to lock down nginx for
> example that might prevent sql injection or css attacks.

From what i've seen, SQL injection, XSS-attacks and alike are all done
by exploiting client-side scripting (Javascript etc) or data entered
by users (into form fields). Avoiding client-side scripting could
mitigate this; as would validating all user input (this one's basic);
and escaping all code that is not part of the markup (ampersand
entities, %-codes for URLs, that sort of stuff - think bb-code). I
think none of this is directly related to the webserver and a big part
of the risk lies with users not knowing how yo use their browsers.

561c2fb6d0c72e0c7bc52b263c7d56c3?d=identicon&s=25 Merlin (Guest)
on 2009-02-21 01:03
(Received via mailing list)
I would generally agree with these statements, especially that the
webserver's (nginx, apache) job is to serve content (resources) and that
its job.  Even in apache, I am pretty sure there is not some magical
compiler setting for web application security.

What there generally is (in apache) is the use of a "web application
firewall" like mod_security.  Currently, there is not such a module in
NginX, but you could write one, as it is essentially a filter.  If you
using Python with WSGI there is WSGI middleware that can act in the same
capacity.  Even with such a thing in place, you should STILL be doing
validation application side or you leave yourself open to when people
around your web application firewall or it is down (perhaps because you
disabled it)!

Let's let the webserver serve and the applications, er, apply.
Fda08117336cfde6562315df04b976e8?d=identicon&s=25 Dave Cheney (Guest)
on 2009-02-21 08:20
(Received via mailing list)
Both of those attack vectors relate to web applications, not web
servers. Nginx and apache do their part to make sure any data proxied
through them to the web application is well formed. However it is the
applications job, not the web servers, to make sure it behaves
correctly in the presence of untrusted data.


This topic is locked and can not be replied to.