Are there some specific parameters that are used to lock down nginx, for example, that might prevent SQL injection or CSS attacks? I have read "Apache Security" and "Preventing Apache Web Attacks" but I am not quite sure how to apply that knowledge to nginx. I would appreciate any suggestions. Thanks
on 2009-02-20 22:23
on 2009-02-20 23:32
on 2009-02-21 01:03
I would generally agree with these statements, especially that the webserver's (nginx, apache) job is to serve content (resources) and that is its job. Even in apache, I am pretty sure there is not some magical compiler setting for web application security. What there generally is (in apache) is the use of a "web application firewall" like mod_security. Currently, there is not such a module in nginx, but you could write one, as it is essentially a filter. If you are using Python with WSGI, there is WSGI middleware that can act in the same capacity. Even with such a thing in place, you should STILL be doing validation application-side, or you leave yourself open to when people get around your web application firewall or it is down (perhaps because you disabled it)! Let's let the webserver serve and the applications, er, apply.
on 2009-02-21 08:20
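The point made in the reply above, as an added example that is not from the thread or from any real WAF product: a minimal WSGI filter in front of an app that still validates and parameterizes on its own, so the app stays correct when the filter is absent. The deny pattern, table and request strings are constructed for the demo.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Hypothetical deny pattern standing in for a "web application firewall" rule.
# It is deliberately crude: rules like this are a second line, not the defence.
SUSPICIOUS = re.compile(r"(--|;|'|<script)", re.IGNORECASE)

def waf_middleware(app):
    """WSGI middleware: reject a request whose query string trips the pattern."""
    def wrapped(environ, start_response):
        if SUSPICIOUS.search(environ.get("QUERY_STRING", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by filter"]
        return app(environ, start_response)
    return wrapped

def make_db():
    """Constructed in-memory table used by the demo application."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

DB = make_db()

def lookup_app(environ, start_response):
    """The application does its own validation and uses a parameterized query,
    so it behaves correctly whether or not the middleware is in front of it."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    raw = params.get("id", [""])[0]
    if not raw.isdecimal():
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"id must be an integer"]
    row = DB.execute("SELECT name FROM users WHERE id = ?", (int(raw),)).fetchone()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [row[0].encode() if row else b"not found"]

def call(app, query):
    """Drive a WSGI app with a constructed GET; return (status, body)."""
    state = {}
    def start_response(status, headers):
        state["status"] = status
    environ = {"REQUEST_METHOD": "GET", "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return state["status"], body.decode()

if __name__ == "__main__":
    print(call(waf_middleware(lookup_app), "id=2--"))  # filter up: 403
    print(call(lookup_app, "id=2--"))                  # filter down: app still says 400
```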
Both of those attack vectors relate to web applications, not web servers. Nginx and apache do their part to make sure any data proxied through them to the web application is well formed. However, it is the application's job, not the web server's, to make sure it behaves correctly in the presence of untrusted data. Cheers, Dave