How to Harden Your Nginx Server Config File

Introduction: How to Harden Your Nginx Server Config File

This tutorial gives you a couple of steps to take to harden your nginx web server. nginx is a free, lightweight server for both Windows and Linux, available at .

This tutorial assumes that you have nginx already installed, are at least vaguely familiar with the syntax of the nginx.conf file, and have a server up and running.

Step 1: Turn the Server Tokens Off, and Set Some Parameters on Buffer Size.

Turning the server tokens off prevents the web server from divulging which version of nginx you happen to be running. As certain versions may have certain vulnerabilities, this keeps the would-be hacker in the dark about which specific attacks might work in a specific case. Restricting buffer sizes helps prevent buffer overflow attacks.

To turn server tokens off, edit nginx.conf to read as follows. This directive goes inside the http block, after the default_type directive.

server_tokens off;

Immediately after this directive, insert the following to restrict buffer sizes:

client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;

Step 2: Restrict the HTTP Methods Allowed.

If you only serve static HTML content (which I know is rare these days, although it is the most secure method of presenting a website), you do not need the POST method. Typically, clients use the GET method to request information FROM the server, and POST to submit information TO the server. There is also the HEAD method, which retrieves a resource's header information without fetching the content itself, and the OPTIONS method, which returns a list of the methods available on a given server.

Hackers can use a specially crafted POST request to trick the server into executing code, especially where a POST request wouldn't be expected or needed. Similarly, the HEAD and OPTIONS methods may be used to gather information useful in preparing an attack. While the needs of your server may vary, we assume here that you are serving static content and do not need POST, so we will turn all other methods off, except GET.

The directive, which goes inside the server block, is as follows:

# 444 is nginx-specific: close the connection without sending a response
if ($request_method !~ ^(GET)$ ) {
    return 444;
}
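
To confirm that both steps actually landed in the file, the following check parses a config and reports anything that differs from the settings in this tutorial. It is an added example, not part of the original tutorial: `parse`, `audit` and `EXPECTED` are hypothetical names, the sample config is constructed, and the tokenizer is simplified (no quoted strings, no `include` expansion).

```python
import re

# Values taken from Steps 1 and 2 of the tutorial.
EXPECTED = {"server_tokens": "off", "client_body_buffer_size": "1k",
            "client_header_buffer_size": "1k", "client_max_body_size": "1k",
            "large_client_header_buffers": "2 1k"}

# Constructed sample config (an assumption for the demo, not a real server's file).
SAMPLE = """
http {
    server_tokens off;
    client_body_buffer_size 1k;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 1k;
    server {
        if ($request_method !~ ^(GET)$ ) {
            return 444;  # close the connection without a response
        }
    }
}
"""

def parse(conf):
    """Yield (enclosing block headers, name, args); no quoted strings or includes."""
    stack, words = [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf)):
        if tok == ";":
            if words:
                yield tuple(stack), words[0], " ".join(words[1:])
            words = []
        elif tok == "{":
            stack.append(" ".join(words))
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)

def audit(conf):
    """Return findings; an empty list means Steps 1 and 2 are both applied."""
    seen, guarded = {}, False
    for ctx, name, args in parse(conf):
        if name in EXPECTED and ctx[:1] == ("http",):
            seen[name] = args
        if (name, args) == ("return", "444") and "server" in ctx[:-1]:
            guarded |= ctx[-1].startswith("if") and "$request_method" in ctx[-1]
    out = [f"{n}: want '{v}', found '{seen.get(n, 'unset')}'"
           for n, v in EXPECTED.items() if seen.get(n) != v]
    return out if guarded else out + ["no $request_method guard returning 444"]
```
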


Step 3: Summing It Up

To sum up, we have covered a couple of often-overlooked steps that new nginx users can take to harden their server against attacks. Hopefully, you will implement them on your server. This ends this tutorial.
