How to Harden Your Nginx Server Config File

This tutorial will give you a couple of steps to take to harden your nginx webserver. nginx is a free, lightweight server, for both windows and Linux, available at .

This tutorial assumes that you have nginx already installed, are at least vaguely familiar with the syntax of the nginx.conf file, and have a server up and running.

Teacher Notes

Teachers! Did you use this instructable in your classroom?
Add a Teacher Note to share how you incorporated it into your lesson.

Step 1: Turn the Server Tokens Off, and Set Some Parameters on Buffer Size.

Turning the server tokens off prevents the web server from divulging which version of nginx you happen to be running. As certain versions may have certain vulnerabilities, this keeps the would-be hacker in the dark about which specific attacks might work in a specific case. Restricting buffer sizes helps prevent buffer overflow attack

To turn server tokens off, Edit nginx.conf to read as follows. This command goes After the http directive, and the default/type command.

server_tokens off;

immediately after this command, we insert the following to restrict buffer sizes:

client_body_buffer_size 1k;

client_header_buffer_size 1k;

client_max_body_size 1k;

large_client_header_buffers 2 1k;

Step 2: Restrict the Http Methods Allowed.

If you only serve static html content, (which I know is rare these days, although it is the most secure method of presenting a website), you do not need the POST method. Typically, servers use the GET method to request information FROM the sever, and POST to submit information TO the sever. Also, we have the HEAD option, which looks at the content's header information without actually using the content in any way, and we have the OPTIONS method, which returns a list of methods available on a given server.

Hackers can use a specially crafted POST request to trick the server into executing code, especially where a POST request wouldn't be expected or need. Similarly, the HEAD and OPTIONS methods may be used to obtain intelligence information to fend of an attack. While the needs of your sever may vary, we assume here that you are serving static content and do not need post, so we will turn all other methods off, except GET.

The command, which goes inside the server directive, is as follows:

if ($request_method !~ ^(GET)$ )


return 444;


Step 3: Summing It Up

To sum things up, we have explained a couple of things you can do to harden your nginx server against attacks, that are often overlooked by new nginx users. Hopefully, you will implement these things on your server. This ends this tutorial.



    • Indoor Lighting Contest

      Indoor Lighting Contest
    • Make It Fly Challenge

      Make It Fly Challenge
    • Growing Beyond Earth Maker Contest

      Growing Beyond Earth Maker Contest