Nginx-Sicherheitsinspektor

Analysieren Sie Nginx-Konfiguration auf SSL/TLS- und Header-Sicherheitsschwächen

Analyzing Nginx Configuration for Security Weaknesses

Nginx powers over 30% of the world's web servers, making its configuration a critical attack surface. Default Nginx installations expose server version information, allow directory listing, lack security headers, and use permissive SSL/TLS settings that leave sites vulnerable to downgrade attacks. The Nginx Security Inspector analyzes your server configuration blocks to detect misconfigurations that expose your infrastructure to common attacks — from information disclosure to protocol downgrade and path traversal.

The inspector evaluates SSL/TLS protocol versions and cipher suites, security header presence, server token exposure, rate limiting configuration, proxy security settings, and access control patterns. Each finding includes the specific directive location, severity classification, and a corrected configuration snippet. All analysis happens entirely in your browser — your server configuration never leaves your device.

SSL/TLS Configuration Issues

The inspector detects weak SSL/TLS configurations that enable protocol downgrade attacks:

  • SSLv3 / TLS 1.0 / TLS 1.1 enabled: These protocols have known vulnerabilities (POODLE, BEAST) and should be disabled in favor of TLS 1.2 and 1.3
  • Weak cipher suites: Export-grade ciphers, RC4, DES, and NULL ciphers are vulnerable to brute force or known-plaintext attacks
  • Missing OCSP stapling: Without OCSP stapling, browsers make separate requests to verify certificate validity, adding latency and privacy concerns
  • Missing HSTS header: Without Strict-Transport-Security, users can be downgraded to HTTP through SSL stripping attacks

The recommended configuration enables only TLS 1.2+ with strong cipher suites that provide forward secrecy, protecting past session data even if the server's private key is later compromised.

Information Disclosure and Server Hardening

Default Nginx configurations reveal information useful to attackers:

  • server_tokens on: Exposes the exact Nginx version in Server response headers and error pages, enabling targeted CVE exploitation
  • autoindex on: Directory listing enabled exposes file structure, backup files, and potentially sensitive documents
  • Exposed status pages: /nginx_status or /stub_status accessible without authentication reveals connection counts and server load
  • Default error pages: Standard Nginx error pages confirm the server software and version
  • Exposed .git or .env files: Missing location blocks to deny access to sensitive dot-files

The inspector flags each disclosure vector and provides the specific deny directives needed to close these information leaks.

Rate Limiting and Access Control

Missing rate limiting leaves servers vulnerable to brute force and denial-of-service attacks:

  • No rate limiting zones: Without limit_req_zone directives, every endpoint accepts unlimited requests
  • Missing connection limits: No limit_conn allows single clients to exhaust server connections
  • Open proxy configuration: Misconfigured proxy_pass without proper access controls can turn your server into an open proxy
  • Missing client body size limits: Without client_max_body_size, attackers can send arbitrarily large request bodies

Rate limiting should be applied to authentication endpoints, API routes, and file upload paths at minimum, with graduated responses from throttling to temporary bans.

Code Examples

Hardened Nginx Server Block

server {
    listen 443 ssl http2;
    server_name example.com;

    # TLS hardening
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Information disclosure prevention
    server_tokens off;
    autoindex off;

    # Security headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Rate limiting
    limit_req zone=api burst=20 nodelay;
    client_max_body_size 10m;

    # Block sensitive files
    location ~ /\. { deny all; }
}

Häufig Gestellte Fragen

What security issues does this tool detect in Nginx configurations?

The Nginx Security Inspector checks for weak SSL/TLS protocols, missing security headers (HSTS, X-Frame-Options, X-Content-Type-Options), server token exposure, directory listing, missing rate limiting, insecure proxy configurations, missing client body size limits, exposed sensitive paths (.git, .env), missing HTTPS redirects, unsafe 'if' conditions, and missing connection timeouts.

How is the security score calculated?

The score starts at 100 and deducts points based on finding severity: Critical issues deduct 25 points, High issues deduct 15, Medium issues deduct 8, and Low issues deduct 3. The final score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40).

Is my Nginx configuration sent to a server?

No. All analysis happens entirely in your browser using JavaScript. Your Nginx configuration — which may contain internal infrastructure details, IP addresses, and backend server names — is never transmitted to any server. No data is stored, logged, or shared.

Why is 'if is evil' in Nginx?

The Nginx 'if' directive inside location blocks can cause unexpected behavior because it changes request processing phases rather than acting as a simple conditional. It can lead to dropped headers, incorrect redirects, and hard-to-debug issues. The Nginx team recommends using map, try_files, or separate location blocks instead.

Why should I disable server_tokens?

server_tokens reveals the Nginx version number in HTTP response headers and default error pages. Attackers use this to identify vulnerable versions and target known exploits. Setting server_tokens off; hides the version information, making reconnaissance harder.

What SSL/TLS protocols should I use?

Use only TLSv1.2 and TLSv1.3. Older protocols (SSLv2, SSLv3, TLSv1.0, TLSv1.1) have known vulnerabilities including POODLE, BEAST, and DROWN. Configure with: ssl_protocols TLSv1.2 TLSv1.3; in your server or http block.

Why are sensitive paths like .git flagged?

If a .git directory is accessible via the web server, attackers can download your entire repository history including source code, credentials, and secrets. Similarly, .env files often contain API keys and database passwords. Nginx should explicitly deny access to these paths with a location block returning 404 or 403.

What is rate limiting and why does it matter?

Rate limiting (limit_req and limit_conn in Nginx) restricts the number of requests a client can make in a given time period. Without it, your server is vulnerable to brute-force attacks, credential stuffing, and DDoS. A common configuration is: limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

What format should the input be?

Paste your Nginx configuration file content directly. The tool supports standard nginx.conf syntax including http, server, and location blocks, directives, and comments. You can paste a complete configuration file or just the relevant sections you want to analyze.