Nginx Security Inspector

Analyze Nginx configuration for security weaknesses including SSL/TLS, headers, rate limiting, and exposed paths

What is the Nginx Security Inspector?

The Nginx Security Inspector is a client-side tool that analyzes Nginx configuration files for security weaknesses and misconfigurations. It checks SSL/TLS settings, security headers, access controls, rate limiting, and other critical security directives to help you harden your web server.

How to Use

  1. Copy your Nginx configuration (nginx.conf, server blocks, or location blocks)
  2. Paste it into the input field
  3. Click "Analyze" or wait for automatic processing
  4. Review findings with severity ratings (Critical, High, Medium, Low)
  5. Follow the recommendations to improve your server security

Example: Insecure Configuration

A configuration with multiple security issues:

server {
    listen 80;
    server_tokens on;
    autoindex on;

    location / {
        root /var/www/html;
    }
}

Example: Hardened Configuration

# limit_req_zone is only valid in the http context, so it sits above the server block
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

server {
    listen 443 ssl;
    server_tokens off;

    # an ssl listener needs a certificate and key; these paths are placeholders
    ssl_certificate     /etc/nginx/ssl/example.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    client_max_body_size 10m;
    client_body_timeout 10s;

    location ~ /\.git { deny all; return 404; }
    location ~ /\.env { deny all; return 404; }

    location / {
        root /var/www/html;
        index index.html;
        limit_req zone=api burst=20;   # applies the zone defined above
    }
}

Security Areas Checked

  • SSL/TLS Configuration — Protocols, ciphers, and HTTPS enforcement
  • Security Headers — HSTS, X-Frame-Options, X-Content-Type-Options via add_header
  • Information Disclosure — server_tokens, autoindex, version exposure
  • Request Limits — client_max_body_size, rate limiting, connection timeouts
  • Proxy Security — Insecure backends, missing proxy headers
  • Sensitive Paths — Exposed .git, .env, .htaccess, wp-admin directories
  • Configuration Quality — Unsafe if usage, missing best practices

Security Scoring

Each configuration receives a score from 0 to 100. Severity weights are: Critical (25 points), High (15 points), Medium (8 points), Low (3 points). The score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40).

Privacy and Security

All analysis happens entirely in your browser using JavaScript. Your Nginx configuration — which may contain internal IP addresses, backend server names, and infrastructure details — is never transmitted to any server. No data is stored, logged, or shared.

Frequently Asked Questions

What security issues does this tool detect in Nginx configurations?

The Nginx Security Inspector checks for weak SSL/TLS protocols, missing security headers (HSTS, X-Frame-Options, X-Content-Type-Options), server token exposure, directory listing, missing rate limiting, insecure proxy configurations, missing client body size limits, exposed sensitive paths (.git, .env), missing HTTPS redirects, unsafe 'if' conditions, and missing connection timeouts.

How is the security score calculated?

The score starts at 100 and deducts points based on finding severity: Critical issues deduct 25 points, High issues deduct 15, Medium issues deduct 8, and Low issues deduct 3. The final score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40).
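The checks listed under "Security Areas Checked" and the scoring described above, as an added client-side example that is not the inspector's own code: a small JavaScript scorer that parses directives, applies a handful of the listed checks, and maps deductions to the page's grade bands. The severity assigned to each check and the sample input are assumptions made for this example.

```javascript
// Added example, not the inspector's own code: a minimal client-side scorer
// that applies the page's 25/15/8/3 weights and grade bands to a few of the
// listed checks. Which check carries which severity is an assumption here.
const WEIGHTS = { Critical: 25, High: 15, Medium: 8, Low: 3 };

// Split a config into directives, dropping # comments, keeping quoted values
// (so "max-age=...; includeSubDomains" stays one argument) and recording the
// enclosing block names so an `if` inside a location can be detected.
function parseDirectives(conf) {
  const stack = [], out = [];
  const re = /((?:"[^"]*"|'[^']*'|[^;{}"'])*)([;{}])/g;
  for (const m of conf.replace(/#.*$/gm, '').matchAll(re)) {
    const stmt = m[1].trim(), sep = m[2];
    if (sep === '}') { stack.pop(); continue; }
    if (!stmt) continue;
    const [name, ...args] = stmt.split(/\s+/);
    out.push({ name, args, parents: [...stack] });
    if (sep === '{') stack.push(name);
  }
  return out;
}

const has = (d, name, pred = () => true) => d.some(x => x.name === name && pred(x.args));
const hasHeader = (d, h) => has(d, 'add_header', a => (a[0] || '').toLowerCase() === h.toLowerCase());

// [severity, message, predicate over the parsed directives]
const CHECKS = [
  ['Critical', 'ssl_protocols allows a legacy protocol (SSLv2/3, TLSv1.0/1.1)',
    d => has(d, 'ssl_protocols', a => a.some(p => /^(SSLv[23]|TLSv1(\.[01])?)$/.test(p)))],
  ['High', 'server_tokens on reveals the Nginx version', d => has(d, 'server_tokens', a => a[0] === 'on')],
  ['High', 'listen 80 without a redirect to https://',
    d => has(d, 'listen', a => /(^|:)80$/.test(a[0])) && !has(d, 'return', a => /^https:/.test(a[1] || ''))],
  ['Medium', 'autoindex on enables directory listing', d => has(d, 'autoindex', a => a[0] === 'on')],
  ['Medium', "'if' used inside a location block", d => d.some(x => x.name === 'if' && x.parents.includes('location'))],
  ['Medium', 'no location rule covering .git or .env', d => !has(d, 'location', a => /\\?\.(git|env)/.test(a.join(' ')))],
  ...['X-Frame-Options', 'X-Content-Type-Options'].map(h => ['Medium', `missing ${h} header`, d => !hasHeader(d, h)]),
  ['Low', 'client_max_body_size not set', d => !has(d, 'client_max_body_size')],
];

function analyze(conf) {
  const d = parseDirectives(conf);
  const findings = CHECKS.filter(c => c[2](d)).map(([sev, msg]) => ({ sev, msg }));
  const score = Math.max(0, 100 - findings.reduce((s, f) => s + WEIGHTS[f.sev], 0));
  const grade = score >= 90 ? 'A' : score >= 75 ? 'B' : score >= 60 ? 'C' : score >= 40 ? 'D' : 'F';
  return { score, grade, findings };
}

// Constructed sample input modelled on the page's insecure example.
const INSECURE = 'server { listen 80; server_tokens on; autoindex on; location / { root /var/www/html; } }';
console.log(analyze(INSECURE)); // score 35, grade F
```

Running it on the hardened example from this page yields no findings and a score of 100 (grade A).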

Is my Nginx configuration sent to a server?

No. All analysis happens entirely in your browser using JavaScript. Your Nginx configuration — which may contain internal infrastructure details, IP addresses, and backend server names — is never transmitted to any server. No data is stored, logged, or shared.

Why is 'if is evil' in Nginx?

The Nginx 'if' directive inside location blocks can cause unexpected behavior because it changes request processing phases rather than acting as a simple conditional. It can lead to dropped headers, incorrect redirects, and hard-to-debug issues. The Nginx team recommends using map, try_files, or separate location blocks instead.

Why should I disable server_tokens?

server_tokens reveals the Nginx version number in HTTP response headers and default error pages. Attackers use this to identify vulnerable versions and target known exploits. Setting server_tokens off; hides the version information, making reconnaissance harder.

What SSL/TLS protocols should I use?

Use only TLSv1.2 and TLSv1.3. Older protocols (SSLv2, SSLv3, TLSv1.0, TLSv1.1) have known vulnerabilities including POODLE, BEAST, and DROWN. Configure with: ssl_protocols TLSv1.2 TLSv1.3; in your server or http block.

Why are sensitive paths like .git flagged?

If a .git directory is accessible via the web server, attackers can download your entire repository history including source code, credentials, and secrets. Similarly, .env files often contain API keys and database passwords. Nginx should explicitly deny access to these paths with a location block returning 404 or 403.

What is rate limiting and why does it matter?

Rate limiting (limit_req and limit_conn in Nginx) restricts the number of requests a client can make in a given time period. Without it, your server is vulnerable to brute-force attacks, credential stuffing, and DDoS. A common configuration is: limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

What format should the input be?

Paste your Nginx configuration file content directly. The tool supports standard nginx.conf syntax including http, server, and location blocks, directives, and comments. You can paste a complete configuration file or just the relevant sections you want to analyze.