I still remember the first time I deployed a production app using Nginx. Everything looked perfect on the surface — fast responses, clean logs, smooth routing. But I had no idea how exposed the server actually was.
That changed after a quick nmap scan from a friend (who likes to “check things” for fun).
“Dude… your headers are leaking everything.”
Yikes.
That was the moment I realized: Nginx by default is good, but not safe.
Here’s how I hardened my Nginx config — step by step.
Step 1 – Hide Version Info (Because No One Needs to Know)
Out of the box, Nginx broadcasts its version in error messages and headers. This gives attackers a head start if you’re running something outdated.
So I disabled it:
server_tokens off;
And just to be sure, I also edited the config at /etc/nginx/nginx.conf under the http block.
http {
...
server_tokens off;
}
Now, no more “Nginx/1.18.0 (Ubuntu)” in my headers.
Step 2 – Use Strong SSL Config (No Excuses in 2025)
If you’re serving over HTTPS, the default SSL settings are not good enough. I used Mozilla SSL Config Generator and picked the “Intermediate” profile for broader compatibility.
In my nginx.conf or specific site config:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:...';
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1h;
And of course, I use Let’s Encrypt with auto-renew using Certbot.
Step 3 – Add Security Headers
These headers won’t stop attacks, but they help mitigate damage.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self';" always;
Note: CSP (Content-Security-Policy) needs testing — it can break stuff if misconfigured.
Step 4 – Limit Request Size
You don’t want people uploading huge files or abusing POST requests.
client_max_body_size 10M;
This simple directive has saved my app from tons of unnecessary load.
Step 5 – Rate Limiting & DDoS Basics
Nginx has built-in modules for basic rate limiting.
limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;
server {
...
location / {
limit_req zone=one burst=10 nodelay;
}
}
This can help slow down bots and brute-force attempts.
Step 6 – Disable Unused Methods
If your app doesn’t need methods like PUT, DELETE, or TRACE, disable them.
if ($request_method !~ ^(GET|POST|HEAD)$ ) {
return 444;
}
The 444 status code silently drops the connection — no response given. Cold and effective.
What Changed After Lockdown
Once I hardened my config:
- My SecurityHeaders.com score jumped from D to A+
- Bot traffic dropped significantly
- My logs became quieter and more predictable
It felt like installing a proper front door instead of a beaded curtain.
Final Thought
Nginx is powerful, but with great power comes default configs.
And default configs can leak more than you’d expect.
If you’re running anything public, take the time to lock things down. It doesn’t take much — and it might save you from a nasty surprise.
Leave a Comment