About this chapter
A handful of small config changes make an nginx site noticeably harder to abuse. This chapter covers the essentials you can add to almost any server: hiding the version string, restricting who can reach a location, password-protecting an area, rate limiting abusive traffic, and sending the security headers browsers understand.
Lessons from courses
- 1 Hide the nginx version Hide the nginx version with server_tokens off so responses and error pages stop leaking it. Where to set the directive and why it matters.
- 2 Restrict access by IP Restrict access by IP in nginx with allow and deny to lock an admin area to office IPs. How CIDR ranges work and why rule order matters.
- 3 Password-protect with basic auth Set up nginx basic auth to password-protect a directory. Create the htpasswd file and add auth_basic to a location, then serve it over HTTPS.
- 4 Rate limiting requests Set up nginx rate limiting with limit_req_zone and limit_req to shield login and API endpoints from floods. How burst, nodelay and limit_conn work.
- 5 Security headers Add nginx security headers with add_header and always: X-Frame-Options, X-Content-Type-Options, Referrer-Policy and a starter CSP.