How to Harden the Nginx Web Server on your CentOS 7 Virtual Server or Dedicated Server

1. Hide details about Nginx

By default, Nginx reveals its exact version in the Server response header, as shown below.

Disclosing the version makes an attacker's job easier: it tells them which known vulnerabilities to try against the web server, so it should be suppressed.

[linuxuser@centos7-nginx ~]$ curl -I http://35.225.245.112
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 23 May 2018 19:14:48 GMT
Content-Type: text/html
Content-Length: 3700
Last-Modified: Tue, 06 Mar 2018 09:26:21 GMT
Connection: keep-alive
ETag: "5a9e5ebd-e74"
Accept-Ranges: bytes

Disable this information leakage by adding the line below to the http section of the nginx config file /etc/nginx/nginx.conf:

http {
    server_tokens off;   # omit the version from the Server header and from error pages
    # existing http directives follow
}

Save the file and reload nginx:

$ sudo systemctl reload nginx

Confirm that the nginx version details are no longer shown.

[linuxuser@centos7-nginx ~]$ curl -I http://35.225.245.112
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 23 May 2018 19:17:53 GMT
Content-Type: text/html
Content-Length: 3700
Last-Modified: Tue, 06 Mar 2018 09:26:21 GMT
Connection: keep-alive
ETag: "5a9e5ebd-e74"
Accept-Ranges: bytes

2. Enable X-XSS Protection

The X-XSS-Protection header asks the visitor's browser to enable its built-in filter against reflected cross-site scripting attacks. Add the line add_header X-XSS-Protection "1; mode=block"; to the http section of the nginx config file /etc/nginx/nginx.conf. Note that current browsers have retired this filter and ignore the header; a Content-Security-Policy header is the present-day control, so treat X-XSS-Protection as defence in depth for older browsers.

http {
    server_tokens off;
    add_header X-XSS-Protection "1; mode=block";   # "1" enables the filter, mode=block stops rendering instead of sanitising
}

3. Disable undesirable HTTP methods

A typical web application needs only GET, HEAD and POST; methods such as DELETE or TRACE are undesirable. These are risky: TRACE, for example, enables cross-site tracing attacks that can expose cookie information by reflecting the request back to the client.

To refuse them, add the block below to the server section of the nginx config file /etc/nginx/nginx.conf:

# answer 405 Method Not Allowed for anything other than GET, HEAD or POST
if ($request_method !~ ^(GET|HEAD|POST)$) {
    return 405;
}

Save the file and reload the nginx service.

4. Prevent clickjacking attacks

In a clickjacking attack, the attacker overlays a legitimate-looking button with a hidden link, so a user who thinks they are clicking the button actually triggers the attacker's action. In most cases this is done by loading the target site in an iframe. In nginx it is therefore recommended to send the header X-Frame-Options "SAMEORIGIN", which tells the browser to allow the page to be framed only by pages from the same origin.

Add the line add_header X-Frame-Options "SAMEORIGIN"; to the http section of the nginx config file /etc/nginx/nginx.conf.

Save the file and reload the nginx service.

5. Always keep nginx up to date

Nginx updates deliver the fixes for security vulnerabilities found in previous versions or releases, so applying them promptly closes those holes. Just run the command below:

$ sudo yum update nginx
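To tie steps 1 to 4 together, the script below is an added example (it is not part of the original article) that writes the four directives into two nginx snippets and then audits a server's responses for the same controls. It assumes the CentOS 7 nginx package's default behaviour of including /etc/nginx/conf.d/*.conf from inside the http block, that curl is installed, and that the URL passed as the first argument is your own server; the file names hardening.conf and methods.conf are placeholders chosen for this example. It also records two caveats the article does not mention: add_header directives are not inherited into a server or location block that declares its own add_header, and without the "always" parameter (nginx 1.7.5 and later) the headers are only attached to 2xx and 3xx responses, so error pages would lack them.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: consolidate steps 1-4 into two
# nginx snippets and audit a running server for the same controls.
# Assumptions: /etc/nginx/conf.d/*.conf is included from the http {} context
# (CentOS 7 default), curl is installed, and the audited URL is your own server.

# Write the http-level directives to $1 (default: a temp file).
# Caveats: add_header is NOT inherited into a server {} or location {} that sets
# its own add_header, so repeat these there; "always" makes nginx attach the
# headers to error responses too, not only to 2xx/3xx.
write_http_hardening() {
    local out=${1:-$(mktemp)}
    cat > "$out" <<'EOF'
# hardening.conf (placeholder name) - include from the http {} context
server_tokens off;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
EOF
    printf '%s\n' "$out"
}

# Write the method restriction to $1; "if" is only valid inside server {} or
# location {}, so this file must be included from each server block.
write_method_hardening() {
    local out=${1:-$(mktemp)}
    cat > "$out" <<'EOF'
# methods.conf (placeholder name) - include inside each server {} block
if ($request_method !~ ^(GET|HEAD|POST)$) {
    return 405;
}
EOF
    printf '%s\n' "$out"
}

# Audit raw response headers read from stdin. Prints one line per control and
# returns the number of missing controls (0 means all three header checks pass).
audit_headers() {
    local headers missing=0
    headers=$(cat | tr -d '\r')          # curl returns CRLF line endings
    if printf '%s\n' "$headers" | grep -qiE '^Server: *nginx/[0-9]'; then
        echo "FAIL server_tokens: version disclosed in Server header"
        missing=$((missing + 1))
    else
        echo "OK   server_tokens: Server header carries no version"
    fi
    if printf '%s\n' "$headers" | grep -qiE '^X-XSS-Protection: *1; *mode=block'; then
        echo "OK   X-XSS-Protection set"
    else
        echo "FAIL X-XSS-Protection missing"
        missing=$((missing + 1))
    fi
    if printf '%s\n' "$headers" | grep -qiE '^X-Frame-Options: *(SAMEORIGIN|DENY)'; then
        echo "OK   X-Frame-Options set"
    else
        echo "FAIL X-Frame-Options missing"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Step 3 answers 405 for anything outside GET/HEAD/POST; any other status means
# the method reached the application.
method_is_blocked() {
    [ "$1" = "405" ]
}

# Live audit of your own server: header checks plus one probe per undesired method.
audit_url() {
    local url=$1 m code
    curl -sS -I "$url" | audit_headers
    for m in TRACE DELETE PUT; do
        code=$(curl -sS -o /dev/null -w '%{http_code}' -X "$m" "$url")
        if method_is_blocked "$code"; then
            echo "OK   $m refused with $code"
        else
            echo "FAIL $m answered with $code"
        fi
    done
}

if [ "$#" -gt 0 ]; then
    audit_url "$1"
fi
```

Run it as `bash harden_audit.sh http://your-server/` after the reload; every line should read OK. After copying the two generated files into place, run `sudo nginx -t` before `sudo systemctl reload nginx` so a typo in the snippets cannot take the server down.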

Special note: HostAdvice’s hosting reviews allow you to consult with thousands of users before purchasing a hosting plan. If you are looking to purchase a CentOS VPS plan, consult the VPS hosting reviews or Linux Hosting reviews.
