nginx.conf best practices
Security and performance best practices for nginx.conf: disable server_tokens, restrict HTTP methods, avoid root in location blocks, and set buffer limits.
Disable server_tokens in nginx.conf
Nginx exposes its version number in the Server response header and on its built-in error pages by default. Set server_tokens off; in the http, server or location context to hide the version. The header then reads only "Server: nginx"; removing it altogether requires a third-party module such as headers-more. Hiding the version fixes nothing by itself and does not stop a determined attacker from fingerprinting the build, but it denies the cheapest way to match the server against exploits for a specific release, so treat it as a complement to keeping Nginx patched, not a substitute. See How to disable server_tokens in nginx.conf for step-by-step instructions.
Restrict HTTP Methods in nginx.conf
Nginx's own static file handler answers 405 to anything but GET, HEAD and POST, but for proxied or FastCGI locations Nginx forwards whatever method the client sends, including DELETE, TRACE, and OPTIONS, straight to the application. Restrict the allowed methods to GET, POST, and HEAD if the application does not require other methods. Blocking unused methods shrinks the surface the application has to defend; it does not replace authorization checks in the application for the methods that remain. An if on $request_method in the server context, as below, rejects the request before any location is matched and is safe to use (the well-known warnings about if concern if inside location blocks combined with other directives). Inside a location block, limit_except is the purpose-built equivalent; allowing GET there also allows HEAD.
server {
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }
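    # Added example (not part of the original page), in the same server block:
    # the same restriction expressed per location with limit_except. GET implies
    # HEAD; every other method is refused by deny all with a 403 rather than a
    # 405. The /api/ path and the backend address are assumptions.
    location /api/ {
        limit_except GET POST {
            deny all;
        }
        proxy_pass http://127.0.0.1:8080;
    }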
}

Avoid Using root Inside location Blocks in nginx.conf
Nginx builds the file path the same way at both levels: the value of root followed by the full request URI, location prefix included. A location inherits root from the server block; a root set inside the location replaces it for that location only. Define root at the server level and override it in a location block only when a specific path really lives under a different document root. Repeating root in every location block creates duplication and is the usual source of wrong file paths: a root chosen to point straight at the directory for that prefix yields a doubled path, because the prefix is appended again. alias, which replaces the prefix instead of appending to the root, is the directive for that case.
# Recommended: root at server level
server {
    root /var/www/example.com;
    location /images/ {
        # Inherits root from server context
    }
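    # Added example (not part of the original page), still inside this server
    # block: how Nginx builds the file path when a location sets root or alias.
    # Paths are illustrative. For a request for /static/logo.png:
    #   inherited root /var/www/example.com    -> /var/www/example.com/static/logo.png
    #   root /var/www/files in this location   -> /var/www/files/static/logo.png
    #                                             (the whole URI is appended)
    #   alias /var/www/files/ in this location -> /var/www/files/logo.png
    #                                             (the /static/ prefix is replaced)
    location /static/ {
        alias /var/www/files/;
        # Keep the trailing slash on both the location and the alias. Written
        # as "location /static", the prefix also matches /static../secret and
        # the alias resolves to /var/www/files/../secret, outside the directory.
    }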
}

Set Buffer Size Limits in nginx.conf to Prevent DoS Attacks
Nginx allocates memory buffers for client request headers and bodies. Set explicit limits with client_body_buffer_size, client_header_buffer_size, large_client_header_buffers and client_max_body_size so that an oversized request is rejected instead of buffered. None of these is unbounded by default, but the defaults vary between builds and platforms, and stating them documents the limit you actually rely on. A request line that does not fit in one of the large header buffers is answered with 414, a header field that does not fit with 400, and a body larger than client_max_body_size with 413 before it is read. A body larger than client_body_buffer_size is not an error: Nginx spools it to a temporary file on disk, so client_max_body_size, not the buffer size, is what bounds the bytes a client can make the server accept. Size the limits to the application's real needs; shrinking them below what legitimate clients send (large cookies, long query strings, file uploads) turns the protection into an outage.
http {
    client_body_buffer_size 16k;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;
    client_max_body_size 8M;
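    # Added example (not part of the original page), in the same http block:
    # the sizes above bound memory per request; these bound how long a client
    # may hold that memory and how many connections one address may hold open
    # at once. Values and the zone name are illustrative; tune them to the
    # application.
    client_header_timeout 10s;   # 408 if the request headers do not arrive in time
    client_body_timeout 10s;     # 408 if the body stalls between two successive reads
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;
    limit_conn per_ip 20;        # 503 once one client address holds 20 connections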
}

Use TLS 1.2 and TLS 1.3 Only in nginx.conf
Nginx supports multiple SSL/TLS protocol versions. Disable SSLv3, TLS 1.0, and TLS 1.1: SSLv3 is broken by POODLE, TLS 1.0's CBC mode by BEAST-style attacks, and TLS 1.0 and 1.1 were formally deprecated by RFC 8996. Configure ssl_protocols to allow only TLS 1.2 and TLS 1.3. TLS 1.3 needs Nginx 1.13.0 or later built against OpenSSL 1.1.1 or later; with an older OpenSSL the TLSv1.3 token is quietly unavailable rather than rejected, so confirm the negotiated version from a client instead of trusting the config. ssl_ciphers governs TLS 1.2 and earlier only: with OpenSSL, the TLS 1.3 cipher suites are a separate list that ssl_ciphers does not touch (ssl_conf_command Ciphersuites, Nginx 1.19.4+, sets it). The HIGH:!aNULL:!MD5 list below is Nginx's default and still admits CBC suites and non-forward-secret RSA key exchange; restrict it to ECDHE/DHE AEAD suites for TLS 1.2 if your client population allows it.
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}

Add Security Headers in nginx.conf
Nginx can inject HTTP security headers into every response with add_header. Add X-Content-Type-Options, X-Frame-Options, and Strict-Transport-Security (HSTS) to protect against MIME sniffing, clickjacking, and HTTPS-to-HTTP downgrade. Two properties of add_header matter here. First, without the always parameter a header is added only to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses, so error pages ship without it; put always on every security header. Second, add_header is not merged across levels: a location (or server) block that declares any add_header of its own starts from an empty list and silently drops every header declared in its parent, so either repeat the full set there or keep the set in one file that each such block includes. Send HSTS from the HTTPS server block only, remember that includeSubDomains commits every subdomain to HTTPS for max-age seconds, and start with a short max-age while testing. X-Frame-Options is still honoured, but a Content-Security-Policy frame-ancestors directive supersedes it wherever both are present.
server {
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
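    # Added example (not part of the original page), in the same server block:
    # a location that needs a header of its own. Because add_header is not
    # inherited once a block declares one, the Content-Disposition line alone
    # would make every response under /downloads/ lose the three headers above,
    # so the full set is repeated. The path is an assumption.
    location /downloads/ {
        add_header Content-Disposition attachment always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }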
}

Test nginx.conf Before Reloading
nginx -t parses the entire configuration, including every file pulled in with include, and checks that referenced files such as certificates and log files can be opened. A syntax error or missing file makes the test fail. If the same broken config reaches a running instance, reload keeps the old configuration and its workers in place and only logs the error, but a restart or a cold start fails outright, and that is where the downtime comes from. Run nginx -t after every change and before every systemctl reload nginx, and chain the two so the reload only happens when the test passes. nginx -T runs the same test and then prints the full effective configuration to stdout, which is the right input for auditing the settings on this page across all included files.
sudo nginx -t && sudo systemctl reload nginx
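The checks this page recommends can be audited mechanically from nginx -T output. The script below is an added example, not code from the original page or from the Nginx project: it is a static audit of an Nginx configuration for the server_tokens, TLS version, add_header and client_max_body_size points above. The function names, the two embedded sample configs (constructed here so the script runs offline) and the grep/awk heuristics are this example's own; they are text matches, not a parser, and do not replace nginx -t.

```shell
#!/bin/sh
# Added example, not from the original page: static audit of an Nginx config
# for the recommendations on this page. Feed it `nginx -T` output so included
# files are covered. Heuristic text checks only; run nginx -t as well.

# audit_nginx_conf FILE: print one FINDING line per problem, return their count.
audit_nginx_conf() {
    f=$1
    n=0

    # 1. Version disclosure: server_tokens must be explicitly off.
    if ! grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' "$f"; then
        printf 'FINDING: server_tokens is not set to off\n'; n=$((n + 1))
    fi

    # 2. Legacy protocols: an ssl_protocols line naming SSLv3, TLSv1 or TLSv1.1.
    if grep -E '^[[:space:]]*ssl_protocols' "$f" | grep -Eq 'SSLv3|TLSv1([[:space:];]|\.1)'; then
        printf 'FINDING: ssl_protocols enables SSLv3, TLS 1.0 or TLS 1.1\n'; n=$((n + 1))
    fi

    # 3. Headers that vanish on error responses: add_header without always.
    m=$(grep -E '^[[:space:]]*add_header' "$f" | grep -Evc 'always[[:space:]]*;' || true)
    if [ "$m" -gt 0 ]; then
        printf 'FINDING: %s add_header line(s) lack the always parameter\n' "$m"; n=$((n + 1))
    fi

    # 4. add_header inside a location: that block starts from an empty header
    #    list, so every header set at server/http level must be repeated there.
    #    Brace depth is tracked per line; nested locations are handled loosely.
    m=$(awk '
        /^[[:space:]]*location[[:space:]]/ { loc = depth + 1 }
        /^[[:space:]]*add_header/ && loc && depth >= loc { c++ }
        { depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}")
          if (loc && depth < loc) loc = 0 }
        END { print c + 0 }' "$f")
    if [ "$m" -gt 0 ]; then
        printf 'FINDING: %s add_header line(s) inside location blocks; repeat the parent set there\n' "$m"; n=$((n + 1))
    fi

    # 5. Body bound: client_max_body_size should be stated explicitly.
    if ! grep -Eq '^[[:space:]]*client_max_body_size' "$f"; then
        printf 'FINDING: client_max_body_size not set (the 1m default applies)\n'; n=$((n + 1))
    fi

    return "$n"
}

# Constructed weak config: every check fires (5 findings).
weak_sample() {
cat <<'EOF'
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    server {
        listen 443 ssl;
        add_header X-Frame-Options SAMEORIGIN;
        add_header Strict-Transport-Security "max-age=31536000" always;
        location /api/ {
            add_header X-Content-Type-Options nosniff;
        }
    }
}
EOF
}

# Constructed config that follows this page: no findings.
hardened_sample() {
cat <<'EOF'
http {
    server_tokens off;
    client_max_body_size 8M;
    server {
        listen 443 ssl;
        ssl_protocols TLSv1.2 TLSv1.3;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        location /images/ {
            root /var/www/example.com;
        }
    }
}
EOF
}

# Usage: nginx -T 2>/dev/null > effective.conf; sh nginx-audit.sh effective.conf
# Without an argument the weak sample is audited as a demonstration.
if [ -n "${1:-}" ]; then
    audit_nginx_conf "$1"
else
    tmp=$(mktemp)
    weak_sample >"$tmp"
    audit_nginx_conf "$tmp" || printf '%s finding(s)\n' "$?"
    rm -f "$tmp"
fi
```

The exit status is the number of findings, so the script can gate a deploy step the same way nginx -t does. Running it on nginx -T output rather than on nginx.conf alone matters for check 4: the location blocks that drop inherited headers are usually in included site files.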