Ensure HTTP Strict Transport Security (HSTS) is enabled
Details: HTTP Strict Transport Security (HSTS) headers instruct a user agent on how to communicate with a web server. HSTS...

Ensure keepalive_timeout is 10 seconds or less, but not 0
Details: Persistent connections are leveraged by all modern browsers to facilitate greater web performance. The keep-alive timeout limits the time...

Ensure log files are rotated – rotate
Details: Log rotation ensures log files do not consume excessive disk space, potentially causing a denial of service. Rationale: Log...

Ensure log files are rotated – weekly
Details: Log rotation ensures log files do not consume excessive disk space, potentially causing a denial of service. Rationale: Log...

Ensure NGINX is installed
Details: The CIS NGINX Benchmark recommends using the NGINX binary provided by your vendor for most situations. As an alternative,...

Ensure NGINX only listens for network connections on authorized ports
Details: NGINX can be configured to listen on any port, but it should be configured to listen on authorized ports...

Ensure NGINX directories and files are owned by root
Details: The owner and group of the /etc/nginx directory and its files should be root. Rationale: Setting ownership to only...

Ensure Online Certificate Status Protocol (OCSP) stapling is enabled – ssl_stapling
Details: OCSP allows a user’s browser or another user agent to verify the certificate it is seeing is not revoked....

Ensure Online Certificate Status Protocol (OCSP) stapling is enabled – ssl_stapling_verify
Details: OCSP allows a user’s browser or another user agent to verify the certificate it is seeing is not revoked....

Ensure only modern TLS protocols are used
Details: Only modern TLS protocols should be enabled in NGINX for all client connections and upstream connections. Removing legacy TLS...