Ensure access logs are sent to a remote syslog server. Details: Centralized log management helps ensure logs are forensically sound and are available at a central location for auditing and...
Ensure allow and deny filters limit access to specific IP addresses. Details: IP-based restrictions act as a defense in depth mechanism. They allow you to whitelist legitimate paths to your applications...
Ensure error logs are sent to a remote syslog server. Details: Centralized log management helps ensure logs are forensically sound and are available at a central location for auditing and...
Ensure HTTP Public Key Pinning is enabled. Details: HTTP Public Key Pinning, also known as certificate pinning, allows a site to specify exactly which certificates the browser...
Ensure HTTP WebDAV module is not installed. Details: The http_dav_module enables HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV) as defined by RFC 4918. This enables...
Ensure modules with gzip functionality are disabled. Details: gzip is used for compression. Compression functionality should be disabled to prevent certain types of attacks from being performed...
Ensure NGINX is installed from source. Details: Installing NGINX directly from source allows you to install NGINX without the use of a package manager. Rationale: Installing...
Ensure only required modules are installed. Details: This NGINX installation comes with several modules out of the box. Not all of these modules are always needed. Installations...
Ensure rate limits by IP address are set. Details: Rate limiting should be enabled to limit the number of requests an IP address may make to a server...
Ensure session resumption is disabled to enable perfect forward security. Details: Session resumption for HTTPS sessions should be disabled so perfect forward secrecy can be achieved. Rationale: Perfect forward secrecy...