A default Nginx installation exposes information and functionality that attackers can exploit. Hardening your Nginx configuration reduces the attack surface and protects against common web server vulnerabilities.
Essential Security Directives
Set the server_tokens directive to off to hide Nginx version information from the Server response header and default error pages. Add security headers including X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, and Content-Security-Policy to protect against common client-side attacks.
Configure rate limiting with the limit_req module to protect against brute force and denial-of-service attacks. Set request body size limits with client_max_body_size to prevent resource exhaustion from oversized uploads.
Restrict access to sensitive paths like admin panels and configuration endpoints using allow/deny directives or HTTP basic authentication. Disable unnecessary HTTP methods with a location block that returns 405 for anything beyond GET, POST, and HEAD on most endpoints.
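The directives from the sections above combined into one hardened server block, as an added example that is not from the original page; the hostname, certificate paths, document root, management network, htpasswd file and upstream address are placeholders, and the dotfile location is an assumed example of a "configuration endpoint" to protect.

```nginx
http {
    # Hide the Nginx version in the Server header and on default error pages
    server_tokens off;

    # Rate-limit state: keyed by client IP, 10 MB shared memory, 10 req/s per IP
    limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

    server {
        listen 443 ssl;
        server_name example.com;                             # placeholder hostname
        ssl_certificate     /etc/nginx/certs/fullchain.pem;  # placeholder paths
        ssl_certificate_key /etc/nginx/certs/privkey.pem;

        # Reject request bodies over 1 MB with 413 before they are buffered to disk
        client_max_body_size 1m;

        # Client-side protection headers; "always" also sends them on 4xx/5xx.
        # Caveat: a location that declares its own add_header inherits none of these.
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "DENY" always;
        add_header X-XSS-Protection "1; mode=block" always;  # legacy browsers only; CSP is the effective control
        add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;

        # Ordinary endpoints: rate-limited, and only GET/HEAD/POST are accepted
        location / {
            limit_req zone=perip burst=20 nodelay;
            if ($request_method !~ ^(GET|HEAD|POST)$) {
                return 405;    # "return" is the one safe action inside an nginx "if"
            }
            root /var/www/html;   # placeholder document root
        }

        # Admin panel: source-network restriction plus HTTP basic auth (both must pass)
        location /admin/ {
            allow 10.0.0.0/8;     # placeholder management network
            deny  all;
            auth_basic           "Restricted";
            auth_basic_user_file /etc/nginx/.htpasswd;   # placeholder credential file
            limit_req zone=perip burst=5;
            proxy_pass http://127.0.0.1:8080;            # placeholder upstream
        }

        # Deny direct access to dotfiles (.git, .env, .htpasswd) under the web root
        location ~ /\. {
            deny all;
        }
    }
}
```

Validate with `nginx -t` before reloading, and confirm the headers with `curl -I` against both a normal page and a 404, since the `always` flag is what keeps them on error responses.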