Facebook Pixel

Nginx Security Hardening Protecting Your Node.js App from Attacks

Learn how to harden Nginx to protect your Node.js application security headers, rate limiting, DDoS protection, hiding server info, and access control.

Nginx Security Hardening

Securing Nginx is a critical layer of defense for your Node.js application. This guide covers essential security hardening techniques.

1. Hide Nginx Version

# In nginx.conf server_tokens off;

This removes the Nginx version number from the Server header and error pages, making it harder for attackers to find known vulnerabilities.

2. Security Headers

server { # ... existing config ... add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; }

X-Frame-Options: SAMEORIGIN Prevents clickjacking by disallowing iframe embedding from other domains.

X-Content-Type-Options: nosniff Prevents MIME-type sniffing (browser guessing content type).

X-XSS-Protection Enables browser's built-in XSS filter.

Referrer-Policy Controls how much referrer information is sent.

Content-Security-Policy Restricts which resources can be loaded. This is the strongest defense against XSS.

Strict-Transport-Security (HSTS) Forces HTTPS for 1 year.

3. Rate Limiting

# In http block limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s; limit_conn_zone $binary_remote_addr zone=conn:10m; server { # API rate limiting location /api/ { limit_req zone=api burst=20 nodelay; limit_conn conn 10; proxy_pass http://localhost:3000; } # Global connection limit limit_conn conn 20; }

This limits each IP to 10 requests/second (with burst of 20) and 10 concurrent connections to the API.

4. DDoS Protection

# Limit request body size (prevent large payload attacks) client_max_body_size 10M; # Limit request header size client_header_buffer_size 1k; large_client_header_buffers 2 1k; # Timeouts (prevent slowloris attacks) client_body_timeout 10; client_header_timeout 10; keepalive_timeout 15; send_timeout 10; reset_timedout_connection on;

5. Disable Unused HTTP Methods

if ($request_method !~ ^(GET|POST|PATCH|PUT|DELETE|HEAD|OPTIONS)$ ) { return 405; }

This rejects requests with methods like TRACE or TRACK that can be used for attacks.

6. Access Control by IP

# Allow only specific IPs for admin routes location /admin/ { allow 192.168.1.0/24; allow 10.0.0.0/8; deny all; proxy_pass http://localhost:3000; }

7. Basic Authentication

# Install htpasswd sudo apt install -y apache2-utils # Create password file sudo htpasswd -c /etc/nginx/.htpasswd adminuser
location /admin/ { auth_basic "Admin Area"; auth_basic_user_file /etc/nginx/.htpasswd; proxy_pass http://localhost:3000; }

8. SSL/TLS Hardening

server { listen 443 ssl http2; # Only modern protocols ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256; ssl_prefer_server_ciphers off; # OCSP stapling ssl_stapling on; ssl_stapling_verify on; # HSTS add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; }

9. Prevent Information Leakage

# Block access to hidden files location ~ /\. { deny all; } # Block access to backup/config files location ~ ~$ { deny all; } # Block access to .env files location ~ /\.env { deny all; }

10. Log Suspicious Activity

# Log requests with no user agent if ($http_user_agent = "") { return 403; } # Log unusually large requests location / { if ($request_length > 100000) { return 413; } proxy_pass http://localhost:3000; }

11. Use ModSecurity (Optional)

For advanced WAF (Web Application Firewall) protection:

sudo apt install -y libmodsecurity3 libnginx-mod-http-modsecurity
modsecurity on; modsecurity_rules_file /etc/modsecurity/modsecurity.conf;

The Takeaway

Nginx security hardening involves: hiding server tokens, adding security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options), rate limiting and connection limiting, DDoS protection (body size limits, timeouts), disabling unused HTTP methods, IP-based access control, basic auth for admin areas, SSL/TLS hardening, blocking hidden files, and logging suspicious activity. These layers combined create a strong defense.

Add server_tokens off; to nginx.conf. This removes the version number from the Server response header and error pages, making it harder for attackers to identify known vulnerabilities in your specific Nginx version.

X-Frame-Options (SAMEORIGIN, prevents clickjacking), X-Content-Type-Options (nosniff, prevents MIME sniffing), X-XSS-Protection, Referrer-Policy, Content-Security-Policy (restricts resource loading), and Strict-Transport-Security (HSTS, forces HTTPS).

Set client_max_body_size to limit payload size, short timeouts (client_body_timeout 10, client_header_timeout 10) to prevent slowloris attacks, rate limiting (limit_req_zone with rate and burst), and connection limits (limit_conn_zone).

Use allow and deny directives in the location block: allow 192.168.1.0/24; deny all; This only allows requests from the specified IP range. For basic auth, use auth_basic and auth_basic_user_file with htpasswd.

CSP is a security header that restricts which resources (scripts, styles, images) can be loaded on your site. It's the strongest defense against XSS attacks. Example: default-src 'self' means only load resources from your own domain.

Ready to master Node.js completely?

Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.

Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.