Assessing the NGINX Server's Configuration Security Based on CIS Benchmarks

dc.contributor.author: Lekcharuthas G.
dc.contributor.author: Khurat A.
dc.contributor.author: Choetkiertikul M.
dc.contributor.author: Ragkhitwetsagul C.
dc.contributor.correspondence: Lekcharuthas G.
dc.contributor.other: Mahidol University
dc.date.accessioned: 2026-03-20T18:25:43Z
dc.date.available: 2026-03-20T18:25:43Z
dc.date.issued: 2025-01-01
dc.description.abstract: Websites and applications commonly rely on web server software such as NGINX to handle server-side tasks. Administrators often copy configuration files of these servers from online sources (e.g., GitHub) and adapt them, but these files can be misconfigured and introduce security vulnerabilities. This paper presents an automated tool that assesses NGINX configuration files against the CIS Benchmark for NGINX by the Center for Internet Security (CIS). We categorized benchmark recommendations applicable to configuration files, implemented the tool, and evaluated it on 23 popular NGINX-based GitHub repositories. On average, only about 4.01% of scannable recommendations were implemented; configurations for logging and encryption were absent from defaults. These findings raise concerns for developers adopting such files without thorough review. Our evaluation shows that the tool can be used to identify insecure or missing configurations in online-sourced configurations and promotes best practices of having secure configurations for a stronger security posture.
dc.identifier.citation: Icsec 2025 29th International Computer Science and Engineering Conference 2025 (2025), 459-464
dc.identifier.doi: 10.1109/ICSEC67360.2025.11298035
dc.identifier.scopus: 2-s2.0-105032724655
dc.identifier.uri: https://repository.li.mahidol.ac.th/handle/123456789/115802
dc.rights.holder: SCOPUS
dc.subject: Computer Science
dc.subject: Decision Sciences
dc.title: Assessing the NGINX Server's Configuration Security Based on CIS Benchmarks
dc.type: Conference Paper
mu.datasource.scopus: https://www.scopus.com/inward/record.uri?partnerID=HzOxMe3b&scp=105032724655&origin=inward
oaire.citation.endPage: 464
oaire.citation.startPage: 459
oaire.citation.title: Icsec 2025 29th International Computer Science and Engineering Conference 2025
oairecerif.author.affiliation: Mahidol University
