nginx-baseline
DevSec Nginx Baseline - InSpec Profile
It is useful if you want to test an nginx install where the configuration files are not in the standard directory.
If the `proxy` module is used, make sure `proxy_set_header Proxy "";` is set to thwart the [httpoxy](https://httpoxy.org/) attack. A more detailed discussion is on the NGINX website: [Mitigating the HTTPoxy Vulnerability with NGINX](https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx)
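As an added example (not part of the nginx-baseline profile itself), the following Ruby script walks a constructed nginx.conf and reports `location` blocks that use `proxy_pass` without clearing the `Proxy` header, which is the kind of check an InSpec control for this mitigation would perform. It is a simplified line-based walk, not a full nginx config parser, and it does not model inheritance of `proxy_set_header` from enclosing `server` or `http` contexts.

```ruby
# Constructed sample config (not a real deployment): two proxied locations,
# only the first of which applies the httpoxy mitigation.
SAMPLE_CONF = <<~CONF
  http {
    server {
      listen 80;
      location /api/ {
        proxy_set_header Proxy "";
        proxy_pass http://backend;
      }
      location ~ ^/legacy/ {
        proxy_pass http://legacy_app;
      }
      location /static/ {
        root /var/www;
      }
    }
  }
CONF

# Returns the location blocks that proxy upstream but never set
# `proxy_set_header Proxy "";` within the block. Braces are counted so
# nested blocks inside a location do not end it early.
# Assumption: the mitigation must appear inside the location block itself;
# directives inherited from server/http level are not considered.
def unmitigated_proxy_locations(conf)
  findings = []
  current = nil   # location currently being walked, nil when outside one
  depth = 0       # brace depth relative to the start of that location
  proxied = cleared = false
  conf.each_line do |raw|
    line = raw.strip
    if current.nil?
      if (m = line.match(/\Alocation\s+(.+?)\s*\{/))
        current, depth, proxied, cleared = m[1], 1, false, false
      end
      next
    end
    proxied = true if line.start_with?('proxy_pass')
    cleared = true if line.match?(/\Aproxy_set_header\s+Proxy\s+"";/)
    depth += line.count('{') - line.count('}')
    next unless depth.zero?
    findings << current if proxied && !cleared
    current = nil
  end
  findings
end

puts "Locations missing httpoxy mitigation: #{unmitigated_proxy_locations(SAMPLE_CONF).inspect}"
```

For the sample above it reports only the `~ ^/legacy/` location; the static location is ignored because it does not proxy.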
Control 7 (Control simultaneous connections) expects a limit_conn with a value of 5. https://github.com/dev-sec/nginx-baseline/blob/b54b03c48592c7da58f6532d59feb3ec03b2cf3c/controls/nginx_spec.rb#L184-L194 Modern web browsers support 6 (or more) connections per hostname, see the table on https://developer.pushtechnology.com/cloud/latest/manual/html/designguide/solution/support/connection_limitations.html#connection_limitations__conn_ie and...
Control 16 adds a check for `set_cookie_flag`. Looking at this option, it seems you can only activate it if you use the [nginx_cookie_flag_module](https://github.com/AirisX/nginx_cookie_flag_module). And to activate it you need to...
Test nginx-14 checks if the string `if ( $request_method !~ ^(GET|HEAD|POST)$ ) {` exists in the `nginx.conf`. So far, so good. However, there should also be a check...
Hello everyone, first of all, thanks for these controls, this helps a lot. Unfortunately I have problems running this profile after upgrading to inspec 2.x. It seems that every...