nginx-baseline

Disable insecure HTTP-methods

Open rndmh3ro opened this issue 7 years ago • 0 comments

Test nginx-14 checks if the string if ( $request_method !~ ^(GET|HEAD|POST)$ ) { exists in the nginx.conf. So far, so good. However, there should also be a check that the correct error code is returned if the wrong request method is used.

Therefore I propose the following regex that checks if the output of nginx -T contains the following:

  if ( $request_method !~ ^(GET|HEAD|POST)$ ) {
    return 405;
  }

The regex:

  describe parse_config(nginx_parsed_config, options) do
    its('content') { should match(/^\s*if\s+\(\s*\$request_method\s+\!\~\s+\^\(#{HTTP_METHODS}\)\$\s*\)\s*\{?$\s*return\s+405;\s+}$/) }
  end

Regexr: https://regexr.com/3u94m

What do you think?

rndmh3ro Aug 21 '18 20:08
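
The following Ruby snippet is an added example, not part of the issue or of the nginx-baseline code: it runs the proposed pattern over constructed configuration snippets and compares it with a check that only looks for the if line. The helper names, the sample configurations and the `HTTP_METHODS` value are assumptions; in particular the method list is assumed to be escaped, because the pattern matches the surrounding parentheses literally.

```ruby
# Assumption: the allowed-method list. The pattern matches the parentheses
# around it literally, so the pipes must be literal too; a raw "GET|HEAD|POST"
# would become top-level alternation and match any text containing "HEAD".
HTTP_METHODS = Regexp.escape('GET|HEAD|POST')

# Hypothetical helper wrapping the pattern proposed in the issue.
def proposed_check(methods)
  /^\s*if\s+\(\s*\$request_method\s+\!\~\s+\^\(#{methods}\)\$\s*\)\s*\{?$\s*return\s+405;\s+}$/
end

# Hypothetical stand-in for a check that only looks for the if line.
def if_line_only(methods)
  /^\s*if\s+\(\s*\$request_method\s+\!\~\s+\^\(#{methods}\)\$\s*\)\s*\{?$/
end

# Constructed sample configurations (not taken from a real server).
SAMPLES = {
  compliant: <<~CONF,
    server {
        if ( $request_method !~ ^(GET|HEAD|POST)$ ) {
            return 405;
        }
    }
  CONF
  wrong_status: <<~CONF,
    server {
        if ( $request_method !~ ^(GET|HEAD|POST)$ ) {
            return 200;
        }
    }
  CONF
  no_restriction: <<~CONF
    server {
        # TODO: limit methods to GET, HEAD and POST
        listen 80;
    }
  CONF
}.freeze

# Run one pattern over every sample; returns { sample_name => matched? }.
def evaluate(regex)
  SAMPLES.transform_values { |conf| conf.match?(regex) }
end

puts "proposed:     #{evaluate(proposed_check(HTTP_METHODS))}"
puts "if-line only: #{evaluate(if_line_only(HTTP_METHODS))}"
puts "unescaped:    #{evaluate(proposed_check('GET|HEAD|POST'))}"
```

Only the escaped method list makes the proposed pattern reject the `return 200;` block and the configuration with no restriction at all; the unescaped list reports every sample as passing.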