Information Security

Nginx Security Hardening: Preventing DDoS, SQL Injection, XSS, and Other Attacks

This guide outlines practical Nginx configuration techniques to mitigate DDoS, SQL injection, path traversal, XSS, host header injection, clickjacking, and other security threats while also covering SSL/TLS encryption, server token hiding, and essential command‑line operations.

Laravel Tech Community

This article presents a series of Nginx configuration snippets and best‑practice recommendations aimed at strengthening server security against common attacks.

1. Prevent DDoS attacks: limit connection frequency, throttle request rates, and block suspicious IPs using the allow and deny directives.

# Reject requests from 1.2.3.4 and allow all others
location / {
  deny 1.2.3.4;
  allow all;
}
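
The connection and request-rate limiting the item mentions, as an added example that is not from the original article; the zone names, rates, timeouts and the sample address are assumptions chosen for illustration:

```nginx
# Added example (not from the original article): rate and connection limiting.
# Zone names, rates, timeouts and the blocked address are assumptions.

http {
    # 10 MB shared zone keyed by client IP; allow 10 requests per second per IP
    limit_req_zone $binary_remote_addr zone=req_per_ip:10m rate=10r/s;

    # Zone for counting concurrent connections per IP
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

    # Return 429 instead of the default 503 when a limit is hit, so the
    # events are easy to tell apart from real upstream failures in logs
    limit_req_status 429;
    limit_conn_status 429;

    server {
        listen 80;
        server_name example.com;

        # Block a known-bad address and allow everyone else (the deny/allow
        # pair from the article); the limits below still apply to everyone
        deny 1.2.3.4;
        allow all;

        # Allow short bursts of 20 extra requests without delaying them;
        # anything beyond the burst is rejected immediately
        limit_req zone=req_per_ip burst=20 nodelay;

        # At most 20 simultaneous connections from one IP
        limit_conn conn_per_ip 20;

        # Cut off slow clients that never finish sending a request
        client_header_timeout 10s;
        client_body_timeout 10s;
        send_timeout 10s;
        client_max_body_size 1m;

        location / {
            root /path/to/your/website;
        }
    }
}
```

Rejected requests are recorded in the error log with a "limiting requests" or "limiting connections" message, which is the signal to watch when tuning the rate. These limits protect the application from abusive clients; they do not absorb a volumetric flood that saturates the link, which has to be handled upstream of the server.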

2. Prevent SQL injection: filter and validate user input, use ORM frameworks and parameterized queries, avoid dynamic SQL, regularly patch database software, and restrict database privileges.

1. Use an ORM to automatically escape inputs.
2. Use prepared statements for all queries.
3. Validate and filter input on both front‑end and back‑end.
4. Disallow dynamic SQL in code.
5. Keep DB software and patches up‑to‑date.
6. Grant only necessary DB permissions.

3. Prevent file-path traversal: set a proper root and index, deny access to hidden files, and use alias to isolate directories.

server {
  ...
  # Serve files only from this directory tree
  root /path/to/your/website;
  index index.html;
}

# Deny access to hidden files and directories (e.g. .git, .env, .htaccess)
location ~ /\. {
  deny all;
}

# Map /images/ onto a separate directory outside the document root
location /images/ {
  alias /path/to/your/images/;
}
```
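
The alias snippet above is correct only because both the location prefix and the alias path end in a slash. The following added example, which is not from the original article (all paths are placeholders), shows the weak form beside the corrected one and adds the exception that most deployments need for the hidden-file rule:

```nginx
# Added example (not from the original article); paths are placeholders.

server {
    listen 80;
    server_name example.com;
    root /path/to/your/website;
    index index.html;

    # WEAK: the prefix has no trailing slash but the alias does. A request for
    # /images../secret resolves to /path/to/your/images/../secret, one directory
    # above the intended one (the "off-by-slash" alias misconfiguration).
    #location /images {
    #    alias /path/to/your/images/;
    #}

    # CORRECTED: prefix and alias both end in "/", so the slash is part of the
    # match and nothing can be appended to the prefix before the separator.
    location /images/ {
        alias /path/to/your/images/;
    }

    # Let ACME (Let's Encrypt) challenges through: "^~" stops nginx from
    # evaluating the regex rule below for this prefix.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    # Deny every dotfile and dot-directory (.git, .env, .htaccess, ...)
    # anywhere under the root, and keep them out of the access log.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
}
```

Nginx normalizes "../" segments in the request URI before matching, so a plain root-based location is not vulnerable to "/images/../etc/passwd"; the alias case is the exception because the traversal is introduced after matching. Run nginx -t after the change and request "/images../" to confirm it now returns 404 rather than a listing or file.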

4. Prevent XSS attacks: add the X-XSS-Protection header.

add_header X-XSS-Protection "1; mode=block";

5. Protect sensitive information: enforce HTTPS and set security-related response headers.

add_header X-Content-Type-Options nosniff;

6. Prevent HTTP Host header injection: restrict server_name and validate $http_host with an if block.

server {
  listen 80;
  server_name example.com;
  ...

  # "if" is only valid inside a server or location block. Drop any request
  # whose Host header is not exactly example.com; 444 closes the connection
  # without sending a response.
  if ($http_host != "example.com") {
    return 444;
  }
}
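
The if check above compares the raw header, so a Host of "example.com:80" or a different letter case fails it. The usual way to get the same effect for every virtual host at once is a catch-all default server, shown here as an added example that is not from the original article; the backend address and the IPv6 listeners are assumptions:

```nginx
# Added example (not from the original article). Backend address is assumed.

# Without a default server, nginx serves a request with an unknown Host
# header from the first server block it finds. This catch-all receives it
# instead and closes the connection (444) without a response.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# Same for HTTPS: refuse the TLS handshake when the SNI name matches no
# server_name (ssl_reject_handshake requires nginx 1.19.4 or later and
# needs no certificate in this block).
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# The real site: only the exact names listed here reach it.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    location / {
        # $host is the name nginx matched, not the raw header, so a forged
        # Host value never reaches the application or a redirect target.
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;   # assumed backend
    }
}
```

Check the result with "curl -s -o /dev/null -w '%{http_code}' -H 'Host: attacker.test' http://example.com/": curl reports an empty reply because the connection is closed, while a request with the correct Host still returns 200.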

7. Authentication and authorization: use Nginx's built-in basic authentication or OAuth modules for identity verification.

8. Enable SSL/TLS encryption: configure the server to listen on port 443 with the appropriate certificates.

server {
  listen 443 ssl;
  server_name example.com;
  ssl_certificate /path/to/cert.pem;
  ssl_certificate_key /path/to/key.pem;
  # other SSL settings
}
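
What "other SSL settings" typically means in practice, as an added example that is not from the original article: only TLS 1.2 and 1.3 are offered, weak cipher suites are removed, plain HTTP is redirected, and HSTS is set. Certificate paths and host names are placeholders.

```nginx
# Added example (not from the original article); paths and names are placeholders.

# Redirect all plain-HTTP traffic to HTTPS. $host is the matched server name,
# so a forged Host header cannot steer the redirect to another site.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /path/to/fullchain.pem;   # leaf certificate + intermediates
    ssl_certificate_key /path/to/key.pem;         # readable by root only (mode 0600)

    # Offer only current protocol versions; SSLv3, TLS 1.0 and 1.1 are not enabled
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites limited to forward-secret AEAD ciphers; TLS 1.3 suites
    # are fixed by the protocol and not affected by this list
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # With only strong suites offered, let the client choose (e.g. CHACHA20 on
    # devices without AES hardware)
    ssl_prefer_server_ciphers off;

    # Session resumption via the server-side cache; tickets are disabled because
    # a long-lived ticket key would undermine forward secrecy
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Tell browsers to use HTTPS only for this host (and subdomains) for a year.
    # "always" sends the header on error responses too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /path/to/your/website;
    index index.html;
}
```

After nginx -t and a reload, "openssl s_client -connect example.com:443 -tls1_1 </dev/null" should fail the handshake, while "-tls1_2" and "-tls1_3" succeed; that confirms the protocol restriction is in effect. Set includeSubDomains only after verifying every subdomain is reachable over HTTPS, since browsers cache the policy for the full max-age.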

9. Hide server version information: turn off server_tokens.

server_tokens off;

10. Prevent clickjacking : set the X-Frame-Options header to SAMEORIGIN (or DENY as needed).

# X-Frame-Options can be DENY, SAMEORIGIN, or ALLOW-FROM
add_header X-Frame-Options "SAMEORIGIN";
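
Items 4, 5 and 10 all set response headers, so one added example (not from the original article) covers them together, including the add_header inheritance rule that silently drops headers in practice. The Content-Security-Policy value, the /api/ location and the snippet path are assumptions to be adapted to the application.

```nginx
# Added example (not from the original article). CSP policy, location paths
# and the snippet file path are assumptions.

server {
    listen 443 ssl;
    server_name example.com;
    # ... certificate and TLS settings ...

    # Headers from the article. "always" makes nginx send them on 4xx/5xx
    # responses as well, not only on 2xx/3xx.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Content-Security-Policy is the current control for both XSS and framing:
    # script-src restricts where scripts load from and blocks inline scripts;
    # frame-ancestors is the replacement for the obsolete ALLOW-FROM value.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self'" always;

    # Limit what the Referer header leaks to other origins
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # X-XSS-Protection (item 4) is deprecated and no longer honoured by most
    # current browsers; keep it for legacy clients and rely on CSP above.
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        root /path/to/your/website;
        # No add_header here, so every server-level header above is inherited.
    }

    # PITFALL: add_header is inherited from the enclosing level ONLY when the
    # current level defines no add_header of its own. This location sets one
    # header, so it would lose all the headers above unless they are repeated.
    location /api/ {
        add_header Cache-Control "no-store" always;
        # Repeat the security headers here, e.g. from a shared file that
        # contains the same add_header lines (assumed path):
        include /etc/nginx/snippets/security-headers.conf;
        proxy_pass http://127.0.0.1:8080;   # assumed backend
    }
}
```

Verify on every path, not just the home page: "curl -sI https://example.com/api/ | grep -i -E 'x-frame|content-security|nosniff'" shows immediately whether a location with its own add_header dropped the server-level headers. Deploy a new CSP with Content-Security-Policy-Report-Only first to see what it would block before enforcing it.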

The following Nginx commands are useful for starting, testing, reloading, and stopping the server.

# Start Nginx
cd /usr/local/nginx/sbin
./nginx

# Show version
./nginx -v

# Check configuration syntax
./nginx -t

# Reload configuration
./nginx -s reload

# Graceful shutdown
./nginx -s quit

# Forceful shutdown
./nginx -s stop
Written by

Laravel Tech Community

Specializing in Laravel development, we continuously publish fresh content and grow alongside the elegant, stable Laravel framework.
