Security

A secure Nginx deployment applies multiple overlapping layers of protection. This module covers every layer — from firewall to TLS to application-level request filtering.


Security Layers

[ Firewall ] → only expose ports 80, 443
[ TLS ] → strong ciphers, TLS 1.2/1.3 only, HSTS
[ Headers ] → X-Frame-Options, CSP, HSTS, etc.
[ Rate Limiting ] → limit_req, limit_conn
[ IP Access ] → allow/deny rules
[ Request Filtering ] → block bad user agents, methods, paths

What You Will Learn

  • How to configure TLS correctly — ciphers, protocols, OCSP stapling, session tickets
  • What every HTTP security header does and how to set them in Nginx
  • How limit_req_zone and limit_conn_zone work for rate limiting
  • How to restrict access by IP using allow and deny
  • How to block malicious requests at the Nginx level

Topics in This Module


Best Practices

  • Use ssl_protocols TLSv1.2 TLSv1.3; never enable TLS 1.0 or 1.1, and leave SSLv3 out entirely
  • Add HSTS only after you are certain HTTPS is working permanently; browsers cache the policy for the full max-age, so start with a short max-age and raise it once every host covered by the header has been verified over HTTPS
  • Apply rate limiting to login endpoints and API routes specifically, keyed on the client address, rather than throttling the whole site
  • Block access to .env, .git, and other config or backup files via location rules, and answer 404 rather than 403 so the response does not confirm that the file exists
  • Keep server_tokens off; it removes the version from the Server header and from Nginx error pages (the server still identifies itself as nginx, so treat this as hygiene, not as protection)
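
The server block below is an added example that is not part of the module's own material; it puts the practices above together with the layers from the diagram at the top of the page (TLS settings, security headers, limit_req/limit_conn zones, allow/deny for an admin path, and request filtering by method, user agent and path). The hostname, certificate paths, the 127.0.0.1:8080 upstream, the 10.20.0.0/16 admin range, the resolver address and the user-agent list are all placeholders chosen for illustration.

```nginx
# Added example, not from the module page: placeholder names and paths throughout.
# Zones live in the http {} context and are keyed on the client address; behind a
# load balancer set real_ip_header/set_real_ip_from first, or every client shares one key.
limit_req_zone  $binary_remote_addr zone=login:10m rate=5r/m;
limit_req_zone  $binary_remote_addr zone=api:10m   rate=10r/s;
limit_conn_zone $binary_remote_addr zone=perip:10m;

# Flag scanner user agents (constructed list) for the request filter below.
map $http_user_agent $bad_ua {
    default                   0;
    ""                        1;   # empty User-Agent
    ~*(sqlmap|nikto|masscan)  1;
}

# Hide the version string from the Server header and error pages.
server_tokens off;

server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # Keep HTTP-01 challenges reachable so certificate renewal keeps working.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
    }
    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate         /etc/nginx/tls/example.com.fullchain.pem;
    ssl_certificate_key     /etc/nginx/tls/example.com.key;
    ssl_trusted_certificate /etc/nginx/tls/example.com.chain.pem;

    # TLS 1.2/1.3 only, AEAD suites with forward secrecy, no session tickets
    # (the ticket key stays in memory until restart, which weakens forward secrecy).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling needs a resolver to fetch responses; 127.0.0.53 assumes systemd-resolved.
    ssl_stapling        on;
    ssl_stapling_verify on;
    resolver 127.0.0.53 valid=300s;

    # "always" attaches the headers to 4xx/5xx responses too. HSTS: roll out with
    # max-age=300, then raise to 63072000 (two years) once all subdomains serve HTTPS.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'; object-src 'none'" always;

    limit_conn perip 20;

    # Request filtering: unexpected methods and flagged user agents are rejected early.
    if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$) { return 405; }
    if ($bad_ua) { return 403; }

    # Dotfiles (.env, .git/, .htaccess) and config/backup extensions: answer 404,
    # not 403, so the response does not confirm that the file exists.
    location ~ /\.(?!well-known/) { return 404; }
    location ~* \.(env|ini|conf|bak|old|sql|log|ya?ml)$ { return 404; }

    # Login: 5 requests/minute per client with a small burst, then 429.
    location = /login {
        limit_req zone=login burst=5 nodelay;
        limit_req_status 429;
        proxy_pass http://127.0.0.1:8080;
    }
    location /api/ {
        limit_req zone=api burst=20 nodelay;
        limit_req_status 429;
        proxy_pass http://127.0.0.1:8080;
    }

    # IP access control for an admin path (placeholder range).
    location /admin/ {
        allow 10.20.0.0/16;
        deny  all;
        proxy_pass http://127.0.0.1:8080;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Two points to check before deploying a variant of this: add_header is inherited from the server block only by locations that declare no add_header of their own, so any location that adds even one header must repeat the whole set; and the limit zones key on $binary_remote_addr, which behind a proxy or load balancer is the proxy's address unless the realip module is configured. Validate with nginx -t before reloading.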

Success Checkpoint

By the end of this module you should be able to configure TLS correctly, set all important security headers, apply rate limiting to sensitive endpoints, and block common attack patterns.