Skip to content

Security warnings#284

Open
DemiMarie wants to merge 3 commits into
nginx:mainfrom
DemiMarie:security-warnings
Open

Security warnings#284
DemiMarie wants to merge 3 commits into
nginx:mainfrom
DemiMarie:security-warnings

Conversation

@DemiMarie

Copy link
Copy Markdown

Proposed changes

Nginx has various security limitations:

  • Modules that proxy to upstream servers (HTTP/1.x, FastCGI, uwsgi, SCGI) assume that the upstream server is trusted
  • Modules that set headers, trailers, URLs, or request methods do not check that the result is valid.

Checklist

Before creating a PR, run through this checklist and mark each as complete:

NGINX does not try to protect itself against untrusted upstream servers.
Document this.
It's a severe security vulnerability in misconfigured NGINX instances.
It is a severe vulnerability affecting misconfigured NGINX instances.
@pluknet

pluknet commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

While I generally support the idea to explicitly document a concept of trusted backends (and other similar origins) to address the progressively decreasing entry level, this should be done is a more correct and fine-grained way, avoiding bold / unsubstantiated statements and other FUD.
Also, the nginx reference documentation is not a bug-tracker or Beginner's guide, something more concise should be enough.

I will keep it open in order to not forget to do this properly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants