nginx hardening snippet: server-context directives (security headers, plus User-Agent, path, query-string and file-extension filtering). Not a command; paste inside a `server { }` block.
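# --- Security headers --------------------------------------------------------
# NOTE: nginx does not merge add_header across configuration levels. If any
# `location` in this server declares its own add_header, it must repeat these
# lines or its responses go out without them. Strict-Transport-Security and
# Content-Security-Policy are deliberately not set here: HSTS belongs only in
# the TLS server block and CSP needs a value worked out for this site.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# The legacy XSS auditor is gone from current browsers and, where it still
# runs, its blocking mode has been abused for cross-site leaks. "0" disables
# it, which is the current recommendation, instead of opting in with
# "1; mode=block".
add_header X-XSS-Protection "0" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# --- Request filtering -------------------------------------------------------
# Everything below is hygiene, not a security boundary: User-Agent and the
# query string are attacker-controlled, so these rules only stop tooling that
# keeps its default identifiers. Real protection must come from the
# application (authentication, parameterized queries, output encoding).

# Drop scanners that announce themselves in the User-Agent (case-insensitive).
if ($http_user_agent ~* "(sqlmap|nikto|nmap|masscan|acunetix|netsparker|nessus|openvas|burpsuite|w3af|dirb|gobuster|wfuzz|ffuf)") {
    return 403;
}

# Drop requests that send no User-Agent at all. This also rejects `curl -A ""`
# and monitoring probes that omit the header; exempt those if they are needed.
if ($http_user_agent = "") {
    return 403;
}

# Hidden files and directories: any path segment starting with "." (.git/,
# .svn/, .env, .env.local, .htaccess, ...). Anchoring on `\.git$` alone would
# still let `/.git/config` and `/.env.local` through, so no end anchor is
# used. Regex locations match the decoded, normalized $uri, so percent-encoded
# dots do not bypass this. /.well-known/ is exempted for ACME and security.txt.
location ~ /\.(?!well-known/) {
    return 403;
}

# Admin and login paths. `(/|$)` matches the path itself and everything
# beneath it (`/admin`, `/admin/`, `/admin/users`); a bare `$` would only
# match the exact path. NOTE(review): `login`, `api/login` and `api/v1/login`
# also block this site's own login route if it has one -- remove those
# entries if the application serves them. Regex locations are tried in the
# order written and the first match wins.
location ~ ^/(admin|wp-admin|wp-login(\.php)?|phpmyadmin|config\.php|api/v1/login|api/login|login)(/|$) {
    return 403;
}

# Reject POST to endpoints this site never accepts form / server-action posts
# on. Exact-path match only; sub-paths are not covered. A 405 should carry an
# Allow header, but `add_header Allow` inside this location would suppress the
# inherited security headers for it (see the note at the top), so it is left
# out.
location ~ ^/(_next/formaction|api/formaction|formaction|actions|server-actions|apps)$ {
    if ($request_method = POST) {
        return 405;
    }
}

# Query-string probes. $args is the raw, un-decoded query string, so
# `%53elect` or `se%6cect` bypasses this; it only catches unencoded probes.
# Patterns are phrased as SQL / HTML constructs rather than bare words so that
# ordinary values such as `?q=select`, `?action=delete` or `?tab=script` are
# not rejected.
if ($args ~* "(union\s+(all\s+)?select|select\s+[^&]*\s+from|insert\s+into|delete\s+from|drop\s+(table|database)|\bexec(\s+(xp_|sp_)|\s*\()|<script|javascript:|on(error|load)\s*=)") {
    return 403;
}

# Source, config, backup and dump files by extension. `~*` makes the match
# case-insensitive so `.SQL` or `.Bak` do not bypass it; matched against the
# decoded $uri, so a query string after the name does not matter.
location ~* \.(env|git|svn|htaccess|htpasswd|ini|log|sh|sql|bak|backup|old|tmp|temp)$ {
    return 403;
}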