What is it?
Horusec-Nginx is a SAST tool created by Horusec’s team to search for vulnerabilities on Nginx projects.
Improper Restriction of Rendered UI Layers or Frames
Your Nginx file must include the X-Frame-Options header. A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to. For more information checkout the CWE-1021 advisory.
Missing X-Content-Type-Options header
Setting this header will prevent the browser from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header (e.g. treating text/plain as text/css). For more information checkout content-type options.
Missing Content-Security-Policy header
Exposure of Sensitive Information
Your Nginx file must include ‘server_tokens off;’ configuration. There are many different kinds of mistakes that introduce information exposures. The severities of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. For more information checkout the CWE-200 advisory.
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.