NGINX must restrict the ability of individuals to launch denial-of-service (DoS) attacks against other information systems.

Severity: medium
Group ID: V-278394
Group Title: SRG-APP-000246
Version: NGNX-APP-001030
Rule ID: SV-278394r1171934_rule
Date: 2026-01-07
STIG Version: 1

Description
DoS is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Individuals of concern can include hostile insiders or external adversaries that have successfully breached the information system and are using the system as a platform to launch cyberattacks on third parties. Applications and application developers must take the steps needed to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example, applications may include mechanisms that throttle network traffic so users are not able to generate unlimited network traffic via the application. Limiting system resources allocated to any user to a bare minimum may also reduce the ability of users to launch some DoS attacks. The methods employed to counter this risk will be dependent upon the application layer methods that can be used to exploit it.
Check
Determine the path to NGINX config file(s):

    # nginx -qT | grep "# configuration"
    # configuration file /etc/nginx/nginx.conf:

Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.

Verify that the timeout and send timeout directives exist in the config file and that a timeout value of 10 seconds (or less) has been configured for client headers and body.

    nginx -c <path to nginx config> -qT | grep timeout
    client_body_timeout 10s;
    client_header_timeout 10s;
    send_timeout 10s;

If the client_header_timeout, client_body_timeout and send_timeout are unset or have values greater than 10, this is a finding.
Fix
Determine the path to NGINX config file(s):

    # nginx -qT | grep "# configuration"
    # configuration file /etc/nginx/nginx.conf:

Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included.

Add or modify the client_body_timeout, client_header_timeout and send_timeout directives to have a value of 10 seconds or lower. Setting this value in the http context will cover everything unless overridden in subsequent server or location contexts.

    client_body_timeout 10s;
    client_header_timeout 10s;
    send_timeout 10s;

After saving the configuration, reload NGINX:

    # nginx -s reload
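
The grep in the check matches every directive whose name contains "timeout" and shows values as written, so a value such as 1m or an override in a server or location context is easy to miss. The following added example (not part of the STIG; the sample configuration and the function names are constructed for illustration) parses the dumped configuration, converts NGINX time values to seconds, and reports each of the three directives that is unset or set above 10 seconds.

```python
import re
import sys

REQUIRED = ("client_body_timeout", "client_header_timeout", "send_timeout")
LIMIT_SECONDS = 10
# nginx time suffixes; a value without a suffix is in seconds
UNIT_SECONDS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400,
                "w": 604800, "M": 2592000, "y": 31536000}

# Constructed sample of `nginx -qT` output (not from a real host)
SAMPLE = """\
# configuration file /etc/nginx/nginx.conf:
http {
    client_body_timeout 10s;
    client_header_timeout 10s;
    proxy_send_timeout 60s;  # a different directive, not send_timeout
    server {
        location /upload {
            client_body_timeout 1m;  # override above the limit
        }
    }
}
"""

def to_seconds(value):
    """Convert an nginx time value ('10', '10s', '1m', '1m30s') to seconds."""
    parts = re.findall(r"(\d+)\s*(ms|[smhdwMy])?", value)
    if not parts:
        raise ValueError(f"not an nginx time value: {value!r}")
    return sum(int(n) * UNIT_SECONDS[u or "s"] for n, u in parts)

def audit(config_text):
    """Return findings for the dumped config; an empty list means compliant."""
    # Drop comments (assumes no '#' inside quoted values)
    text = re.sub(r"#[^\n]*", "", config_text)
    findings = []
    for name in REQUIRED:
        # The lookbehind keeps proxy_send_timeout etc. from matching send_timeout
        values = re.findall(r"(?<!\w)" + name + r"\s+([^;{}]+);", text)
        if not values:
            findings.append(f"{name}: unset")
        # Check every occurrence: server/location blocks can override http
        for v in values:
            if to_seconds(v) > LIMIT_SECONDS:
                findings.append(f"{name}: {v.strip()} exceeds {LIMIT_SECONDS}s")
    return findings

if __name__ == "__main__":
    # Pass "-" to read `nginx -qT` output from stdin; otherwise use the sample
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

To audit a live configuration, pipe the dump into the script, for example `nginx -qT | python3 check_timeouts.py -` (check_timeouts.py is a hypothetical file name).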