NGINX must separate API maintenance sessions from other network sessions within the system by logically separated communications paths.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-278409	SRG-APP-000880	NGNX-APP-003060	SV-278409r1171979_rule	2026-01-07	1

Description
Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Communications paths can be logically separated using encryption. Satisfies: SRG-APP-000880, SRG-APP-000039

ℹ️ Check
If not using the NGINX API, this is Not Applicable. Determine path to NGINX config file: # nginx -qT \| grep "# configuration" # configuration file /etc/nginx/nginx.conf: Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. Check that the nginx.conf file contains the API directive and a separate listen address: http { server { listen 192.168.0.1:80; location / { proxy_pass http://backend; } location /api { api write=on; } } } If the API is running on the same network as production traffic, this is a finding.

ℹ️ Check

If not using the NGINX API, this is Not Applicable. Determine path to NGINX config file: # nginx -qT | grep "# configuration" # configuration file /etc/nginx/nginx.conf: Note: The default NGINX configuration is "/etc/nginx/nginx.conf", though various files may also be included. Check that the nginx.conf file contains the API directive and a separate listen address: http { server { listen 192.168.0.1:80; location / { proxy_pass http://backend; } location /api { api write=on; } } } If the API is running on the same network as production traffic, this is a finding.

✔️ Fix
Configure the API directive to use a separate listen address from production traffic: http { server { listen 192.168.0.1:80; location / { proxy_pass http://backend; } } server { listen 10.0.0.1:80; location /api { api write=on; } } } After saving the updated config, restart NGINX: nginx -s reload.