Gixy: NGINX Security & Config Hardening Scanner¶
Overview¶

Gixy is an open source NGINX analyzer that reviews your configuration for security risks, misconfigurations, and missed hardening opportunities—before they ever reach production.
Use Gixy to run automated NGINX configuration security audits and to harden your nginx.conf against SSRF, HTTP response splitting, Host header spoofing, version disclosure and other weaknesses, as well as against misconfigurations that degrade performance and slow down nginx.
Why Gixy Matters for NGINX Security & Compliance¶
nginx -t only checks that the configuration parses and loads; it says nothing about whether the directives are safe. Gixy analyzes the configuration itself to surface unhardened areas, vulnerabilities, and performance pitfalls. Run it locally or in CI/CD on every change for automated NGINX security and compliance checks.
Currently supported Python versions are 3.6 through 3.13.
Platform Note
Gixy is well tested only on GNU/Linux and macOS; other operating systems may have some issues.
Harden NGINX with maintained RPMs
Use NGINX Extras by GetPageSpeed for continuously updated NGINX and modules on RHEL/CentOS/Alma/Rocky.
What Gixy Can Detect¶
Gixy finds security and performance issues in nginx.conf and the files it includes. The following checks are available:
Security Vulnerabilities¶
- Server Side Request Forgery (SSRF)
- HTTP Response Splitting
- Request's Host Header Forgery
- Problems with Referrer/Origin Validation
- Path Traversal via Misconfigured Alias
- Proxy Pass Path Normalization Issues
- Regular Expression Denial of Service (ReDoS)
Header & Response Security¶
- Redefining Response Headers by "add_header" Directive
- Multiline Response Headers
- Setting Content-Type via add_header
- Missing or Weak HSTS Header
SSL/TLS Security¶
Access Control & Validation¶
Configuration Best Practices¶
- If is Evil When Used in Location Context
- Using Insecure Values for server_tokens
- Using External DNS Nameservers
- Static DNS Resolution in proxy_pass
- Missing default_server Flag
- Error Log Disabled
- Hash Directive Without Default
Regex & Pattern Issues¶
Performance Checks¶
Something not detected? Please open an issue on our GitHub repository with the "new check" label.
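Two of the checks above, as an added example that is not Gixy's own code: a minimal nginx.conf tokenizer and parser in Python, with the alias-traversal and http_splitting checks re-implemented and run over constructed vulnerable and hardened snippets (the http_splitting sample is the $action location from the Usage output below). The tokenizer, the newline heuristic in may_match_newline and the SINKS list are this example's simplifications, not Gixy's rules.

```python
# Added illustration, not Gixy's own code: two of the checks above re-implemented minimally.
import re
from collections import namedtuple

Directive = namedtuple("Directive", "name args children")  # children is empty for `name args;`
# Tokens: comments, quoted strings, the structural characters { } ; and bare words.
# Simplification: a `{` inside a regex quantifier such as \d{4} is not special-cased.
TOKEN_RE = re.compile(r"""#[^\n]*|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[{};]|[^\s{};"']+""")

def parse(tokens):
    """Recursive-descent parse of one `{ ... }` body (or the whole file)."""
    children, args = [], []
    for tok in tokens:
        if tok == "}":
            break
        if tok in ";{":
            # on `{`, recurse on the shared iterator, which consumes up to the matching `}`
            children.append(Directive(args[0], args[1:], parse(tokens) if tok == "{" else []))
            args = []
        else:
            args.append(tok)
    return children

def walk(directives):
    for d in directives:
        yield d
        yield from walk(d.children)

def location_parts(loc):
    """(modifier, pattern) for `location /x`, `location ~ re`, `location = /x`, ..."""
    return tuple(loc.args) if len(loc.args) == 2 else ("", loc.args[0])

def check_alias_traversal(tree):
    """Prefix location without trailing slash + alias: GET /static../x is served from /var/www/static/../x."""
    out = []
    for loc in (d for d in walk(tree) if d.name == "location"):
        mod, path = location_parts(loc)
        if mod not in ("=", "~", "~*") and not path.endswith("/"):
            out += [f"[alias_traversal] location {path} with alias {d.args[0]}: {path}../ escapes it"
                    for d in loc.children if d.name == "alias"]
    return out

NAMED_GROUP_RE = re.compile(r"\(\?P?<(\w+)>|\(\?'(\w+)'")
CLASS_RE = re.compile(r"\[(\^?)((?:\\.|[^\]\\])*)\]")
SINKS = {"add_header", "return", "rewrite", "proxy_pass", "proxy_set_header"}  # assumed sink list

def named_groups(regex):
    """Yield (name, body) for each named capture group, honouring nesting and escapes."""
    for m in NAMED_GROUP_RE.finditer(regex):
        depth, i = 1, m.end()
        while i < len(regex) and depth:
            if regex[i] == "\\":
                i += 2
                continue
            depth += (regex[i] == "(") - (regex[i] == ")")
            i += 1
        yield (m.group(1) or m.group(2)), regex[m.end():i - 1]

def may_match_newline(body):
    """Heuristic: PCRE `.` never matches \\n without the s flag; a negated class that does not
    exclude it (e.g. [^.] or [^/]) does, as do \\s, \\W and \\D outside a class."""
    if any(neg and not re.search(r"\\[nrsv]", cls) for neg, cls in CLASS_RE.findall(body)):
        return True
    return re.search(r"\\[sWD]", CLASS_RE.sub("", body)) is not None

def check_http_splitting(tree):
    """Regex-captured variable that may hold a newline, written into a header, redirect or upstream request."""
    out = []
    for loc in (d for d in walk(tree) if d.name == "location"):
        mod, pattern = location_parts(loc)
        if mod not in ("~", "~*"):
            continue
        unsafe = {n for n, body in named_groups(pattern) if may_match_newline(body)}
        for d in walk(loc.children):
            used = unsafe & set(re.findall(r"\$\{?(\w+)\}?", " ".join(d.args)))
            if d.name in SINKS and used:
                out.append(f"[http_splitting] {d.name} uses ${', $'.join(sorted(used))}, "
                           "which may contain a newline")
    return out

def audit(config_text):
    tokens = (t[1:-1] if t[0] in "\"'" else t for t in TOKEN_RE.findall(config_text) if t[0] != "#")
    tree = parse(tokens)
    return check_alias_traversal(tree) + check_http_splitting(tree)

# Constructed sample configs, not taken from any real deployment.
VULNERABLE = r"""server {
    location /static {                 # no trailing slash: /static../ leaves the alias directory
        alias /var/www/static/;
    }
    location ~ /v1/((?<action>[^.]*)\.json)?$ {
        add_header X-Action $action;   # [^.] also matches \n, so $action can split the response
    }
}"""
HARDENED = r"""server {
    location /static/ {
        alias /var/www/static/;
    }
    location ~ /v1/((?<action>[^.\s]*)\.json)?$ {   # \s excluded: $action cannot hold a newline
        add_header X-Action $action;
    }
}"""
```

audit(VULNERABLE) returns one alias_traversal and one http_splitting finding; audit(HARDENED) returns an empty list. The hardened snippet ends the prefix location with a slash, so the matched prefix can no longer be extended with ../, and excludes whitespace from the captured class so $action cannot carry a CR or LF into the X-Action header.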
Installation¶
CentOS/RHEL and other RPM-based Systems¶
yum -y install https://extras.getpagespeed.com/release-latest.rpm
yum -y install gixy
Other Systems (pip)¶
Gixy is distributed on PyPI. The best way to install it is with pip:
pip install gixy-ng
Run Gixy and check results:
gixy
Usage¶
By default, Gixy analyzes the NGINX configuration at /etc/nginx/nginx.conf, but you can pass another path:
$ gixy /etc/nginx/nginx.conf
==================== Results ===================
Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/dvershinin/gixy/blob/master/docs/ru/plugins/httpsplitting.md
Reason: At least variable "$action" can contain "\n"
Pseudo config:
include /etc/nginx/sites/default.conf;
    server {
        location ~ /v1/((?<action>[^.]*)\.json)?$ {
            add_header X-Action $action;
        }
    }
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 1
Or skip some checks:
$ gixy --skips http_splitting /etc/nginx/nginx.conf
==================== Results ===================
No issues found.
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 0
All other options are listed by the help command: gixy --help
You can also feed a configuration to gixy on stdin by passing - as the path:
echo "resolver 1.1.1.1;" | gixy -
Docker Usage¶
Gixy is available as a Docker image from the Docker Hub. To use it, mount the configuration that you want to analyze as a volume and provide the path to the configuration file when running the Gixy image.
$ docker run --rm -v `pwd`/nginx.conf:/etc/nginx/conf/nginx.conf getpagespeed/gixy /etc/nginx/conf/nginx.conf
If you have an image that already contains your nginx configuration, you can share the configuration with the Gixy container as a volume.
$ docker run --rm --name nginx -d -v /etc/nginx nginx:alpine
f68f2833e986ae69c0a5375f9980dc7a70684a6c233a9535c2a837189f14e905
$ docker run --rm --volumes-from nginx dvershinin/gixy /etc/nginx/nginx.conf
==================== Results ===================
No issues found.
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 0
Contributing¶
Contributions to Gixy are always welcome! You can help us in different ways:
- Open an issue with suggestions for improvements and errors you're facing in the GitHub repository;
- Fork this repository and submit a pull request;
- Improve the documentation.
Code Guidelines¶
- Python code style should follow PEP 8 standards whenever possible;
- Pull requests with new checks must have unit tests for them.
Community Guidelines¶
- Be respectful and constructive in discussions;
- This project uses AI-assisted development - disparaging remarks about AI tooling are unwelcome;
- Focus on the code and ideas, not the tools used to create them.