Status Page Exposed

Gixy Check ID: status_page_exposed

The stub_status module exposes NGINX server metrics including active connections, requests handled, and connection states. Without proper IP restrictions, this information is accessible to anyone and can aid attackers in reconnaissance.

Bad Example

location /status {
    stub_status;
}

Or with an allow rule but no deny all (the access module grants access to any client that matches no rule, so everyone outside 10.0.0.0/8 can still read the page):

location /status {
    stub_status;
    allow 10.0.0.0/8;
}

Good Example

location = /nginx-status {
    stub_status on;
    allow 127.0.0.1;
    allow ::1;
    deny all;
}

Always pair stub_status with explicit allow directives for trusted IPs and a deny all to block everyone else. Access rules are evaluated in order and the first match wins, so deny all must be the last rule; an allow placed after it never matches.
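To show what the check actually has to look for, here is an added example of a small standalone checker for this rule. It is not Gixy's own code and does not use Gixy's parser or API; it tokenizes a config with a minimal brace/semicolon tokenizer, finds every block that enables stub_status, and reports the block when there are no access rules, when deny all is missing, or when deny all is not the last rule. The sample config is constructed for the demonstration and combines the bad and good examples above.

```python
"""
Standalone re-implementation of the idea behind the status_page_exposed
check. Added example; not Gixy's code, and it does not use Gixy's parser.
The tokenizer understands only what this check needs: directives ending
in ';', blocks delimited by '{' '}', and '#' comments.
"""
import re
from dataclasses import dataclass, field

# Constructed sample config: the two bad examples, the good example, and
# an unrelated location that must not be reported.
SAMPLE_CONFIG = """
http {
    server {
        listen 80;

        location /status {
            stub_status;                 # no access control at all
        }

        location /metrics {
            stub_status;
            allow 10.0.0.0/8;            # allow without a final deny all
        }

        location = /nginx-status {
            stub_status on;
            allow 127.0.0.1;
            allow ::1;
            deny all;
        }

        location / {
            root /var/www/html;
        }
    }
}
"""


@dataclass
class Block:
    name: str                                       # e.g. "location /status"
    directives: list = field(default_factory=list)  # [(name, [args]), ...]


# One token per match: a comment, a structural character, or a bare word.
_TOKEN = re.compile(r'\s*(#[^\n]*|[{};]|[^\s{};#]+)')


def parse_blocks(text):
    """Return every block in the config (at any nesting depth) together
    with the directives that belong directly to it. Comments are dropped."""
    tokens = [t for t in _TOKEN.findall(text) if not t.startswith('#')]
    stack, blocks, words = [], [], []
    for tok in tokens:
        if tok == '{':
            blk = Block(' '.join(words))      # words so far name the block
            words = []
            stack.append(blk)
            blocks.append(blk)
        elif tok == '}':
            if stack:
                stack.pop()
        elif tok == ';':
            if stack and words:
                stack[-1].directives.append((words[0], words[1:]))
            words = []
        else:
            words.append(tok)
    return blocks


def check_status_page(text):
    """Return a list of (block name, reason) findings for stub_status
    blocks whose access rules do not end in an effective 'deny all'."""
    findings = []
    for blk in parse_blocks(text):
        if not any(name == 'stub_status' for name, _ in blk.directives):
            continue
        # Access rules in the order nginx evaluates them (first match wins).
        rules = [(n, a) for n, a in blk.directives if n in ('allow', 'deny')]
        if not rules:
            findings.append((blk.name,
                             'stub_status with no allow/deny rules: reachable by anyone'))
        elif ('deny', ['all']) not in rules:
            findings.append((blk.name,
                             'no "deny all": clients matching no allow rule are still permitted'))
        elif rules[-1] != ('deny', ['all']):
            findings.append((blk.name,
                             '"deny all" is not the last rule: later allow lines never match'))
    return findings


if __name__ == '__main__':
    for name, reason in check_status_page(SAMPLE_CONFIG):
        print(f'{name}: {reason}')
```

Running the script reports the /status and /metrics blocks and stays silent on the hardened = /nginx-status block. The third condition goes slightly beyond the page's rule: a block that has deny all but places an allow after it is also reported, because that allow can never match and the trusted address ends up locked out rather than the page exposed.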