A combination of factors makes APIs rich targets for security attacks. We discuss methods for securing APIs throughout their lifecycle, from design and development through delivery, using WAFs, bot protection, API management tools, and API gateways.
Agile Perimeter Security with NGINX App Protect
Establishing a security perimeter around your intranet is no longer enough to protect your apps. We show how to configure NGINX App Protect to establish the perimeter around individual apps as required by today's distributed applications and Zero Trust security mode
Introducing NGINX App Protect: Advanced F5 Application Security for NGINX Plus
With NGINX App Protect, you no longer have to choose between security and performance. It combines the proven effectiveness of F5’s advanced WAF technology with the agility and performance of NGINX Plus, to address the security challenges facing modern DevOps environments.
Using the NGINX Plus Key-Value Store to Secure Ephemeral SSL Keys from HashiCorp Vault
In high-security environments, it's important to store sensitive data like SSL certificate-key pairs in memory only, not on disk. Here we show how to generate ephemeral SSL key pairs using HashiCorp Vault and store them in the in-memory NGINX Plus key-value store.
Ask NGINX | April 2019
In this installment of our "Ask NGINX" series, we discuss how NGINX and NGINX Plus work with Diffie-Hellman, support for Datagram Transport Layer Security, how to control the lifetime of content in the cache, and how to add NGINX ModSecurity WAF to an NGINX Plus subscription.
Protecting SSL Private Keys in NGINX with HashiCorp Vault
The second post of our series about protecting SSL private keys shows how to set up HashiCorp Vault to store the passwords that protect private keys, and to configure NGINX to retrieve the passwords. We also discuss using a hardware security module for even greater security.
Secure Distribution of SSL Private Keys with NGINX
We describe three progressively more secure ways to protect SSL private keys when configuring NGINX to handle HTTPS traffic: allowing read access only to the root user, encrypting keys with separately stored passwords, and distributing passwords from a central repository.
Securing Your API Ecosystem with the NGINX Controller API Management Module
The NGINX Controller API Management Module secures your APIs at every API touchpoint – authenticating and authorizing third-party client applications and developers, rate limiting API calls to mitigate DDoS attacks, and protecting backend applications that process the API calls.
PCI DSS Best Practices with NGINX Plus
With NGINX Plus, it's easy to implement PCI DSS best practices, such as using new versions of TLS rather than the older SSL, encrypting upstream as well as downstream communications, and adding a WAF. Taking these steps will help you pass PCI DSS audits. Here's how to implement them.
Trust No One: The Perils of Trusting User Input
A newly discovered security threat exploits a configuration that allows remote users to specify the server for a request in the HTTP Host header, and thus access potentially sensitive information. In this post we explain how to prevent this "cloud metadata" attack.