NGINX.COM
Web Server Load Balancing with NGINX Plus

Prevent Downtime and Breaches by Securing Your Modern Apps and APIs

Today’s application landscape has changed dramatically. Modern apps are microservices that run in containers, communicate via APIs, and deploy via automated CI/CD pipelines. Everything is optimized for time to market.

DevOps teams need to integrate the non‑disruptive security controls authorized by the security team across distributed environments without slowing release velocity or performance.

NGINX App Protect is a modern app‑security solution that works seamlessly in DevOps environments as you deliver apps from code to customer. Built on F5’s market‑leading WAF, our software runs natively on NGINX Plus and integrates security controls into your apps.

NGINX-App-Protect-what-is@2x

Why NGINX App Protect?

Secured lock with check mark icon

Deploy App‑Centric Security

Push high‑performing, scalable, and proven security closer to your apps, protecting against revenue‑impacting attacks and data thefts

Microservices icon

Protect Modern Apps

Run on NGINX Plus as a WAF that enables consistent app security controls for web applications, microservices, containers, and APIs

Reduce Costs with Automation

Manage and automate approved security controls via CI/CD pipelines, removing workflow bottlenecks and supporting DevOps

How Do We Help You?

Save Time with Seamless NGINX Integration

Are you looking to add a WAF and advanced application security quickly to your NGINX Plus instances?

NGINX App Protect:

  • Enables strong security controls integrated seamlessly with NGINX Plus
  • Outperforms other WAFs for improved user experience
  • Reduces complexity and tool sprawl while delivering modern apps

Secure Apps with Rapid Threat Defense and Analytics

Want scalable, enterprise‑grade security that’s faster and more effective than ModSecurity?

NGINX App Protect:

  • Provides expanded security beyond basic signatures to ensure adequate controls
  • Utilizes F5 app-security technology for efficacy superior to ModSecurity and others
  • Builds on proven F5 expertise, so you can confidently run in “blocking” mode in production
  • Offers high‑confidence signatures for extremely low false positives
  • Increases visibility, integrating with third‑party analytics solutions

Make Security Agile with DevOps Integration

Need to automate security controls with Infrastructure-as-Code built into your CI/CD pipeline?

NGINX App Protect:

  • Integrates security and WAF natively into the CI/CD pipeline
  • Deploys as a lightweight software package that is agnostic of underlying infrastructure
  • Facilitates declarative policies for “security as code” and integration with DevOps tools
  • Decreases developer burden and provides feedback loop for quick security remediation
  • Accelerates time to market and reduces costs with DevSecOps‑automated security

Technical Specifications

Cloud Platforms

Amazon Web Services
Google Cloud Platform Logo
Microsoft Azure Logo

Containers

Architectures

x86 Logo

Operating Systems

CentOS
Debian

For details, see the NGINX App Protect Administration Guide.

Compare Solutions

FeatureNGINX ModSecurity WAFNGINX App Protect
Signatures
Trustwave
F5 (with free updates)
Runs on
NGINX Plus, NGINX Open Source
NGINX Plus
Performance
‘Yes’
    Resource consumption
High
Low
Response Protection
Sensitive data leakage protection
‘Yes’
API security
    Max JSON data length
‘Yes’
    Max value length
‘Yes’
    Max structure depth
‘Yes’
    Max array length
‘Yes’
    Malformed JSON
‘Yes’
    Malformed XML
‘Yes’
    Payload injection
‘Yes’
Evasion techniques
Partial
‘Yes’
Command execution attacks
    Linux commands 
Partial
‘Yes’
    Windows commands 
‘Yes’
Parser attack
    Cookie RFC compliance
‘Yes’
    Null in request
‘Yes’
‘Yes’
    Wrong HTTP protocol version
‘Yes’
‘Yes’
Predictable resource location
‘Yes’
Server‑side code injection
    Insecure deserialization – Node.js
Partial
‘Yes’
    Insecure deserialization  – PHP
Partial
‘Yes’
Injection
    Authentication bypass SQL injection
‘Yes’
    Blind SQL injection
Partial
‘Yes’
    MongoDB injection
Partial
‘Yes’
    Integer field union SQL injection
Partial
‘Yes’
Server‑side request forgery (SSRF) attempt
‘Yes’
‘Yes’
Cross‑site scripting (XSS)
    HTML attribute injection
Partial
‘Yes’
    HTML tag injection
Partial
‘Yes’
    JavaScript injection
Partial
‘Yes’
Support
Only with ModSec paid
Included in the product

Resources

Datasheet

NGINX App Protect

Read more
Blog

Introducing NGINX App Protect: Advanced F5 Application Security for NGINX Plus

Read more

Free Trial Request

Read more
Documentation

NGINX App Protect Documentation

Read more
NGINX Plus Free Trial
NGINX Controller Free Trial
Ask us a question