NGINX.COM

Prevent Downtime and Breaches by Securing Your Modern Apps and APIs

Today’s application landscape has changed dramatically. Modern apps are microservices that run in containers, communicate via APIs, and deploy via automated CI/CD pipelines. Everything is optimized for time to market.

DevOps teams need to integrate the non‑disruptive security controls authorized by the security team across distributed environments without slowing release velocity or performance.

NGINX App Protect is a modern app‑security solution that works seamlessly in DevOps environments as you deliver apps from code to customer. Built on F5’s market‑leading WAF, our software runs natively on NGINX Plus and integrates security controls into your apps.

NGINX-App-Protect-what-is@2x

Why NGINX App Protect?

Secured lock with check mark icon

Deploy App‑Centric Security

Push high‑performing, scalable, and proven security closer to your apps, protecting against revenue‑impacting attacks and data thefts

Microservices icon

Protect Modern Apps

Run on NGINX Plus as a WAF that enables consistent app security controls for web applications, microservices, containers, and APIs

Reduce Costs with Automation

Manage and automate approved security controls via CI/CD pipelines, removing workflow bottlenecks and supporting DevOps

How Do We Help You?

Save Time with Seamless NGINX Integration

Are you looking to add a WAF and advanced application security quickly to your NGINX Plus instances?

NGINX App Protect:

  • Enables strong security controls integrated seamlessly with NGINX Plus
  • Outperforms other WAFs for improved user experience
  • Reduces complexity and tool sprawl while delivering modern apps

Secure Apps with Rapid Threat Defense and Analytics

Want scalable, enterprise‑grade security that’s faster and more effective than ModSecurity?

NGINX App Protect:

  • Provides expanded security beyond basic signatures to ensure adequate controls
  • Utilizes F5 app-security technology for efficacy superior to ModSecurity and others
  • Builds on proven F5 expertise, so you can confidently run in “blocking” mode in production
  • Offers high‑confidence signatures for extremely low false positives
  • Increases visibility, integrating with third‑party analytics solutions

Make Security Agile with DevOps Integration

Need to automate security controls with Infrastructure-as-Code built into your CI/CD pipeline?

NGINX App Protect:

  • Integrates security and WAF natively into the CI/CD pipeline
  • Deploys as a lightweight software package that is agnostic of underlying infrastructure
  • Facilitates declarative policies for “security as code” and integration with DevOps tools
  • Decreases developer burden and provides feedback loop for quick security remediation
  • Accelerates time to market and reduces costs with DevSecOps‑automated security

Technical Specifications

Cloud Platforms

Amazon Web Services
Google Cloud Platform Logo
Microsoft Azure Logo

Containers

Architectures

ARM Logo
PowerPC Logo
x86 Logo

Operating Systems

CentOS
Debian

Compare Solutions

FeatureNGINX ModSecurity WAFNGINX App Protect
Signatures
Trustwave
F5 (with free updates)
Runs on
NGINX Plus, NGINX Open Source
NGINX Plus
Performance
    Requests per second
Low
Up to 20x better
    Latency
High
4x better
Protection
    Data guard
‘Yes’
    Sensitive data signature
‘Yes’
API security
    Max JSON data length
‘Yes’
    Max value length
‘Yes’
    Max structure depth
‘Yes’
    Max array length
‘Yes’
    JSON parsing error tolerance
‘Yes’
    Basic gRPC and GraphQL
‘Yes’
Evasion techniques
‘Yes’
Command execution attacks
    Linux commands 
Partial
‘Yes’
    Windows commands 
‘Yes’
Detection evasion
    Alternative datastream access
‘Yes’
    HTTP Desync attack attempt/request
‘Yes’
‘Yes’
    Path traversal
‘Yes’
‘Yes’
Parser attack
    Cookie not RFC‑compliant
‘Yes’
    Malformed JSON
‘Yes’
    Malformed XML
‘Yes’
‘Yes’
    Null in request
‘Yes’
‘Yes’
    Wrong HTTP protocol version
‘Yes’
‘Yes’
Predictable resource location
‘Yes’
Server‑side code injection
    Insecure deserialization – Node.js
Partial
‘Yes’
    Insecure deserialization  – PHP
Partial
‘Yes’
SQL injection
    Authentication bypass SQL injection
‘Yes’
    Blind SQL injection
Partial
‘Yes’
    MongoDB injection
Partial
‘Yes’
    Integer field union SQL injection
Partial
‘Yes’
Server‑side request forgery (SSRF) attempt
‘Yes’
Cross‑site scripting (XSS)
    HTML attribute injection
Partial
‘Yes’
    HTML tag injection
Partial
‘Yes’
    JavaScript injection
Partial
‘Yes’