NAXSI is an open-source, high performance, low rules maintenance web application firewall (WAF) for Nginx.
NAXSI is based on a white list approach. Instead of blocking the attacks it knows, and accepting the rest of the traffic, this WAF blocks all flows by default and only accepts the ones it knows are legitimate. It therefore behaves like a DROP-by-default firewall.
This method allows you to filter users’ requests at the level of the reverse proxy Nginx to protect websites and applications from potential attacks.
Key Features
- Very fast in operation.
- Good resilience against unknown/obfuscated attacks.
- Good performances (low memory footprint, minimal runtime processing).
- No need for updates of “attack” signatures. It therefore cannot be circumvented by an “unknown” attack pattern.
- White list approach. A nxutil tool helps administrators create a suitable white list.
- Signatures apply only to exceptions, not positive matches. which allows improved resilience against obfuscated / complex attack. However, NAXSI specifically targets only a small subset of modern web app vulnerabilities (XSS, SQLI, R/LFI).
- Uses a small subset of simple scoring rules.
- Strongly assisted learning process.
- Administration requires less knowledge than many WAFs.
- Support for HTTP2.
- Support of libinjection as a virtual patching method.
- Support for RAW_BODY match-zone: Allow rule creation on unknown content-type(s)
- Support for regex matchzones.
- Update independent.
- Similar rule syntax to ModSecurity.
NAXSI lacks some important features that are found in ModSecurity such as audit logging. It also needs to improve its robustness.
Website: github.com/wargio/naxsi
Support:
Developer: NBS System
License: GNU General Public License v3.0
Nginx is an incredibly efficient and powerful HTTP server; a genuine alternative to Apache. Nginx has a single-threaded, asynchronous request-handling model which contrasts with Apache’s process-per-connection. A single Nginx process can scale to handle thousands of concurrent requests while maintaining a minimal memory footprint.
NAXSI is written in C. Learn C with our recommended free books and free tutorials.
Related Software
| Web Application Firewalls | |
|---|---|
| ModSecurity | Web Application Firewall Engine for Apache, IIS and Nginx |
| BunkerWeb | Next-generation Web Application Firewall |
| NAXSI | Nginx Anti XSS & SQL Injection |
| Coraza | Enterprise grade, Golang port of ModSecurity |
| open-appsec | Automatic web application and API security using machine learning |
| lua-resty-waf | High Performance WAF Built on the OpenResty Stack |
Read our verdict in the software roundup.
 Explore our comprehensive directory of recommended free and open source software. Our carefully curated collection spans every major software category.This directory is part of our ongoing series of informative articles for Linux enthusiasts. It features hundreds of detailed reviews, along with open source alternatives to proprietary solutions from major corporations such as Google, Microsoft, Apple, Adobe, IBM, Cisco, Oracle, and Autodesk. You’ll also find interesting projects to try, hardware coverage, free programming books and tutorials, and much more. Discovered a useful open source Linux program that we haven’t covered yet? Let us know by completing this form. |