5.2.3 Ensure the maximum buffer size for URIs is defined

Information

The large_client_header_buffers directive defines the number and size of buffers used for the URI. When this directive is configured, a request cannot exceed the size of this buffer. The large_client_header_buffers directive should be set to restrict buffer usage. The number of buffers should generally be set to two and the length to 1K; however, this may not be a good fit for your application and may need to be set differently.

Rationale:

The large_client_header_buffers directive may assist in preventing buffer overflow attacks that leverage long URI query parameters.

Solution

Open your nginx.conf file and locate your server or HTTP blocks. The directive may be added to the HTTP block to apply to all configurations, or to a server block for more specific configurations to meet your needs. Add the line below to implement this recommendation:

large_client_header_buffers 2 1k;

Default Value:

large_client_header_buffers 4 8k;
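
One way to audit this setting, as an added example that is not part of the benchmark or of nginx: the script below scans configuration text for every large_client_header_buffers directive and reports the default when none is set. It assumes the input is the fully expanded configuration (for instance the output of `nginx -T`), and it treats the recommended `2 1k` as a ceiling; the names `audit` and `SAMPLE` are hypothetical.

```python
import re

# Assumption: the benchmark's "2 1k" is treated as a ceiling, not an exact match.
MAX_NUMBER, MAX_SIZE = 2, 1024
# Value in effect when the directive is absent (the default stated above).
DEFAULT = (4, 8 * 1024)

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}
_DIRECTIVE = re.compile(
    r"(?:^|[;{}\s])large_client_header_buffers\s+(\d+)\s+(\d+)([kKmM]?)\s*;",
    re.MULTILINE,
)


def audit(config_text):
    """Return (number, size_bytes, compliant, source) for every setting found.

    Simplification: '#' always starts a comment; quoted '#' is not handled.
    """
    text = re.sub(r"#.*", "", config_text)
    found = [
        (int(number), int(size) * _UNITS[unit.lower()])
        for number, size, unit in _DIRECTIVE.findall(text)
    ]
    source = "configured"
    if not found:
        found, source = [DEFAULT], "default"
    return [
        (number, size, number <= MAX_NUMBER and size <= MAX_SIZE, source)
        for number, size in found
    ]


# Constructed sample configuration, not taken from a real server.
SAMPLE = """
http {
    # large_client_header_buffers 4 8k;
    large_client_header_buffers 2 1k;
    server {
        listen 80;
        large_client_header_buffers 4 16k;  # server-level override
    }
}
"""

if __name__ == "__main__":
    for number, size, ok, source in audit(SAMPLE):
        print(f"{number} x {size} bytes ({source}): {'PASS' if ok else 'FAIL'}")
```

A server-level override that fails while the http-level value passes is the case a single grep for the directive tends to miss, which is why every occurrence is reported separately.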

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-3, CSCv7|18.1

Plugin: Unix

Control ID: 6f1cdc6b8deb1125d42bbe25367ba4f7f092a16a4ec40b458fbbd6e76c2772dc