2.5.3 Ensure hidden file serving is disabled

Information

Refusing to serve hidden files (files and directories whose names begin with a dot) is a defense-in-depth control that helps prevent the accidental exposure of sensitive information.

Rationale:

Refusing to serve hidden files prevents an attacker from requesting a dotfile that has ended up under a served location and contains sensitive information, for example a .git directory (which exposes source code and history) or a .env file holding credentials.

Impact:

This may break well-known hidden paths that are needed for functionality. For example, it blocks /.well-known/acme-challenge, which Let's Encrypt uses for HTTP-01 validation. To keep such a path reachable, add a location exception like the one below. Because both the exception and the deny rule are regular-expression (~) locations, nginx uses the first regex location that matches in configuration order, so the exception must appear before the deny rule in the same server block (alternatively, use a ^~ prefix location such as location ^~ /.well-known/acme-challenge/, which takes precedence over regex locations regardless of order):

location ~ /\.well-known/acme-challenge {
    allow all;
}

Solution

Edit the nginx.conf file (or the included server configuration) and add the following location block inside each server block that serves files:

location ~ /\. { deny all; return 404; }

The backslash is required: in a regular expression an unescaped "." matches any character, so location ~ /. would match, and deny, every request. The return 404 directive is evaluated before the access phase, so clients receive 404 rather than the 403 that deny all alone would produce, and cannot tell whether the hidden path exists.
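The following server block is an added example, not text from the benchmark, showing the deny rule from the Solution together with the Let's Encrypt exception from the Impact section in the order nginx requires. The hostname, document root and listen port are placeholders.

```nginx
# Added example: complete server block combining the 2.5.3 deny rule
# with the Let's Encrypt exception. Hostname, root and port are
# placeholders, not values from the benchmark.
server {
    listen 80;
    server_name example.com;
    root /var/www/example.com;

    # Exception for ACME HTTP-01 validation. It must come BEFORE the
    # deny rule: both are regex (~) locations, and nginx uses the first
    # regex location that matches, in configuration order.
    location ~ /\.well-known/acme-challenge/ {
        allow all;
    }

    # Equivalent alternative: a ^~ prefix location wins over every regex
    # location regardless of where it appears, so ordering no longer
    # matters.
    # location ^~ /.well-known/acme-challenge/ {
    #     allow all;
    # }

    # 2.5.3: refuse any path component that begins with a dot
    # (/.git/HEAD, /.env, /app/.hidden). The backslash is required:
    # an unescaped "." matches any character and would deny everything.
    # "return 404" runs in the rewrite phase, before "deny all" is
    # checked in the access phase, so the client sees 404 rather than
    # 403 and learns nothing about whether the path exists.
    location ~ /\. {
        deny all;
        return 404;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After loading the configuration (nginx -t, then reload), verify the two cases from a client: a request for /.git/HEAD must return 404 even if that file exists under the document root, while a test file placed under .well-known/acme-challenge/ in the document root must still be returned with 200. If the ACME request also returns 404 for a file that exists, the exception is below the deny rule and must be moved above it.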

Default Value:

This is not set by default.

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-3, CSCv7|18.1

Plugin: Unix

Control ID: dc4ddf63173179481cd6e0d1d27d29b53304ba6b0a58be6db52aba8331ffe791