DeniedUrl

The DeniedUrl directive specifies a list of URL patterns that should be blocked by the NGINX Anti XSS & SQL Injection module.

Syntax: DeniedUrl string | regex;
Default: none
Context: http, server, location, limit_except
Arguments: 1+

Description

The DeniedUrl directive is part of the NGINX Anti XSS & SQL Injection module, also known as Naxsi. This directive allows administrators to define one or more URL patterns that should be denied access. When a request matches any of the specified patterns, Naxsi will block the request, preventing potential XSS and SQL injection attacks. Patterns can include various characters and symbols that are common in malicious requests, such as '<' and '|'. The directive enhances the security posture of NGINX by acting as a firewall that drops requests by default unless explicitly allowed through other configurations.

The directive accepts one or more arguments, allowing for flexibility in specifying complex patterns. Each argument can be any string or regular expression that corresponds to the URLs you wish to block. When multiple patterns are used, they should be separated by whitespace, and Naxsi will process each one according to its defined rules. This capability ensures that an administrator can dynamically respond to the changing landscape of web threats by updating the denied patterns without modifying the core application logic or deploying additional software.

Config Example

http {
    server {
        location / {
            DeniedUrl /admin;
            DeniedUrl /api/v1/*;
            DeniedUrl "*dangerous*";
        }
    }
}

Ensure that regex patterns are correctly formatted; otherwise, they may not evaluate as expected.

Be cautious not to block legitimate requests by overly broad patterns.

Test configurations in a safe environment before deploying to production, as blocking URLs can disrupt application functionality.
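The check below is an added example, not code from the Naxsi project or from this page's author. It runs the three patterns from the config example against a constructed URL list before deployment. It assumes each argument is evaluated as an unanchored regular expression (the page does not specify matching semantics), with Python's `re` standing in for the module's regex engine; `lint_patterns` and the sample URLs are hypothetical.

```python
import re

# Patterns copied from the page's config example.
PATTERNS = ["/admin", "/api/v1/*", "*dangerous*"]

# Constructed sample URLs: True = must stay reachable, False = expected to be blocked.
SAMPLE_URLS = {
    "/": True,
    "/administrator-guide.html": True,
    "/api/v10/status": True,
    "/admin": False,
    "/admin/login": False,
    "/api/v1/users": False,
    "/files/dangerous.exe": False,
}


def lint_patterns(patterns, samples):
    """Return (invalid, false_positives, missed) for a set of deny patterns.

    Assumption: every pattern is an unanchored regex. Patterns that do not
    compile are reported and then ignored, so the gaps they leave show up
    in `missed`.
    """
    invalid, compiled = {}, {}
    for pattern in patterns:
        try:
            compiled[pattern] = re.compile(pattern)
        except re.error as exc:
            invalid[pattern] = str(exc)

    false_positives, missed = {}, []
    for url, must_stay_reachable in samples.items():
        hits = [p for p, rx in compiled.items() if rx.search(url)]
        if must_stay_reachable and hits:
            false_positives[url] = hits   # overly broad pattern
        elif not must_stay_reachable and not hits:
            missed.append(url)            # nothing blocks this URL
    return invalid, false_positives, missed


if __name__ == "__main__":
    invalid, false_positives, missed = lint_patterns(PATTERNS, SAMPLE_URLS)
    print("invalid patterns:", invalid)
    print("legitimate URLs blocked:", false_positives)
    print("unwanted URLs not blocked:", missed)
```

Under these assumptions the glob-style `*dangerous*` fails to compile as a regex, while `/admin` and `/api/v1/*` also match the legitimate `/administrator-guide.html` and `/api/v10/status`.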
