IgnoreCIDR
The IgnoreCIDR directive specifies one or more CIDR ranges whose client addresses are exempted from NAXSI's request inspection (its XSS, SQL injection and other rule checks).
Description
The IgnoreCIDR directive in the NGINX Anti XSS & SQL Injection module (NAXSI) exempts requests from specific IP ranges from NAXSI's rule checks. It is intended for internal traffic or trusted clients whose legitimate requests would otherwise trigger the filters (administrative tools that submit raw SQL or HTML fragments, monitoring probes, and similar). By listing one or more CIDR ranges, an administrator can remove those false positives without loosening the rules for everyone else.
Each entry must be written in standard CIDR notation: an IP address, a slash and the prefix length (the number of leading bits of the subnet mask). For example, 192.168.1.0/24 covers every address from 192.168.1.0 through 192.168.1.255, and a single host is written with a full-length prefix such as 192.168.1.5/32 (NAXSI also provides IgnoreIP for single addresses). The directive is set in the same nginx context as the other NAXSI rule directives, in practice the location block being protected, as in the example below. Multiple CIDR entries can be given in one directive.
Exempting a range is a deliberate hole in the WAF, so the list deserves the same scrutiny as a firewall allow rule. Keep each range as narrow as the use case allows, never use a prefix such as /0 or a whole public range, and review the list regularly against the organisation's policy. Two points are easy to miss. First, the directive matches the client address nginx associates with the connection: if nginx sits behind a load balancer or reverse proxy, that address may be the proxy's, and exempting the proxy's range exempts every client behind it; if the realip module is used to recover the real client address from a header such as X-Forwarded-For, set_real_ip_from must be restricted to the proxies, because otherwise the header, and with it the exemption, is under the client's control. Second, a request from an exempted address is not scored by NAXSI and produces no NAXSI event, so keep nginx access logging for those clients and watch it for unusual activity: a compromised host inside an exempted range reaches the application with no WAF in the way.
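The audit the previous paragraph calls for can be scripted. The following Python, added here as an example and not code from NAXSI or nginx, pulls IgnoreCIDR directives out of a constructed config snippet, validates each entry with the standard library's ipaddress module, flags entries that are too broad, not internal, malformed or ambiguous, and answers whether a given client address would be exempted. The prefix-length thresholds and the set of "internal" ranges are assumptions to adapt to local policy; how NAXSI itself treats an entry with host bits set (192.168.1.5/24) is not stated on this page, so the script reports such entries instead of guessing.

```python
import ipaddress
import re

# One IgnoreCIDR directive: the token(s) between the directive name and ';'.
# nginx directive names are case-sensitive, so no IGNORECASE flag.
IGNORECIDR_RE = re.compile(r"\bIgnoreCIDR\s+([^;#]+);")

# Constructed sample config for this example (not from the page or a real
# deployment); comments use nginx's '#' syntax.
SAMPLE_CONFIG = """
location / {
    SecRulesEnabled;
    IgnoreCIDR 192.168.1.0/24;
    IgnoreCIDR 10.0.0.0/8 172.16.0.0/12;
    IgnoreCIDR 203.0.113.0/24;   # not an internal range
    IgnoreCIDR 0.0.0.0/0;        # exempts every client
    IgnoreCIDR 192.168.1.5/24;   # host bits set: ambiguous
    IgnoreCIDR 192.168.1.9;      # no prefix length
}
"""

# Policy thresholds (assumptions for this example; tune to your network):
# wider than /16 for IPv4 or /48 for IPv6 is reported as too broad.
MAX_IPV4_PREFIX = 16
MAX_IPV6_PREFIX = 48

# What "internal" means here (assumption): RFC 1918, loopback, IPv6 ULA.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7",
)]


def parse_ignore_cidrs(config_text):
    """Return every token of every IgnoreCIDR directive, in file order."""
    entries = []
    for line in config_text.splitlines():
        for m in IGNORECIDR_RE.finditer(line):
            entries.extend(m.group(1).split())
    return entries


def is_internal(net):
    """True if net lies entirely inside one of INTERNAL_NETWORKS."""
    return any(net.subnet_of(n) for n in INTERNAL_NETWORKS if n.version == net.version)


def audit_entry(entry):
    """Validate one IgnoreCIDR token.

    Returns (network, findings): network is an ipaddress network object, or
    None when the token is unusable; findings lists the problems found.
    """
    findings = []
    if "/" not in entry:
        findings.append("no prefix length; use IgnoreIP for a single host or add /32 or /128")
        return None, findings
    try:
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError:
        # Either unparsable, or host bits set (192.168.1.5/24). The latter is
        # ambiguous: the operator may have meant the /24 or just the one host.
        try:
            loose = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append("not a valid CIDR")
            return None, findings
        host = entry.split("/", 1)[0]
        findings.append(f"host bits set; did you mean {loose} or {host}/{loose.max_prefixlen}?")
        return None, findings

    if net.prefixlen == 0:
        findings.append("matches every address: NAXSI is effectively disabled")
    else:
        limit = MAX_IPV4_PREFIX if net.version == 4 else MAX_IPV6_PREFIX
        if net.prefixlen < limit:
            findings.append(f"too broad: /{net.prefixlen} is wider than the /{limit} policy limit")
    if not is_internal(net):
        findings.append("not an internal range: only RFC 1918, loopback and unique-local addresses are treated as internal")
    return net, findings


def audit_config(config_text):
    """Audit a whole config; returns {entry: findings} for entries with issues."""
    report = {}
    for entry in parse_ignore_cidrs(config_text):
        _, findings = audit_entry(entry)
        if findings:
            report[entry] = findings
    return report


def matching_entry(client_ip, config_text):
    """Return the first well-formed IgnoreCIDR entry covering client_ip, else None.

    Answers "would a request from client_ip skip NAXSI inspection?". Entries
    that fail audit_entry are skipped because their effect is not reliable.
    """
    addr = ipaddress.ip_address(client_ip)
    for entry in parse_ignore_cidrs(config_text):
        net, _ = audit_entry(entry)
        if net is not None and addr in net:
            return entry
    return None


if __name__ == "__main__":
    for entry, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{entry}: {'; '.join(findings)}")
    for ip in ("192.168.1.10", "172.20.0.1", "8.8.8.8"):
        hit = matching_entry(ip, SAMPLE_CONFIG)
        print(f"{ip}: {'exempt via ' + hit if hit else 'inspected by NAXSI'}")
```

Run it against a real config by reading the file into audit_config; the 0.0.0.0/0 entry in the sample shows why matching_entry is worth checking for an address you expect to be inspected, since a single over-broad entry silently exempts everyone.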
Config Example
server {
    listen 80;
    server_name example.com;
    location / {
        # NAXSI must be enabled in this location for IgnoreCIDR to have any effect
        SecRulesEnabled;
        # Requests whose client address falls in 192.168.0.0/16 skip NAXSI inspection
        IgnoreCIDR 192.168.0.0/16;
        # Other configuration directives...
    }
}
Notes
CIDR ranges that are too broad let unwanted traffic bypass NAXSI: 192.168.0.0/16 exempts 65,536 addresses, and anything that reaches nginx through a NAT gateway or proxy inside that range inherits the exemption.
Treat any change to the list as a security change: review it, record why each range is exempt, and narrow or remove the range when that reason goes away.
Combine IgnoreCIDR with nginx access logging so that traffic from exempted addresses stays visible, because NAXSI records nothing for requests it does not inspect.