rules_disabled
The "rules_disabled" directive prevents the NAXSI module from enforcing security rules on the specified context.
Description
The "rules_disabled" directive of the Nginx Anti XSS & SQL Injection module (NAXSI) disables the application of security rules for a specific context: http, server, location, or limit_except. It is particularly useful when testing or developing applications where strict adherence to these security rules may hinder legitimate requests, or when certain paths or operations need to bypass security inspection temporarily. When applied, NAXSI does not evaluate incoming requests in that context against its predefined patterns and does not block XSS or SQL injection attempts that its rules would ordinarily catch.
This directive does not accept any arguments, making its implementation straightforward. It simply toggles the rule-checking functionality on or off based on its presence in the specified context. However, it is critical for administrators to use this directive judiciously. Disabling rules can expose applications to vulnerabilities if not managed carefully, especially in a production environment where exposure to malicious traffic is a concern.
Config Example
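    # http context: applies to everything inherited from this block
    http {
        rules_disabled;
    }

    # location context: applies only to requests for /test
    # (the server block itself belongs inside http { })
    server {
        location /test {
            rules_disabled;
        }
    }

Using this directive in a context where it is not applicable may lead to configuration errors or unexpected behavior.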
Disabling rules could expose the application to XSS and SQL injection attacks if not properly managed.
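One way to keep track of where inspection has been switched off is to audit the configuration for every "rules_disabled;" and the context it sits in. The following is an added example, not part of NAXSI or the original page; the sample configuration is constructed, and the "narrow"/"broad" labels are this example's own convention (location and limit_except count as narrow, anything wider as broad).

```python
import re

# Constructed sample configuration (not from the original page).
SAMPLE_CONF = """
http {
    server {
        listen 8080;
        location / {
            proxy_pass http://127.0.0.1:9000;  # inspected normally
        }
        location /test {
            rules_disabled;   # path-scoped exemption
        }
    }
    server {
        rules_disabled;       # covers every location in this server
        location /api { return 204; }
    }
}
"""

# Comments, quoted strings, structural characters, bare words.
TOKEN = re.compile(r'#[^\n]*|"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[{};]|[^\s{};"\']+')

def find_rules_disabled(conf):
    """Return (context_path, scope) for every rules_disabled; in conf."""
    stack, stmt, findings = [], [], []
    for match in TOKEN.finditer(conf):
        tok = match.group(0)
        if tok.startswith("#"):          # comment: ignore
            continue
        if tok == "{":                   # statement so far names the new block
            stack.append(" ".join(stmt))
            stmt = []
        elif tok == "}":                 # leave the current block
            if stack:
                stack.pop()
            stmt = []
        elif tok == ";":                 # end of a simple directive
            if stmt == ["rules_disabled"]:
                ctx = stack[-1].split()[0] if stack else "main"
                scope = "narrow" if ctx in ("location", "limit_except") else "broad"
                findings.append((" > ".join(stack) or "main", scope))
            stmt = []
        else:
            stmt.append(tok)
    return findings

if __name__ == "__main__":
    for path, scope in find_rules_disabled(SAMPLE_CONF):
        print(f"{scope:6} rules_disabled in: {path}")
```

The tokenizer does not follow include directives, so run it over each included file or over the merged output of nginx -T.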