nginx-hardened-fips
Fips
Hardened
Infra
Stig
docker pull reg.mini.dev/nginx-hardened-fips
Updated 6 days ago
CIS NGINX Compliance
Result: 100% Passed
Scan Date
Image Tag
Checks Analyzed: 27
Passed: 27
Failed: 0
Benchmark: CIS NGINX Benchmark v3.0.0
Ensure NGINX is installed
CIS ID: 1.1.1
Status: Passed
Notes: Minimus builds and tests its images to ensure the correct packages are installed and the image functions as expected.
Ensure package manager repositories are properly configured
CIS ID: 1.2.1
Status: Passed
Notes: Minimus builds its images directly from source and manages its own internal CI/CD pipelines.
Ensure the latest software package is installed
CIS ID: 1.2.2
Status: Passed
Notes: Minimus updates the image's NGINX package regularly to incorporate the latest official security releases and validates versions against supported vendor baselines. View the Minimus new version SLA for further information.
Ensure only required dynamic modules are loaded
CIS ID: 2.1.1
Status: Passed
Notes: Minimus ensures that only required dynamic modules are loaded and removes all unnecessary load_module directives.
Ensure NGINX is run using a non-privileged, dedicated service account
CIS ID: 2.2.1
Status: Passed
Notes: Configured to run as a non-root user.
Ensure the NGINX service account is locked
CIS ID: 2.2.2
Status: Passed
Notes: Configured to lock the NGINX service account.
Ensure the NGINX service account has an invalid shell
CIS ID: 2.2.3
Status: Passed (Hardened configuration)
Notes: Configured to ensure the NGINX process user uses a non-interactive shell.
Ensure NGINX directories and files are owned by root
CIS ID: 2.3.1
Status: Passed
Notes: The image's configuration files are owned by root.
Ensure keepalive_timeout is 10 seconds or less, but not 0
CIS ID: 2.4.3
Status: Passed (Hardened configuration)
Notes: Configured with a keepalive_timeout that is no more than 10 seconds (but not 0).
Ensure send_timeout is set to 10 seconds or less, but not 0
CIS ID: 2.4.4
Status: Passed (Hardened configuration)
Notes: Configured with a send_timeout that is no more than 10 seconds (but not 0).
Ensure server_tokens is set to off
CIS ID: 2.5.1
Status: Passed (Hardened configuration)
Notes: Configured with the server_tokens directive set to off to disable version disclosure.
Ensure default error and index.html pages do not reference NGINX
CIS ID: 2.5.2
Status: Passed
Notes: Configured to disable NGINX branding disclosure by replacing the default error and index pages.
Ensure hidden file serving is disabled
CIS ID: 2.5.3
Status: Passed (Hardened configuration)
Notes: Configured to disable hidden file serving.
Ensure detailed logging is enabled
CIS ID: 3.1
Status: Passed
Notes: Configured to ensure logs use a detailed format including key request information.
Ensure access logging is enabled
CIS ID: 3.2
Status: Passed
Notes: Configured to ensure access logs are properly defined with appropriate format and detail.
Ensure error logging is enabled and set to the info logging level
CIS ID: 3.3
Status: Passed
Notes: Configured to ensure error logging is enabled with an appropriate level of detail.
Ensure only modern TLS protocols are used
CIS ID: 4.1.4
Status: Passed (Hardened configuration)
Notes: Configured to ensure only TLSv1.3 is enabled. TLSv1.2 and older are disabled.
Disable weak ciphers
CIS ID: 4.1.5
Status: Passed (Hardened configuration)
Notes: Implicitly satisfied when only TLSv1.3 is enabled (see 4.1.4), as weak cipher configuration is not applicable.
Ensure awareness of TLS 1.3 new Diffie-Hellman parameters
CIS ID: 4.1.6
Status: Passed (Hardened configuration)
Notes: Implicitly satisfied by the configuration of TLSv1.3 only (see 4.1.4), since it uses pre-defined, standardized ECDHE/FFDHE groups. Minimus also verifies ssl_dhparam is absent.
Ensure secure session resumption is enabled
CIS ID: 4.1.11
Status: Passed
Notes: Configured with TLSv1.3, which uses PSK-based resumption with forward secrecy.
Ensure only approved HTTP methods are allowed
CIS ID: 5.1.2
Status: Passed (Hardened configuration)
Notes: Restricts HTTP methods to those required by the application (e.g., GET, POST, HEAD) and blocks dangerous methods like DELETE, PUT, TRACE.
Ensure timeout values for reading the client header and body are set correctly
CIS ID: 5.2.1
Status: Passed (Hardened configuration)
Notes: Set to mitigate slow-read and slow-write DoS attacks. Enforces a 60-second range based on the CIS example values for client_header_timeout, client_body_timeout, and send_timeout.
Ensure the maximum request body size is set correctly
CIS ID: 5.2.2
Status: Passed (Hardened configuration)
Notes: Checks for client_max_body_size to ensure a restrictive default in the HTTP block.
Ensure the maximum buffer size for URIs is defined
CIS ID: 5.2.3
Status: Passed
Notes: The buffer size for request headers is controlled by large_client_header_buffers. CIS states its default value is secure. Avoid custom values, as they present a potential availability or security risk.
Ensure X-Content-Type-Options header is configured and enabled
CIS ID: 5.3.1
Status: Passed (Hardened configuration)
Notes: The X-Content-Type-Options: nosniff header prevents browsers from MIME-sniffing responses, reducing drive-by download attacks. It is set with `always` so the header also appears on error pages.
Ensure that Content Security Policy (CSP) is enabled and configured properly
CIS ID: 5.3.2
Status: Passed (Hardened configuration)
Notes: CSP restricts resource origins to mitigate XSS, data injection, and clickjacking. It is configured with a restrictive default-src ('self' or 'none') and contains frame-ancestors (clickjacking protection). It does not contain unsafe-inline or unsafe-eval.
Ensure the Referrer Policy is enabled and configured properly
CIS ID: 5.3.3
Status: Passed (Hardened configuration)
Notes: The Referrer-Policy header controls how much URL information is leaked to third parties via the Referer header. The header is set with `always` and a value of strict-origin-when-cross-origin or no-referrer.
Out of scope checks
Status: Out of scope
The following checks are not applicable to the Minimus NGINX image:
Sections 2.3.2, 2.3.3, 2.4.1, 2.4.2: Incompatible with non-root container execution. These checks require root ownership or privileged port binding, which conflicts with CIS Docker Benchmark 4.1.
Sections 2.5.4, 3.4, 4.1.1–4.1.3, 4.1.7–4.1.10, 4.1.12, 5.1.1, 5.2.4, 5.2.5: Deployment-time or runtime configuration. These checks depend on user-provided TLS certificates, reverse proxy setup, IP rules, or connection limits that cannot be pre-configured in a generic base image.