
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

F5 NGINX Security Technical Implementation Guide

Version: V1R1
Release Date: Jan 7, 2026
SCAP Benchmark ID: F5_NGINX_STIG
Total Checks: 32
Tags: web
Severity breakdown: CAT I: 2, CAT II: 30, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (32)

  • V-278380 (MEDIUM): NGINX must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
  • V-278381 (HIGH): NGINX must use TLS 1.2, at a minimum, to protect data confidentiality using remote access.
  • V-278382 (MEDIUM): The NGINX service account must be configured to not have shell access.
  • V-278383 (MEDIUM): The NGINX service account must be configured to not have admin group access.
  • V-278384 (MEDIUM): NGINX must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the application.
  • V-278385 (MEDIUM): NGINX must provide audit records for DOD-defined auditable events.
  • V-278386 (MEDIUM): NGINX must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
  • V-278387 (MEDIUM): NGINX must prevent the execution of unapproved modules.
  • V-278388 (MEDIUM): NGINX must protect audit information from unauthorized access.
  • V-278389 (MEDIUM): NGINX must be configured to prohibit or restrict using ports, protocols, and/or services.
  • V-278390 (MEDIUM): NGINX must implement replay-resistant authentication mechanisms for network access.
  • V-278391 (MEDIUM): NGINX must be configured to use a Certificate Revocation List (CRL) for certificate path validation and revocation. (Online Certificate Status Protocol [OCSP] is the preferred configuration.)
  • V-278392 (MEDIUM): NGINX, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
  • V-278393 (MEDIUM): NGINX must identify prohibited mobile code.
  • V-278394 (MEDIUM): NGINX must restrict the ability of individuals to launch denial-of-service (DoS) attacks against other information systems.
  • V-278395 (MEDIUM): NGINX must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
  • V-278396 (HIGH): NGINX must off-load audit records to a central log server.
  • V-278397 (MEDIUM): NGINX must restrict access to configuration files.
  • V-278398 (MEDIUM): NGINX must be configured with a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
  • V-278399 (MEDIUM): NGINX must be configured to require SSL sessions to reauthenticate no longer than 15 minutes.
  • V-278400 (MEDIUM): NGINX must accept Personal Identity Verification (PIV) credentials.
  • V-278401 (MEDIUM): NGINX must be configured to expire cached authenticators after an organization-defined time period.
  • V-278402 (MEDIUM): NGINX must be configured to pass security attributes to proxies.
  • V-278403 (MEDIUM): NGINX must only allow using DOD approved certificate authorities for PKI.
  • V-278404 (MEDIUM): NGINX must protect against denial-of-service (DoS) attacks.
  • V-278405 (MEDIUM): NGINX must be configured to use FIPS-approved algorithms to protect the confidentiality and integrity of transmitted information.
  • V-278406 (MEDIUM): NGINX must be configured to use Online Certificate Status Protocol (OCSP) for certificate path validation and revocation. (OCSP is the preferred configuration.)
  • V-278407 (MEDIUM): NGINX must be configured to use a FIPS-validated cryptographic module for confidentiality and integrity.
  • V-278408 (MEDIUM): The NGINX service account must be configured to lock changes to the password.
  • V-278409 (MEDIUM): NGINX must separate API maintenance sessions from other network sessions within the system by logically separated communications paths.
  • V-278410 (MEDIUM): NGINX must generate, manage, and protect from disclosure and misuse the cryptographic keys that protect access tokens.
  • V-278411 (MEDIUM): NGINX must revoke access tokens in accordance with organization-defined identification and authentication policy.
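The list gives each requirement's title but not its check procedure, which this page does not reproduce. As an added example (not STIGhub's or DISA's code), the script below flat-scans an nginx configuration for the directives that a handful of those titles imply: ssl_protocols for V-278381, ssl_session_timeout for V-278399, ssl_stapling/ssl_stapling_verify for V-278406, ssl_crl when client certificates are verified for V-278391, and a syslog: target on access_log and error_log for V-278396. That directive-to-V-ID mapping is my reading of the titles, not the STIG's own check text; the two configurations, the collector address 10.0.0.5 and the helper names (parse_directives, audit_nginx_conf, timeout_seconds) are constructed for this example.

```python
"""Flat-scan an nginx config for a subset of F5 NGINX STIG requirement titles.

Added example, not STIGhub's or DISA's code. The V-ID -> directive mapping is
an assumption drawn from the requirement titles, not from the STIG check text.
"""
import re
from typing import Dict, List

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # fail "TLS 1.2 minimum"
MAX_SESSION_SECONDS = 15 * 60                            # V-278399: 15 minutes
UNIT_SECONDS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def timeout_seconds(value: str) -> float:
    """Convert an nginx time value ('5m', '1h30m', '300') to seconds; bare numbers are seconds."""
    total = 0.0
    for number, unit in re.findall(r"(\d+)(ms|[smhdw])?", value):
        total += int(number) * UNIT_SECONDS[unit or "s"]
    return total


def parse_directives(conf: str) -> Dict[str, List[List[str]]]:
    """Map directive name -> list of argument lists, ignoring comments and block braces.

    Block context is deliberately flattened: a weak value anywhere in the file is
    reported, which is the conservative choice for an audit pass.
    """
    directives: Dict[str, List[List[str]]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        parts = line.rstrip(";").split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def audit_nginx_conf(conf: str) -> Dict[str, str]:
    """Return {V-ID: finding} for each requirement the configuration fails."""
    d = parse_directives(conf)
    findings: Dict[str, str] = {}

    def all_on(name: str) -> bool:
        values = d.get(name, [])
        return bool(values) and all(args == ["on"] for args in values)

    # V-278381: TLS 1.2 at a minimum. An unset directive falls back to a
    # version-dependent default, so it is flagged rather than assumed safe.
    protocols = {p for args in d.get("ssl_protocols", []) for p in args}
    weak = protocols & WEAK_PROTOCOLS
    if not protocols:
        findings["V-278381"] = "ssl_protocols not set; default depends on nginx version"
    elif weak:
        findings["V-278381"] = "weak protocols enabled: " + " ".join(sorted(weak))

    # V-278399 (assumption): the session cache timeout bounds how long a resumed
    # session can skip a full handshake, so it must not exceed 15 minutes.
    for args in d.get("ssl_session_timeout", []):
        if args and timeout_seconds(args[0]) > MAX_SESSION_SECONDS:
            findings["V-278399"] = f"ssl_session_timeout {args[0]} exceeds 15m"

    # V-278406: OCSP stapling on, with the stapled response verified.
    if not (all_on("ssl_stapling") and all_on("ssl_stapling_verify")):
        findings["V-278406"] = "ssl_stapling and ssl_stapling_verify must both be on"

    # V-278391: when client certificates are verified, a CRL must be loaded.
    client_auth = any(args and args[0] in ("on", "optional", "optional_no_ca")
                      for args in d.get("ssl_verify_client", []))
    if client_auth and not d.get("ssl_crl"):
        findings["V-278391"] = "ssl_verify_client enabled without ssl_crl"

    # V-278396: audit records off-loaded; each log type needs a syslog: target.
    missing = [name for name in ("access_log", "error_log")
               if not any(args and args[0].startswith("syslog:") for args in d.get(name, []))]
    if missing:
        findings["V-278396"] = "no syslog: target for " + ", ".join(missing)

    return findings


# Constructed sample configurations (not from any real deployment).
WEAK_CONF = """
http {
    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log;
    server {
        listen 443 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLS 1.0/1.1 still enabled
        ssl_session_timeout 1h;
        ssl_verify_client on;
        ssl_client_certificate /etc/nginx/pki/dod-ca-bundle.pem;
        # no ssl_crl, no ssl_stapling
    }
}
"""

HARDENED_CONF = """
http {
    access_log syslog:server=10.0.0.5:514,facility=local7 combined;
    access_log /var/log/nginx/access.log;
    error_log  syslog:server=10.0.0.5:514,severity=info;
    server {
        listen 443 ssl;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_timeout 15m;
        ssl_verify_client on;
        ssl_client_certificate /etc/nginx/pki/dod-ca-bundle.pem;
        ssl_crl /etc/nginx/pki/dod-crl.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/pki/dod-ca-bundle.pem;
    }
}
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_nginx_conf(conf) or "no findings")
```

Feed it the output of `nginx -T` rather than a single file so that included files are covered; because the scan ignores block context, a finding tells you a weak value exists somewhere, and you still confirm in which server block it takes effect before writing it up.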