ScaleScaleScaleScale

Tips / Nginx


How to deny script execution inside writable directories

There are some times when your application needs to write data into some files and in order to achieve that you need to give writing permissions to certain directories like tmp, cache, logs and many others. The issue is that global writing permissions is a big security problem, because it allow anyone to upload malicious files to the webserver, hack your website, create phishing content, send tons of spam emails to everybody.

The result, is often very bad for you, because you can not only get hacked and have your website lost, you can also get blocked/banned from Google Chrome, Firefox and many other browsers, which is also not good for SEO rankings.

For an unlimited number of reasons, you must protect your writable directories, and the best way to do it using Nginx is adding the following code into your server block configuration:

# deny scripts inside writable directories
    location ~* /(images|cache|media|logs|tmp)/.*.(php|pl|py|jsp|asp|sh|cgi)$ {
    return 403;
    error_page 403 /403_error.html;
    }

Once done, restart your nginx server to apply the changes:

service nginx restart

At this time, your website should be fully protected =)

Popular search terms:

  • nginx block scripts
  • nginx deny script execution
  • nginx forbid writable file
profile

Esteban Borges

Linux Geek, Webperf Addict, Nginx Fan. CTO @Infranetworking