NAXSI: an application firewall for NGINX


NAXSI is an open source IT security tool that analyses, filters and secures the traffic that comes to your website. NAXSI is an application firewall that protects you against the most common online cyberattacks by detecting and blocking suspicious behaviour in real time. It is installed by default for our clients who use the high-security hosting solution CerberHost.

Application firewall: why should you use one, and why NAXSI

The importance of an application firewall

Attacks targeting websites and applications can have a variety of impacts such as stolen data, using your servers’ resources, or industrial espionage. Your sites and applications are choice targets for hackers.

They are easily accessible and offer a variety of cyber attack vectors if they are not well protected:

  • code injection via online forms
  • stealing of login IDs
  • poor access management
  • unsecured configurations

OWASP, a global non-profit organisation, lists the most common risks.

All these threats can be addressed directly: by immediately updating software when a flaw is announced, having good configurations, and completely securing the application’s code. However, making sure your respect all of these best security practices can be complicated, especially since they frequently change in response to new types of attacks.

An application firewall like NAXSI protects you against most of these threats, including those on OWASP’s Top 10, whatever the underlying level of security. It is installed on your reverse proxies and analyses queries sent by your website’s users. If one of the queries seems suspicious, it will be blocked before it gets to your server. The attack is stopped before it even starts.

NAXSI: what are the benefits?

There are many firewall solutions dedicated to applications, most of which work based on blacklists: the application firewall blocks the attacks it recognises and lets all other queries through to the server. NAXSI is different because it works based on a whitelist; by default, it blocks all queries and lets through only the traffic it considers legitimate. This difference protects you even against emerging cyberattacks whose signature is still unknown and can, therefore, not be detected by specific rules.

NAXSI adapts to each environment and each site to avoid false positives and let through legitimate queries, offering custom protection that adapts to your risks and issues.

Furthermore, NAXSI causes no loss of performance and requires no updates (aside from the whitelist, of course), saving you from regular slow-downs or stoppages to your production.

Open source WAF: NBS System’s expertise

They use NAXSI, hear their stories

“NAXSI is fantastic. The increase in response time is negligible, when there is one.”

“With NAXSI, the application is never down, and I can sleep easy! …It does exactly what it is meant to do, and it does it extremely well. ”

“I’m a pentester, and I’ve encountered NAXSI several times. Most of the time, I lost. ”

Find other experiences from NAXSI users!

WAF NAXSI: how can you get it?

NAXSI is an application firewall module attached to NGINX reverse proxy software. You can download it on the NAXSI GitHub page and ask your service providers to install it on your infrastructure. Our teams can also help you configure it.

Contact our teams for help implementing NAXSI!

Application firewall: when should you use NAXSI?

NAXSI is an application firewall. It’s a security tool that must stay in production at all times since it is a brick of your protection system. If it is deactivated on your site or application, your traffic will not be analysed, and you run additional risks.

How does NAXSI work?

NAXSI is installed on your website’s infrastructure alongside reverse proxies. These devices receive all your site’s traffic and act as intermediaries between your visitors’ web browsers and your web server.

When a query is made (such as accessing a new page or responding to a contact form) to a reverse proxy, the application firewall analyses the query to determine if it is legitimate or if it is dangerous to your underlying system.

A security tool: simple rules, a score, an action

Generally, an application firewall is based on a system of complex rules that recognise suspicious queries by their signatures: a chain of characters needed to carry out a certain type of cyber attack. The disadvantage of this operating method is that the rules are hard to maintain. For every new attack, a new rule must be created and integrated into the application firewall.

As we discussed above, NAXSI works differently. Instead of searching for complete character chains, the tool only identifies suspicious characters often used in web attacks such as less-than or more-than signs, parentheses, brackets, or apostrophes. This has several benefits such as it being easy to maintain (few updates) and quickly processing queries (no loss of performance).

Every time one of these characters appears in a query, NAXSI increases its “score”; the higher the score, the more suspicious the query. If it is below a certain threshold, it is allowed through to the server. Above it, and it is considered dangerous and blocked. Other intermediate actions and ranges can also be put in place depending on your needs, issues, and users.

Custom IT protection using the learning module

Defining score ranges and related actions is inherent to your site, project, and use case. By avoiding generic rules, NAXSI limits the risk of blocking legitimate queries or leaving open a window of opportunity for hackers due to rules that are too permissive.

NAXSI goes through an initial learning period to put this configuration into place. The learning module NXTOOLS runs for a certain time on your reverse proxy to analyse queries without blocking them and generate the whitelist. This whitelist will include all the behaviours that NAXSI may consider suspicious, but which are legitimate when using your website.

For example, if over 20% of your users have the same triggering factor, it will be recorded as legitimate, and NAXSI will not block it when it goes into production. The same goes for certain behaviours specific to the application that you use such as Google Analytics cookies, for example.

Human assistance is needed, however, to guide the tool to the right exceptions and identify the various ranges.

Cyberattacks: clear visibility on NAXSI’s actions

Once the learning phase is over, NAXSI can be activated and start working as an application firewall. Thanks to Elasticsearch and Kibana, two open source projects used alongside NAXSI, you get a console that shows the cyberattacks it has blocked for all the protected websites in real time.

Our IT security experts can help you with this! Contact us to find out more.