    Nginx

    Security

    Conditions for Nginx H2C smuggling identified. H2C smuggling upgrades an HTTP/1.1 connection to the lesser-known HTTP/2 over cleartext (h2c) protocol, which can bypass reverse-proxy access controls and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: if WebSocket support is required, allow only the value 'websocket' in forwarded HTTP/1.1 Upgrade headers (e.g., 'Upgrade: websocket'); if WebSocket support is not required, do not forward Upgrade headers at all.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-444: Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’)
    OWASP:
    - A04:2021 - Insecure Design
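The following is an added configuration example, not part of the rule set above: it uses `map` to forward the client's Upgrade header only when its value is `websocket`, and shows an ordinary location that forwards no Upgrade header. The upstream name `backend` and the paths are placeholders.

```nginx
# Forward only "websocket"; any other Upgrade value maps to "" and nginx
# does not pass a proxy_set_header whose value is the empty string.
map $http_upgrade $forward_upgrade {
    websocket  websocket;
    default    "";
}

# Ask the backend to upgrade only when an Upgrade header is really forwarded.
map $forward_upgrade $forward_connection {
    websocket  upgrade;
    default    close;
}

server {
    listen 443 ssl;
    # ssl_certificate / ssl_certificate_key omitted (placeholders)

    # WebSocket endpoint: upgrade is allowed, but only to websocket, so an
    # HTTP/1.1 client cannot negotiate h2c with the backend through us.
    location /ws/ {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $forward_upgrade;
        proxy_set_header Connection $forward_connection;
    }

    # Ordinary endpoint: Upgrade is hop-by-hop and is not forwarded unless a
    # proxy_set_header says so, so simply do not add one here.
    location / {
        proxy_pass http://backend;
    }
}
```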

    The '$http_host' and '$host' variables may contain a malicious value from the attacker-controlled 'Host' request header. Use an explicitly configured host value or an allow list for validation.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-290: Authentication Bypass by Spoofing
    OWASP:
    - A07:2021 - Identification and Authentication Failures

    Detected an insecure redirect in this nginx configuration. If the redirect target specifies no scheme, nginx forwards the request with the incoming scheme, which could result in unencrypted communications. To fix this, include the 'https' scheme explicitly.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-319: Cleartext Transmission of Sensitive Information
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    The alias in this location block is subject to a path traversal because the location path does not end in a path separator ('/'). To fix, add a path separator to the end of the location path.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
    OWASP:
    - A05:2017 - Broken Access Control
    - A01:2021 - Broken Access Control
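An added example (not from the rule set) showing the misconfiguration beside its fix; the directory paths are placeholders.

```nginx
# Vulnerable: the prefix has no trailing slash, so "/static" is the matched
# part and everything after it is appended verbatim to the alias path. A
# request for /static../app.conf therefore maps to
# /var/www/static/../app.conf, i.e. /var/www/app.conf, outside the intended
# directory, because "static.." is a single path component and is not
# normalised away before matching.
location /static {
    alias /var/www/static/;
}

# Fixed: with the trailing slash the prefix matches only "/static/...", so
# the text appended to the alias path always begins after the separator and
# cannot step back out of /var/www/static/.
location /static/ {
    alias /var/www/static/;
}
```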

    This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgery (SSRF). Include the 'internal' directive in this block to limit exposure.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-16: CWE CATEGORY: Configuration
    OWASP:
    - A06:2017 - Security Misconfiguration
    - A05:2021 - Security Misconfiguration

    A path parameter captured from the request is added as a header in the response. This could allow an attacker to inject a newline and add a new header to the response, which is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\s]+'.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’)
    OWASP:
    - A03:2021 - Injection

    The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-16: CWE CATEGORY: Configuration
    OWASP:
    - A06:2017 - Security Misconfiguration
    - A05:2021 - Security Misconfiguration

    The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker, because it may alter the destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-441: Unintended Proxy or Intermediary (‘Confused Deputy’)
    OWASP:
    - A01:2021 - Broken Access Control
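An added example (not from the rule set) of the `map`-based allow list the rule recommends: the destination is selected from a fixed set of upstream groups rather than built from request data. The upstream names, addresses and the `backend` query parameter are placeholders.

```nginx
upstream api_pool  { server 10.0.0.10:8080; }
upstream auth_pool { server 10.0.0.11:8080; }

# Only the listed keys resolve to a destination; anything else is empty.
map $arg_backend $target_pool {
    api      api_pool;
    auth     auth_pool;
    default  "";
}

server {
    listen 80;

    location /gateway/ {
        # Reject requests whose backend is not on the allow list before
        # proxy_pass ever sees the variable.
        if ($target_pool = "") {
            return 404;
        }
        # A variable that names a defined upstream group is resolved against
        # that group, so no DNS resolver is consulted here.
        proxy_pass http://$target_pool;
    }
}
```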

    This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures

    The 'add_header' directive is called in a 'location' block after headers have been set at the server block. Because 'add_header' is inherited only when the current level defines none of its own, any 'add_header' in the location block replaces the whole set defined in the server block, no matter which headers are set. To fix this, explicitly set all headers in the location block or set all headers in the server block only.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-16: CWE CATEGORY: Configuration
    OWASP:
    - A06:2017 - Security Misconfiguration
    - A05:2021 - Security Misconfiguration
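An added example (not from the rule set) of the inheritance footgun and the fix; header values, paths and the `backend` upstream are placeholders.

```nginx
upstream backend { server 127.0.0.1:8080; }

server {
    listen 443 ssl;
    # ssl_certificate / ssl_certificate_key omitted (placeholders)
    add_header X-Frame-Options        "DENY"    always;
    add_header X-Content-Type-Options "nosniff" always;

    # Problem: the single add_header here means the two server-level headers
    # are no longer inherited, so responses from /api/ go out without them.
    location /api/ {
        add_header Cache-Control "no-store" always;
        proxy_pass http://backend;
    }

    # Fix: a location that adds its own header repeats every server-level
    # header as well, so the full set is emitted for this path too.
    location /download/ {
        add_header Cache-Control          "no-store" always;
        add_header X-Frame-Options        "DENY"     always;
        add_header X-Content-Type-Options "nosniff"  always;
        proxy_pass http://backend;
    }

    # Locations with no add_header of their own inherit the server-level set.
    location / {
        proxy_pass http://backend;
    }
}
```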

    Detected use of an insecure SSL/TLS version. Secure versions are TLSv1.2 and TLSv1.3; older versions are known to be broken and are susceptible to attacks. Prefer TLSv1.2 or later.
    Likelihood: MEDIUM
    Confidence: HIGH
    CWE:
    - CWE-326: Inadequate Encryption Strength
    OWASP:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures
