NAXSI

Open-source NGINX WAF with simple rules and auto-learning whitelist support

Repository activity
  • Stars: 503
  • Forks: 47
  • Open Issues: 20
License

GPL-3.0

Languages
  • C
  • Shell
  • Dockerfile
Get it: GitHub

About NAXSI

NAXSI is a third-party NGINX module that acts as a web application firewall. It blocks common cross-site scripting and SQL injection patterns with a small set of readable rules, using a drop-by-default model where you add only the accept rules your site needs.

Unlike most web application firewalls, it does not rely on a signature base, so it cannot be bypassed by an unknown attack pattern. You can build whitelists manually by analyzing NGINX error logs, or run an intensive auto-learning phase that generates whitelisting rules from your site's behavior.

NAXSI works with any NGINX version and depends on libpcre for regular expression support. It runs on NetBSD, FreeBSD, OpenBSD, Debian, Ubuntu, and CentOS, and is packaged for many Unix-like platforms.

Key features

  • Drop-by-default WAF for NGINX
  • Small readable rules for common attack patterns
  • Auto-learning phase for whitelist generation
  • Manual whitelists from NGINX error logs
  • Works with any NGINX version; uses libpcre

Details

  • First released: 2022
  • Platforms: Linux · BSD · UNIX-like
  • Dependency: libpcre
  • Web server: NGINX
  • Model: Drop-by-default firewall