| 1.1.2 Ensure NGINX is installed from source | SYSTEM AND SERVICES ACQUISITION |
| 2.1.1 Ensure only required modules are installed | CONFIGURATION MANAGEMENT |
| 2.1.2 Ensure HTTP WebDAV module is not installed | CONFIGURATION MANAGEMENT |
| 2.1.3 Ensure modules with gzip functionality are disabled | CONFIGURATION MANAGEMENT |
| 2.5.3 Ensure hidden file serving is disabled | SYSTEM AND SERVICES ACQUISITION |
| 3.5 Ensure error logs are sent to a remote syslog server | AUDIT AND ACCOUNTABILITY |
| 3.6 Ensure access logs are sent to a remote syslog server | AUDIT AND ACCOUNTABILITY |
| 4.1.11 Ensure your domain is preloaded | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.12 Ensure session resumption is disabled to enable perfect forward security | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.13 Ensure HTTP/2.0 is used | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.14 Ensure only Perfect Forward Secrecy Ciphers are Leveraged - proxy_ssl_ciphers | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.14 Ensure only Perfect Forward Secrecy Ciphers are Leveraged - ssl_ciphers | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.1 Ensure allow and deny filters limit access to specific IP addresses | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.2.4 Ensure the number of connections per IP address is limited | SYSTEM AND SERVICES ACQUISITION |
| 5.2.5 Ensure rate limits by IP address are set | SYSTEM AND SERVICES ACQUISITION |
| 5.3.3 Ensure that Content Security Policy (CSP) is enabled and configured properly | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 5.3.4 Ensure the Referrer Policy is enabled and configured properly | SYSTEM AND SERVICES ACQUISITION |
| CIS_NGINX_v2.0.1_Level_2_Webserver.audit from CIS NGINX Benchmark v2.0.1 | |
