2.5.3 Ensure hidden file serving is disabled

Information

Refusing to serve hidden files (files and directories whose names begin with a dot) is a defense-in-depth mechanism that helps prevent accidental exposure of sensitive information that was never meant to be reachable through the web server.

Rationale:

Disabling hidden files prevents an attacker from requesting a dot-file that has been placed, or left behind by tooling, in a served location and that may contain sensitive information: for example, a .git directory (source code, commit history and sometimes credentials), a .svn directory, or editor and configuration files such as .htaccess or .htpasswd.

Impact:

This may break well-known hidden paths that are needed for functionality. For example, it blocks the /.well-known/acme-challenge/ path used by Let's Encrypt and other ACME clients for the HTTP-01 challenge, so certificate issuance and renewal fail. To allow it, add a location exception such as the one below. The exception must appear before the deny rule in the configuration: regular-expression locations are evaluated in the order they are written, and the first match wins.

    location ~ ^/\.well-known/acme-challenge/ {
        allow all;
    }

Solution

Edit the nginx.conf file (or the relevant server configuration file) and add the following location block inside each server block:

    location ~ /\. { deny all; return 404; }

The dot must be escaped. In a regular-expression location an unescaped "/." matches a slash followed by any character, which would deny every request rather than only hidden files. Because "return 404" is processed before "deny all", clients receive 404 Not Found rather than 403 Forbidden, so they cannot tell a denied hidden file from a missing one.
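The following server block is an added example, not configuration from the CIS benchmark or from NGINX, showing the ACME exception and the hidden-file rule together in the order they must appear. The server name, port and document root are assumed values.

```nginx
server {
    listen 80;
    server_name example.com;    # assumed hostname
    root /var/www/html;         # assumed document root

    # Exception for the ACME HTTP-01 challenge. It is listed first because
    # regular-expression locations are tried in configuration order and the
    # first match wins; placed after the deny rule it would never match.
    location ~ ^/\.well-known/acme-challenge/ {
        allow all;
    }

    # Deny any path that contains a component starting with a dot
    # (.git, .svn, .htaccess, .htpasswd, .DS_Store, ...).
    # The dot is escaped: an unescaped "/." would match every request.
    # "return 404" runs in the rewrite phase, before "deny all" runs in the
    # access phase, so the client sees 404 rather than 403 and cannot
    # distinguish a denied hidden file from a non-existent one.
    location ~ /\. {
        deny all;
        return 404;
    }
}
```

If you prefer the exception not to depend on ordering, write it as a prefix location with the ^~ modifier (location ^~ /.well-known/acme-challenge/ { allow all; }): when the longest matching prefix location carries ^~, NGINX does not evaluate regular-expression locations at all for that request. Run nginx -t after editing and reload, then confirm with curl that /.git/HEAD returns 404 while /.well-known/acme-challenge/test returns something other than 404.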

Default Value:

This is not set by default.
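Because the rule is absent by default, an audit has to check both that it exists and that it is written correctly. The POSIX shell script below is an added audit helper, not part of the CIS benchmark or of NGINX. It inspects a configuration file and reports MISSING (no escaped-dot deny rule), UNESCAPED (a "/." rule whose dot is not escaped), WEAK (a rule without "deny all" or "return 404"), ORDER (an acme-challenge location placed after the deny rule) or PASS. The three sample configurations it writes are constructed for the demonstration.

```sh
#!/bin/sh
# Added audit helper (not from the CIS benchmark or NGINX). Checks one NGINX
# configuration file for the hidden-file deny rule and the position of any
# acme-challenge exception relative to it. Prints one status word.

audit_hidden_files() {
    conf="$1"
    # First line opening a regex location whose pattern starts with "/\." .
    # Optional leading quote, "~*" and "^" are tolerated.
    deny_line=$(grep -n -E 'location[[:space:]]+~\*?[[:space:]]+"?\^?/\\\.' "$conf" \
        | head -n 1 | cut -d: -f1)
    acme_line=$(grep -n -E 'location.*acme-challenge' "$conf" \
        | head -n 1 | cut -d: -f1)

    if [ -z "$deny_line" ]; then
        # A rule written as "/." (no backslash) is a regex for "slash then
        # any character": it denies everything instead of hidden files.
        if grep -q -E 'location[[:space:]]+~\*?[[:space:]]+"?\^?/\.[[:space:]{]' "$conf"; then
            echo UNESCAPED
        else
            echo MISSING
        fi
        return 0
    fi

    # The location body should deny access; look at the rule line and the
    # next few lines in case the block is written across several lines.
    if ! sed -n "${deny_line},$((deny_line + 4))p" "$conf" \
        | grep -q -E 'deny[[:space:]]+all|return[[:space:]]+404'; then
        echo WEAK
        return 0
    fi

    # Regex locations match in file order, so an exception after the deny
    # rule never takes effect.
    if [ -n "$acme_line" ] && [ "$acme_line" -gt "$deny_line" ]; then
        echo ORDER
        return 0
    fi

    echo PASS
    return 0
}

# Constructed sample configurations for the demonstration; prints the
# directory that holds them.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/good.conf" <<'EOF'
server {
    location ~ ^/\.well-known/acme-challenge/ { allow all; }
    location ~ /\. { deny all; return 404; }
}
EOF
    cat > "$dir/order.conf" <<'EOF'
server {
    location ~ /\. { deny all; return 404; }
    location ~ ^/\.well-known/acme-challenge/ { allow all; }
}
EOF
    cat > "$dir/unescaped.conf" <<'EOF'
server {
    location ~ /. { deny all; return 404; }
}
EOF
    echo "$dir"
}

samples=$(make_samples)
for f in good order unescaped; do
    printf '%s: %s\n' "$f.conf" "$(audit_hidden_files "$samples/$f.conf")"
done
rm -rf "$samples"
```

On a live host run it against the output of nginx -T (for example nginx -T > /tmp/all.conf first), since the rule may live in an included file rather than nginx.conf itself. The script is a static check on text; it does not replace a request-level test with curl after reloading.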

See Also

https://workbench.cisecurity.org/files/4212