generic.nginx.security.header-redefinition.header-redefinition

Community Favorite
Author: semgrep
Downloads: 75,967

The 'add_header' directive is called in a 'location' block after headers have been set at the server block. nginx inherits 'add_header' directives from the enclosing level only when the current level declares none, so a single 'add_header' in the location block replaces every header defined in the server block, no matter which headers are set. To fix this, explicitly set all headers in the location block or set all headers in the server block.


Definition

rules:
  - id: header-redefinition
    patterns:
      - pattern-inside: |
          server {
            ...
            add_header ...;
            ...
            ...
          }
      - pattern-inside: |
          location ... {
            ...
            ...
          }
      - pattern: add_header ...;
    paths:
      include:
        - "*.conf"
        - "*.vhost"
        - sites-available/*
        - sites-enabled/*
    languages:
      - generic
    severity: WARNING
    message: The 'add_header' directive is called in a 'location' block after
      headers have been set at the server block. Calling 'add_header' in the
      location block will actually overwrite the headers defined in the server
      block, no matter which headers are set. To fix this, explicitly set all
      headers or set all headers in the server block.
    metadata:
      cwe:
        - "CWE-16: CWE CATEGORY: Configuration"
      references:
        - https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
      category: security
      technology:
        - nginx
      confidence: LOW
      owasp:
        - A06:2017 - Security Misconfiguration
        - A05:2021 - Security Misconfiguration
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other

Examples

header-redefinition.conf

server {
  listen 80;
  # ok: header-redefinition
  add_header X-Frame-Options "DENY" always;
  location / {
      return 200 "index";
  }

  location /new-headers {
    # Add special cache control
    # ruleid: header-redefinition
    add_header Cache-Control "no-cache, no-store, max-age=0, must-revalidate" always;
    # ruleid: header-redefinition
    add_header Pragma "no-cache" always;

    return 200 "new-headers";
  }
}
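To make the inheritance rule behind this finding concrete, here is an added example (not part of the Semgrep rule or the page's own material) that parses a small nginx configuration and computes which 'add_header' headers each location actually sends, using nginx's documented rule that a level inherits 'add_header' only when it declares none of its own. The two configuration strings are constructed for this example: the first mirrors the page's flagged configuration, the second is the hardened form with the server-level header repeated in the location block. The tokenizer and parser are deliberately minimal (blocks, directives, comments, quoted values) and are not nginx's own parser.

```python
"""Compute the effective add_header set per nginx location.

Rule applied (from the nginx ngx_http_headers_module documentation): add_header
directives are inherited from the previous level only if there are no
add_header directives defined on the current level.
"""
import re
from dataclasses import dataclass, field

# Constructed for this example; modelled on the page's flagged configuration.
WEAK_CONF = """
server {
  listen 80;
  add_header X-Frame-Options "DENY" always;
  location / {
      return 200 "index";
  }
  location /new-headers {
    # Add special cache control
    add_header Cache-Control "no-cache, no-store, max-age=0, must-revalidate" always;
    add_header Pragma "no-cache" always;
    return 200 "new-headers";
  }
}
"""

# Constructed hardened form: every server-level header is restated in the
# location that declares its own add_header directives.
FIXED_CONF = """
server {
  listen 80;
  add_header X-Frame-Options "DENY" always;
  location / {
      return 200 "index";
  }
  location /new-headers {
    add_header X-Frame-Options "DENY" always;
    add_header Cache-Control "no-cache, no-store, max-age=0, must-revalidate" always;
    add_header Pragma "no-cache" always;
    return 200 "new-headers";
  }
}
"""


@dataclass
class Block:
    name: str                                   # e.g. "server" or "location /new-headers"
    headers: list = field(default_factory=list)  # add_header names declared at this level
    children: list = field(default_factory=list)


# Tokens: comments (dropped), quoted strings, braces/semicolons, bare words.
_TOKEN = re.compile(r"""\s*(?:#[^\n]*|"[^"]*"|'[^']*'|[{};]|[^\s{};"']+)""")


def tokenize(text):
    """Split nginx-style config text into tokens, discarding comments."""
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            break  # only trailing whitespace left
        pos = m.end()
        tok = m.group().strip()
        if tok and not tok.startswith("#"):
            tokens.append(tok)
    return tokens


def parse(tokens):
    """Build a Block tree; record the header name of every add_header directive."""
    root = Block("root")
    stack, cur = [root], []
    for tok in tokens:
        if tok == "{":
            blk = Block(" ".join(cur))
            stack[-1].children.append(blk)
            stack.append(blk)
            cur = []
        elif tok == "}":
            stack.pop()
            cur = []
        elif tok == ";":
            if len(cur) >= 2 and cur[0] == "add_header":
                stack[-1].headers.append(cur[1])
            cur = []
        else:
            cur.append(tok)
    return root


def effective_headers(block, inherited=()):
    """Return {location name: headers actually sent}, applying the inheritance rule."""
    own = list(block.headers) if block.headers else list(inherited)
    result = {block.name: own} if block.name.startswith("location") else {}
    for child in block.children:
        result.update(effective_headers(child, own))
    return result


def missing_headers(conf_text):
    """Return {location: [server-level headers that location silently drops]}."""
    root = parse(tokenize(conf_text))
    server = next(c for c in root.children if c.name == "server")
    gaps = {}
    for loc, hdrs in effective_headers(server).items():
        lost = [h for h in server.headers if h not in hdrs]
        if lost:
            gaps[loc] = lost
    return gaps


if __name__ == "__main__":
    print("weak :", missing_headers(WEAK_CONF))    # /new-headers drops X-Frame-Options
    print("fixed:", missing_headers(FIXED_CONF))   # {}
```

Running the script shows that in the weak configuration 'location /new-headers' no longer sends X-Frame-Options, while 'location /' still inherits it; the hardened configuration reports no gaps. The same check generalizes to any server-level header (CSP, HSTS, and so on) and to nested locations, since the inheritance rule is applied at every level.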