NGINX Config Analyzer
Paste one or more NGINX config files and get a scored security, performance, and reliability audit across 35+ context-aware rules. Supports multi-file configs with include resolution and a request flow simulator. Your configuration is analyzed locally — never uploaded.
Static analysis only. Always verify with nginx -t and nginx -T before applying changes.
What this analyzer checks
This analyzer builds an AST from your NGINX configuration, then runs 35+ context-aware rules. Rules understand scope — HSTS only fires when an HTTPS listener exists, proxy header rules only apply when proxy_pass is present, upstream keepalive rules only apply when upstream blocks are defined.
Supports multi-file configs — add included files as additional tabs and the analyzer links them together. The request flow simulator tests server block selection, location matching, and proxy_pass routing without sending any traffic.
🛡 Security
- HSTS on HTTPS servers
- X-Frame-Options / CSP frame-ancestors
- X-Content-Type-Options nosniff
- Content-Security-Policy
- server_tokens off
- Legacy TLS 1.0/1.1
- ssl_protocols missing
- Weak ssl_ciphers
- ssl_session_cache
- autoindex on
- Dotfile exposure (.git, .env)
- HTTP to HTTPS redirect
⚡ Performance
- worker_processes auto
- worker_connections sizing
- gzip / Brotli compression
- client_max_body_size
- sendfile / tcp_nopush / tcp_nodelay
- HTTP/2 on TLS
- proxy_read_timeout
- Upstream keepalive
🔀 Reverse Proxy
- Host header forwarding
- X-Real-IP
- X-Forwarded-For
- X-Forwarded-Proto
- proxy_http_version 1.1 with keepalive
- WebSocket Upgrade/Connection headers
- proxy_pass variable without resolver
- proxy_buffering global disable
📡 Reliability
- error_log
- access_log with upstream timing
- proxy_next_upstream
- max_fails/fail_timeout on upstream servers
- default_server block
- error_page for 502/503/504
How to validate fixes safely
nginx -t && nginx -T | head -50
systemctl reload nginx
curl -sI https://yourdomain.com | grep -iE "Strict-Transport|X-Frame|X-Content-Type"
FAQ
Is my NGINX config uploaded anywhere?
No. All parsing and analysis runs in JavaScript in your browser. No data is sent to any server. Open DevTools → Network while pasting and you will see zero outbound requests.
Can this replace nginx -t?
No. nginx -t validates syntax against your actual NGINX binary and loaded modules. This tool provides semantic analysis — finding issues that are syntactically valid but operationally or security-problematic. Use both.
Does it support multiple config files?
Yes. Click + to add file tabs. Name them to match your include paths (e.g. conf.d/api.conf). The analyzer resolves include directives by matching against provided filenames.
Can it detect security issues?
Yes — missing security headers, TLS misconfiguration, weak ciphers, autoindex exposure, unprotected dotfiles, rate limiting gaps, HSTS on HTTPS servers. All rules are context-aware.
Can it analyze reverse proxy configs?
Yes. Proxy header rules only fire when proxy_pass is present. Upstream keepalive rules apply when upstream blocks exist. WebSocket header rules fire only when WebSocket-like routes are detected.
How accurate is the request flow test?
The simulator handles exact, prefix, ^~, regex, and default location matching with correct NGINX priority order. It cannot emulate complex rewrites, variable-based routing, map/geo lookups, or Lua/njs. Confidence level (definite/probable/uncertain) is shown with each result.
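The location priority order named in the answer above, written out as an added JavaScript example (not the analyzer's own code). It assumes an already-normalized URI path, flat (non-nested) locations, and JavaScript RegExp standing in for NGINX's PCRE; the location list and its names are constructed.

```javascript
// Added example: NGINX location selection order. Constructed data, not the analyzer's code.
// mod is one of '' (prefix), '=', '^~', '~' (regex), '~*' (case-insensitive regex).
function matchLocation(locations, uri) {
  let bestPrefix = null;
  for (const loc of locations) {
    if (loc.mod === '=') {
      // 1. An exact match ends the search immediately.
      if (uri === loc.pattern) return { name: loc.name, reason: 'exact' };
    } else if (loc.mod === '' || loc.mod === '^~') {
      // 2. Remember the longest matching prefix, whatever its position in the file.
      if (uri.startsWith(loc.pattern) &&
          (bestPrefix === null || loc.pattern.length > bestPrefix.pattern.length)) {
        bestPrefix = loc;
      }
    }
  }
  // 3. A longest prefix marked ^~ suppresses the regex pass.
  if (bestPrefix !== null && bestPrefix.mod === '^~') {
    return { name: bestPrefix.name, reason: 'prefix ^~' };
  }
  // 4. Regex locations are tried in file order; the first hit wins.
  for (const loc of locations) {
    if (loc.mod !== '~' && loc.mod !== '~*') continue;
    // Assumption: JavaScript RegExp stands in for NGINX's PCRE.
    if (new RegExp(loc.pattern, loc.mod === '~*' ? 'i' : '').test(uri)) {
      return { name: loc.name, reason: 'regex' };
    }
  }
  // 5. Otherwise fall back to the remembered prefix (often "location /").
  return bestPrefix ? { name: bestPrefix.name, reason: 'prefix' } : null;
}

// Constructed sample: /admin/ is imagined to carry auth_basic, the regex block does not.
const sampleLocations = [
  { mod: '', pattern: '/', name: 'root' },
  { mod: '', pattern: '/admin/', name: 'admin' },
  { mod: '^~', pattern: '/static/', name: 'static' },
  { mod: '=', pattern: '/health', name: 'health' },
  { mod: '~*', pattern: '\\.php$', name: 'php' },
];

for (const uri of ['/health', '/about', '/admin/users', '/admin/index.php', '/static/x.php']) {
  const hit = matchLocation(sampleLocations, uri);
  console.log(uri, '->', hit.name, `(${hit.reason})`);
}
```

In the sample, /admin/index.php is handled by the regex block, so directives set only in the /admin/ prefix block (access controls included) do not apply to that request.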