WAFPlanet

NAXSI

by Open Source (community-maintained fork by wargio)

Free Tier Available Open Source
3.4
WAFPlanet Rating

A lightweight, open source WAF module for NGINX that uses a scoring-based approach instead of signature matching, blocking attacks by detecting suspicious patterns rather than maintaining a vulnerability database.

Company: Open Source (community-maintained fork by wargio)
Pricing: Free (Open Source, GPLv3)
Founded: 2011

Overview

NAXSI (Nginx Anti XSS & SQL Injection) is an open source web application firewall that runs as a third-party module inside NGINX. Unlike signature-based WAFs that maintain databases of known attack patterns, NAXSI uses a scoring system: every request is evaluated against a small set of generic rules that cover the bulk of known web attack patterns.

The project takes a deny-by-default approach. Characters and patterns commonly associated with attacks (angle brackets, quotes, SQL keywords, pipe characters) are matched by those generic rules, and each match adds points to one or more named score counters such as $SQL or $XSS. When a counter reaches the threshold set for it by a CheckRule directive, the request is blocked (or, in learning mode, only logged). Legitimate requests that trigger false positives are handled through whitelist rules that exempt a specific rule id for a specific URL, zone or parameter; learning mode records the hits needed to generate those whitelists instead of blocking.

Originally developed by NBS System, the project was archived in November 2023. Development continues under an active fork maintained by Giovanni Dante Grazioli (wargio), who was the last active developer on the original project. The fork receives regular updates and maintains compatibility with current NGINX versions.

NAXSI is written in C and depends only on libpcre for regex support. It runs on most UNIX-like systems including Linux, FreeBSD, OpenBSD, and NetBSD. Its minimal footprint and tight NGINX integration make it a practical choice for teams that already run NGINX and want inline WAF protection without adding another proxy layer.
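The configuration below is an added example for this page, not configuration shipped by the NAXSI project. It shows the three moving parts described above in one place: generic MainRule scoring rules (which belong in the http block), CheckRule thresholds, a learning-mode whitelist and a virtual patch (all location-scoped), plus loading NAXSI as a dynamic module. The rules are abbreviated from the core rule set to show the syntax; a real deployment includes the naxsi_core.rules file from the release. The hostname, upstream address, module path, the /search and /download endpoints and the virtual-patch rule id are assumptions.

```nginx
# Added example (not NAXSI project configuration). Assumptions: module path,
# app.example.com, the 127.0.0.1:8080 backend, the /search and /download URLs.

# NAXSI built as a dynamic module, so nginx itself is not recompiled.
load_module modules/ngx_http_naxsi_module.so;

events {}

http {
    # Generic rules live in the http block. Each MainRule names a pattern
    # (str: or rx:), the match zones (mz:) it is checked in, the counters it
    # adds to (s:) and a unique id. Abbreviated from naxsi_core.rules.
    MainRule "rx:select|union|update|delete|insert|drop|load_file|group_concat" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
    MainRule "str:'"  "msg:simple quote"  "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
    MainRule "str:.." "msg:double dot"    "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4"  id:1200;
    MainRule "str:<"  "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8"        id:1302;

    upstream app { server 127.0.0.1:8080; }   # assumed backend

    server {
        listen 80;
        server_name app.example.com;          # assumed

        location / {
            SecRulesEnabled;
            # LearningMode;   # while tuning: log scores, let requests through
            DeniedUrl "/RequestDenied";

            # A request is blocked as soon as one counter reaches its threshold.
            # With the rules above, "?q=o'reilly" scores $SQL=4,$XSS=8 (rule
            # 1013) and is blocked on $XSS; "?q=select x" scores $SQL=4 (rule
            # 1000) and passes. $RFI and $EVADE are fed by other core rules.
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 5" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            # Whitelist derived from learning-mode logs: apostrophes are
            # legitimate in the search box, so rule 1013 is exempted for the
            # "q" argument on /search only. Keep whitelists this narrow; a
            # "wl:0" on a whole zone switches scoring off for that zone.
            BasicRule wl:1013 "mz:$URL:/search|$ARGS_VAR:q";

            # Virtual patch for an assumed vulnerable endpoint: block outright
            # (s:BLOCK, independent of the counters) when the "file" argument
            # of /download contains "../". Id chosen above the core rule range.
            BasicRule "str:../" "msg:vpatch: traversal in file param" "mz:$URL:/download|$ARGS_VAR:file" "s:BLOCK" id:42000001;

            proxy_pass http://app;
        }

        # Blocked requests are redirected here internally; an unusual status
        # such as 418 makes them easy to pick out of the access log.
        location /RequestDenied {
            return 418;
        }
    }
}
```

Because NAXSI directives are location-scoped, every location that should be protected needs its own SecRulesEnabled; a location that only has proxy_pass is not covered. Run `nginx -t` after editing rules, since a malformed mz: or s: string is rejected at load time rather than at request time.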

Ratings Breakdown

Ease of Use 2.8/5
Value for Money 4.5/5
Customer Support 2.5/5
Features 3.2/5

Key Features

Scoring-Based Detection

Each matching generic rule adds points to one or more named score counters (for example $SQL, $XSS or $TRAVERSAL). A request is blocked when a counter reaches the threshold set by a CheckRule directive, rather than on an exact signature match.

Learning Mode

Logs which rules fire on live traffic instead of blocking it. Those log entries are the input for automatically generated whitelist rules covering legitimate application behavior, which reduces manual tuning effort during initial deployment.
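The script below is an added example for this page, not a tool from the NAXSI project, showing what whitelist generation from learning-mode output looks like. NAXSI records each scored request as a NAXSI_FMT entry in the nginx error log, with zoneN/idN/var_nameN triples naming every rule that fired. The script aggregates those triples per URI and emits the narrowest BasicRule whitelist for combinations seen often enough from enough distinct clients, so a one-off injection attempt does not get whitelisted. The log lines are constructed for the example, the field names (config=learning in recent releases, learning=1 in older ones) follow the NAXSI_FMT layout as far as it is known here, and the hit and client thresholds are this example's heuristic.

```python
"""Turn NAXSI learning-mode log lines into BasicRule whitelists.

Added example for this page, not part of NAXSI. Sample log lines are
constructed; the NAXSI_FMT field names may differ between versions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample: three real users whose search terms contain an
# apostrophe (rule 1013 on ARGS var "q"), and one SQL injection attempt
# against /admin/login that fires rules 1000, 1013 and 1007.
SAMPLE_LOG = """\
2025/01/10 12:00:01 [error] 1234#0: *1 NAXSI_FMT: ip=203.0.113.5&server=app.example.com&uri=/search&config=learning&cscore0=$SQL&score0=4&cscore1=$XSS&score1=8&zone0=ARGS&id0=1013&var_name0=q, client: 203.0.113.5, server: app.example.com, request: "GET /search?q=o'reilly HTTP/1.1"
2025/01/10 12:00:07 [error] 1234#0: *2 NAXSI_FMT: ip=203.0.113.9&server=app.example.com&uri=/search&config=learning&cscore0=$SQL&score0=4&cscore1=$XSS&score1=8&zone0=ARGS&id0=1013&var_name0=q, client: 203.0.113.9, server: app.example.com, request: "GET /search?q=d'angelo HTTP/1.1"
2025/01/10 12:00:09 [error] 1234#0: *3 NAXSI_FMT: ip=203.0.113.2&server=app.example.com&uri=/search&config=learning&cscore0=$SQL&score0=4&cscore1=$XSS&score1=8&zone0=ARGS&id0=1013&var_name0=q, client: 203.0.113.2, server: app.example.com, request: "GET /search?q=l'hopital HTTP/1.1"
2025/01/10 12:01:00 [error] 1234#0: *4 NAXSI_FMT: ip=198.51.100.7&server=app.example.com&uri=/admin/login&config=learning&cscore0=$SQL&score0=12&cscore1=$XSS&score1=8&zone0=ARGS&id0=1000&var_name0=user&zone1=ARGS&id1=1013&var_name1=user&zone2=ARGS&id2=1007&var_name2=user, client: 198.51.100.7, server: app.example.com, request: "GET /admin/login?user='%20union%20select%201-- HTTP/1.1"
"""

FMT_RE = re.compile(r"NAXSI_FMT: (?P<body>.*?)(?:, client: |$)")
HIT_RE = re.compile(r"^(zone|id|var_name)(\d+)$")

# Zone names as NAXSI logs them, mapped to the match-zone keyword that
# names a single variable inside that zone.
ZONE_VAR = {"ARGS": "$ARGS_VAR", "BODY": "$BODY_VAR", "HEADERS": "$HEADERS_VAR"}


def parse_naxsi_fmt(line):
    """Return {'ip', 'uri', 'learning', 'hits': [(zone, rule_id, var_name)]}
    for a NAXSI_FMT line, or None for any other log line."""
    m = FMT_RE.search(line)
    if not m:
        return None
    fields = dict(parse_qsl(m.group("body"), keep_blank_values=True))
    grouped = defaultdict(dict)          # hit index -> {zone, id, var_name}
    for key, value in fields.items():
        hm = HIT_RE.match(key)
        if hm:
            grouped[int(hm.group(2))][hm.group(1)] = value
    return {
        "ip": fields.get("ip"),
        "uri": fields.get("uri"),
        # Recent releases log config=learning; older ones log learning=1.
        "learning": fields.get("config") == "learning" or fields.get("learning") == "1",
        "hits": [
            (h["zone"], int(h["id"]), h.get("var_name") or None)
            for _, h in sorted(grouped.items())
            if "zone" in h and "id" in h
        ],
    }


def make_whitelist(uri, zone, rule_id, var_name):
    """Build the narrowest whitelist for one hit: this rule, this URL, and
    this variable only. A zone logged as e.g. "ARGS|NAME" means the rule
    matched the parameter name, so the |NAME flag is carried over."""
    base_zone, _, flag = zone.partition("|")
    if var_name and base_zone in ZONE_VAR:
        target = f"{ZONE_VAR[base_zone]}:{var_name}"
    else:
        target = base_zone               # whole zone, e.g. URL or FILE_EXT
    mz = f"$URL:{uri}|{target}" + (f"|{flag}" if flag else "")
    return f'BasicRule wl:{rule_id} "mz:{mz}";'


def whitelist_candidates(log_text, min_hits=3, min_clients=2):
    """Whitelist lines for (uri, zone, rule, variable) combinations seen at
    least min_hits times from at least min_clients distinct IPs while in
    learning mode. Lines logged in blocking mode are real blocks and are
    ignored. Thresholds are this example's heuristic, not NAXSI's."""
    hits = defaultdict(int)
    clients = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_naxsi_fmt(line)
        if not rec or not rec["learning"]:
            continue
        for zone, rule_id, var_name in rec["hits"]:
            key = (rec["uri"], zone, rule_id, var_name)
            hits[key] += 1
            clients[key].add(rec["ip"])
    return [
        make_whitelist(*key)
        for key in sorted(hits, key=lambda k: (k[0], k[1], k[2], k[3] or ""))
        if hits[key] >= min_hits and len(clients[key]) >= min_clients
    ]


if __name__ == "__main__":
    for rule in whitelist_candidates(SAMPLE_LOG):
        print(rule)
```

On the constructed sample this yields a single line, `BasicRule wl:1013 "mz:$URL:/search|$ARGS_VAR:q";`, while the injection attempt against /admin/login stays unwhitelisted because it was seen once from one client. Review every generated line before pasting it into a location block: a whitelist is a permanent blind spot for that rule on that parameter.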

Virtual Patching

Apply custom rules to block a specific vulnerability without modifying application code. A rule can target the raw request or be restricted with match zones (mz:) to a URL, a zone such as ARGS, BODY, URL or HEADERS, or a single named argument, body field or header, and can block outright instead of adding to a score.

Deny-by-Default

Operates like a DROP-by-default firewall. Common attack characters and patterns score against every request, and only an explicit whitelist for the target application's URL, zone or parameter exempts them.

Lightweight Footprint

Written in C with only libpcre as a dependency. Adds minimal overhead to NGINX request processing.

Dynamic Module Support

Can be compiled as a dynamic NGINX module, allowing it to be loaded without recompiling NGINX from source.

Pros & Cons

Pros

  • Completely free and open source

    GPLv3 licensed with no paid tiers. Zero cost beyond infrastructure and administration time.

  • Minimal resource usage

    Tiny C module with one dependency. Adds negligible latency compared to heavier WAF solutions.

  • Not signature-dependent

    Generic pattern scoring means unknown attacks are still caught if they use suspicious characters or structures.

  • Learning mode reduces tuning time

    Auto-generates whitelists from real traffic, making initial deployment faster than writing rules by hand.

  • Tight NGINX integration

    Runs inside NGINX as a module. No extra proxy hop, no separate service to manage.

Cons

  • NGINX only

    No support for Apache, IIS, Envoy, or other web servers. If you switch off NGINX, you lose your WAF.

  • Community-maintained fork

    The original project was archived. The active fork has a single primary maintainer, which is a bus factor risk.

  • No management UI

    Configuration is entirely file-based. No dashboard, no centralized management, no analytics out of the box.

  • Whitelist maintenance burden

    The deny-by-default model means every legitimate edge case needs a whitelist rule. Complex applications require ongoing tuning.

  • Smaller ecosystem than ModSecurity

    Fewer third-party integrations, smaller community, and no equivalent of the OWASP Core Rule Set.

Pricing

Pricing model: Free (Open Source, GPLv3)

Open Source

Free

Full WAF module, self-managed

  • Scoring-based attack detection
  • Auto-learning / whitelist generation
  • Virtual patching support
  • NGINX dynamic module
  • Community support via GitHub Issues

Our Verdict

NAXSI fills a specific niche well. If you run NGINX and want a minimal, free WAF that catches common attack patterns without the complexity of ModSecurity's rule language, it delivers. The scoring approach is elegant and the learning mode helps with initial deployment. But the single-maintainer fork status, the NGINX-only limitation, and the lack of any management tooling mean it is best suited to teams comfortable with hands-on configuration and monitoring. For most production environments, ModSecurity with CRS or a managed solution will be a safer long-term bet.

CVE Coverage

Based on its supported rule sets, NAXSI can detect and block attacks matching 82K+ known CVEs. Note that NAXSI keeps no per-CVE signatures: a CVE counts as covered when its exploit traffic falls into an attack class the generic rules score (SQL injection, XSS, path traversal and the like), so coverage depends on the payload using the scored characters and keywords rather than on the CVE being individually tracked.

13K+
Critical
17K+
High
33K+
Medium
420
Low


Latest Blockable CVEs

CVE Severity
CVE-2026-4755 UNKNOWN
CVE-2026-4754 UNKNOWN
CVE-2026-4745 UNKNOWN
CVE-2026-4662 HIGH
CVE-2026-4632 HIGH
CVE-2026-4627 HIGH
CVE-2026-4741 UNKNOWN
CVE-2026-4626 LOW
CVE-2026-4625 HIGH
CVE-2026-4624 HIGH

Frequently Asked Questions

Is NAXSI still maintained?
The original NBS System repository was archived in November 2023. Development continues in an active fork by wargio (Giovanni Dante Grazioli), the last active developer from the original project. The fork receives regular updates and bug fixes.
How does NAXSI compare to ModSecurity?
NAXSI uses a simpler scoring model with fewer, more generic rules. ModSecurity offers a more powerful rule language (SecRule) and benefits from the OWASP Core Rule Set. NAXSI is lighter and easier to get started with, but ModSecurity provides more granular control for complex environments.
Can NAXSI work with Apache or other web servers?
No. NAXSI is specifically built as an NGINX module and only works with NGINX. For Apache, consider ModSecurity. For multi-server environments, look at Coraza or cloud-based WAFs.
Does NAXSI support the OWASP Core Rule Set?
No. NAXSI uses its own rule format and scoring system, which is incompatible with CRS. It ships with a default set of core rules that cover common attack patterns like XSS and SQL injection.
