Configuration Alerts

Open Directory (opendir)

What is it

A web server misconfiguration that allows visitors to browse directory contents (e.g., /files/) instead of being restricted to specific web pages.

How is it detected

Nimbusec searches for file directory listing when visiting webpage.

Alert levels

YELLOW – Can expose sensitive files and aid in targeted attacks.

Recommended action

Disable directory listing.
Store sensitive files outside web-accessible directories.
Conduct regular audits of file paths exposed to the internet.

PHP Error Display

What is it

When PHP error messages are displayed directly in the browser instead of being hidden and logged securely.

How is it detected

Nimbusec searches for php error message when visiting webpage.

Alert levels

YELLOW – Reveals internal system details (file paths, queries, API keys) that attackers can exploit.

Recommended action

Disable display_errors in production environments.
Log errors to a secure server or file instead of displaying them publicly.
Implement custom error pages for users.
Regularly review logs for abnormal or repeated errors.

Public Config

What is it

Apache status pages are checked for public access without authentication.

How is it detected

Nimbusec checks /server-info /server-status for public accessibility

Alert levels

YELLOW – Reveals internal system details, which can lead to different attack vectors.

Recommended action

Apply “private by default” permissions to all storage resources.
Use encryption and authentication for all sensitive files.
Enable monitoring for unauthorized public access changes.

Security Header Config

What is it

Missing or misconfigured HTTP response headers that strengthen browser-level protections against attacks.

Occures when SHR grade is lower than "D".

How is it detected

Nimbusec calculates a grade from A to F for the Security Headers of scanned domains based on Mozilla Observatory.

Common headers include CSP, HSTS, X-Frame-Options, and X-Content-Type-Options.

Alert levels

YELLOW – Increases exposure to XSS, clickjacking, and MITM attacks.

Recommended action

Add and properly configure key security headers.
Follow OWASP Secure Headers Project guidelines.
Review headers after web server or app updates.

API Documentation

FQL Documentation

Installation on Linux

Installation on Windows

Agent Configuration

Docker Image

Configuration

Reputation

Transport Layer Security (TLS)

Verifying PDF Integrity

Compliance Monitoring Issues

Security Header Ratings

Two factor authentication

What is Discovery?

What is Nimbusec?

Alert actions

Blacklist alerts

Content alerts

Fading out results

Server side alerts

Reputation Alerts

Issue and Event overview

Nimbusec Website Security Monitor Issue Types (Short)

Configuration Alerts

Incident Response - Website Cleanup

Sync domains in a hosting environment automatically

Nimbusec WSM - Available Data

Discovery Webhooks

Nimbusec Webhooks

Plesk - Nimbusec Webhosting Security

Configuration Alerts

Open Directory (opendir)

What is it

How is it detected

Alert levels

Recommended action

PHP Error Display

What is it

How is it detected

Alert levels

Recommended action

Public Config

What is it

How is it detected

Alert levels

Recommended action

Security Header Config

What is it

How is it detected

Alert levels

Recommended action