Make nginx-14 and nginx-16 disabled by default based on dev-sec/nginx-baseline#21

controls/nginx_spec.rb

@@ -75,6 +75,18 @@
   default: 'GET\|HEAD\|POST'
 )
 
+HTTP_METHODS_CHECK = attribute(
+  'http_methods_check',
+  description: 'Defines if http_methods should be checked in the nginx configuration',
+  default: false
+)
+
+NGINX_COOKIE_FLAG_MODULE = attribute(
+  'nginx_cookie_flag_module',
+  description: 'Defines if nginx has been compiled with nginx_cookie_flag_module',
+  default: false
+)
+
 only_if do
   command('nginx').exist?
 end
@@ -249,6 +261,7 @@
   desc 'Disable insecure HTTP-methods and allow only necessary methods.'
   ref 'OWASP HTTP Methods', url: 'https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)'
 
+  only_if { HTTP_METHODS_CHECK != false }
   describe file(nginx_conf) do
     its('content') { should match(/^\s*if\s+\(\$request_method\s+\!\~\s+\^\(#{HTTP_METHODS}\)\$\)\{?$/) }
   end
@@ -267,6 +280,7 @@
   impact 1.0
   title 'Set cookie with HttpOnly and Secure flag'
   desc 'You can mitigate most of the common Cross Site Scripting attack using HttpOnly and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible to steal or manipulate web application session and cookies and it’s dangerous.'
+  only_if { NGINX_COOKIE_FLAG_MODULE != false }
   describe parse_config_file(nginx_hardening, options_add_header) do
     its('content') { should match(/^\s*set_cookie_flag * HttpOnly secure;$/) }
   end