During an enterprise-wide security audit it was found that sending a GET request to https://PortalIP/nginx_status
returns an HTTP 200 response with basic server statistics along the following lines:
Active Connections: xx
server accepts handled requests
xxxxxx xxxxxx xxxxxx
Reading: xx Writing: xx Waiting: xx
The nginx_status endpoint is the nginx stub_status page. It reports how many connections the nginx service has accepted and handled, how many requests it has served, and how many connections are currently active (reading, writing or waiting). None of this is secret by itself, but it tells an attacker how heavily this web server is used and how much traffic it sees, so it should not be reachable from untrusted networks.
How can we restrict access to the nginx_status endpoint?
CA API Developer Portal 5.x
The nginx_status page is already configured with restrictive access.
Within the portal dispatcher container the following file is present:
/etc/nginx/server_base.conf
This file contains the following pertaining to the nginx_status:
location = /nginx_status {
    stub_status;
    access_log /dev/stdout;
    allow 127.0.0.1;
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    allow 192.168.0.0/16;
    allow 240.128.192.0/19;
    allow 240.224.0.0/16;
    deny all;
}
As the allow and deny directives show, nginx only serves this location to clients whose source address falls in one of the listed ranges (the loopback address, the three RFC 1918 private ranges and the two 240.x ranges above). nginx checks the rules in the order they appear and stops at the first match, so the final deny all rejects every other client with HTTP 403.
If the audit request nevertheless received a 200, check which source address nginx actually matched against these rules: the location logs every request to the container's stdout (access_log /dev/stdout), so the dispatcher container's log shows the remote address for the audit request. A scanner running inside one of the allowed private ranges, or a load balancer or reverse proxy in front of the dispatcher whose own address is in one of those ranges, will match an allow rule even though the request originated elsewhere. In that case narrow the allow list in /etc/nginx/server_base.conf to the hosts that genuinely need the statistics, and apply the change through whatever mechanism you use to customise the dispatcher container, since an edit made inside a running container does not survive a redeploy.
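The following is an added example, not CA API Developer Portal code, to show how the allow/deny block above is evaluated and to help decide whether an auditor's request should have been admitted. It reproduces the first-match semantics of nginx's ngx_http_access_module (rules are checked in order, the first match decides, and a request that matches no rule is allowed, which is why the trailing deny all matters), and then checks constructed access-log lines of the kind nginx writes to /dev/stdout against the expected verdict. The log lines, the client addresses and the user-agent strings are all made up for the example.

```python
"""Offline evaluation of an nginx allow/deny block (added example, not Portal code).

Parses the allow/deny directives of a location block the way
ngx_http_access_module applies them: in order, first match wins, and a
request matching no rule is allowed. Then compares constructed access-log
lines against the verdict each source address should have received.
"""
import ipaddress
import re

# Copy of the /nginx_status location from /etc/nginx/server_base.conf.
NGINX_STATUS_LOCATION = """
location = /nginx_status {
    stub_status;
    access_log /dev/stdout;
    allow 127.0.0.1;
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    allow 192.168.0.0/16;
    allow 240.128.192.0/19;
    allow 240.224.0.0/16;
    deny all;
}
"""

RULE_RE = re.compile(r"^\s*(allow|deny)\s+(\S+?)\s*;", re.MULTILINE)


def parse_access_rules(config_text):
    """Return [(verdict, network), ...] in the order nginx evaluates them.

    'all' is represented by None. A bare address such as 127.0.0.1 becomes a
    host network (/32), which is how nginx treats it.
    """
    rules = []
    for verdict, target in RULE_RE.findall(config_text):
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((verdict, net))
    return rules


def evaluate(rules, client_ip):
    """Apply the rules as nginx does: the first matching rule decides.

    Returns 'allow' or 'deny'. With no matching rule nginx allows the request.
    """
    addr = ipaddress.ip_address(client_ip)
    for verdict, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return verdict
    return "allow"


# Constructed access-log lines (nginx 'combined' format) for the example.
# The first field is $remote_addr, the address the allow/deny rules saw.
# The last line is deliberately inconsistent with the config: a public
# address that got a 200 means the running rules differ from the file, or a
# proxy in an allowed range is forwarding for it.
SAMPLE_LOG = """\
10.20.30.40 - - [12/Mar/2024:10:15:01 +0000] "GET /nginx_status HTTP/1.1" 200 97 "-" "ExampleScanner/1.0"
203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "GET /nginx_status HTTP/1.1" 403 153 "-" "curl/8.4.0"
172.31.0.5 - - [12/Mar/2024:10:15:03 +0000] "GET /nginx_status HTTP/1.1" 200 97 "-" "curl/8.4.0"
198.51.100.9 - - [12/Mar/2024:10:15:04 +0000] "GET /nginx_status HTTP/1.1" 200 97 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3})')


def audit_log(rules, log_text):
    """For each log line return (source, expected verdict, observed verdict, agrees).

    A 200 is read as 'allow' and a 403 as 'deny'; anything else is 'other'.
    A row with agrees == False deserves investigation.
    """
    report = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, status = m.group(1), m.group(2)
        expected = evaluate(rules, src)
        observed = {"200": "allow", "403": "deny"}.get(status, "other")
        report.append((src, expected, observed, expected == observed))
    return report


if __name__ == "__main__":
    rules = parse_access_rules(NGINX_STATUS_LOCATION)
    for ip in ("10.1.2.3", "203.0.113.7", "240.128.200.1", "172.32.0.1"):
        print(f"{ip:>15} -> {evaluate(rules, ip)}")
    for row in audit_log(rules, SAMPLE_LOG):
        print(row)
```

Run it against the real stdout log of the dispatcher container by replacing SAMPLE_LOG with the captured lines; any row whose observed verdict is "allow" for an address the rules should deny points at a proxy or load balancer sitting in an allowed range, or at a running configuration that no longer matches server_base.conf.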