Hello, Guest

You seem to be interested in what's here, but haven't registered for an account yet or perhaps haven't logged in.
When you create an account, we will be able to remember what you've already read, so you can pick up exactly where you left off when you come back.

Oh, and it'll also get rid of this really annoying box.....

Securing your webserver against common attacks

  • Founder admin

    It surprises me (well, actually, dismays me in most cases) that new websites appear online all the time who have clearly spent an inordinate amount of time on cosmetics / appearance, and decent hosting, yet failed to address the elephant in the room when it comes to actually securing the site itself. Almost all the time, when I perform a quick security audit using something simple like https://securityheaders.io, I see this

    1617012754-453055-image.png

    Not a pretty sight. Not only does this expose your site to unprecedented risk, but also looks bad when others decide to perform a simple (and very public) check. Worse still is the sheer number of so called "security experts" who claim to solve all of your security issues with their "silver bullet" solution (sarcasm intended), yet have neglected to get their own house in order. So that can you do to resolve this issue ? It's actually much easier than it seems. Dependant on the web server you are running, you can include these headers.

    Apache

    <IfModule mod_headers.c>
    Header set X-Frame-Options "SAMEORIGIN"
    header set X-XSS-Protection "1; mode=block"
    Header set X-Download-Options "noopen"
    Header set X-Content-Type-Options "nosniff"
    Header set Content-Security-Policy "upgrade-insecure-requests"
    Header set Referrer-Policy 'no-referrer' add
    Header set Feature-Policy "geolocation 'self' https://yourdomain.com"
    Header set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
    Header set X-Powered-By "Whatever text you want to appear here"
    Header set Access-Control-Allow-Origin "https://yourdomain.com"
    Header set X-Permitted-Cross-Domain-Policies "none"
    Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    </IfModule>
    

    NGINX

    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Download-Options "noopen" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "upgrade-insecure-requests" always;
    add_header Referrer-Policy 'no-referrer' always;
    add_header Feature-Policy "geolocation 'self' https://yourdomain.com" always;
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=();";
    add_header X-Powered-By "Whatever text you want to appear here" always;
    add_header Access-Control-Allow-Origin "https://yourdomain.com" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always;
    

    Note, that https://yourdomain.com should be changed to reflect your actual domain. This is just a placeholder to demonstrate how the headers need to be structured.

    Restart Apache or NGINX, and then perform the test again.

    1617013248-55340-image.png

    That's better !

    More detail around these headers can be found here

Suggested Topics

  • 1
  • 1
  • 1