Closed MartinWahnschaffe closed 5 years ago
Result from securityheaders.com (for sormas.symeda.de): A
Missing Headers:
For pentest.sormas.org some settings seem to be missing. This needs to be added to the server setup documentation:

```apache
Header always set X-Content-Type-Options "nosniff"
Header always set X-Xss-Protection "1; mode=block"
# Disable Caching
Header always set Cache-Control "no-cache, no-store, must-revalidate, private"
Header always set Pragma "no-cache"
# The Content-Type header was either missing or empty.
# Ensure each page is setting the specific and appropriate content-type value for the content being delivered.
AddType application/vnd.ms-fontobject .eot
AddType application/x-font-opentype .otf
AddType image/svg+xml .svg
AddType application/x-font-ttf .ttf
AddType application/font-woff .woff
```
For the Apache 2 security configuration we suggest the following settings (/etc/apache2/conf-available/security.conf):

```apache
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header unset X-Frame-Options
Header always set X-Frame-Options SAMEORIGIN
Header unset Referrer-Policy
Header always set Referrer-Policy "same-origin"
Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1;HttpOnly"
Header edit Set-Cookie "(?i)^((?:(?!;\s?Secure).)+)$" "$1;Secure"
Header unset X-Powered-By
Header unset Server
```
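To check that a deployed server really emits the header set listed above (both the missing-headers block and the security.conf block), here is an added Python checker; it is not part of the issue or of SORMAS. It compares a response's headers against the values in the directives, re-applies the two `Header edit Set-Cookie` regexes from the config to see whether a cookie would be rewritten (i.e. lacks a flag), and runs on a constructed sample response, not on a capture from any SORMAS host.

```python
import re
# Expected values are those the issue's Apache directives set (header names compared case-insensitively).
REQUIRED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "pragma": "no-cache",
    "x-frame-options": "sameorigin",
    "referrer-policy": "same-origin",
}
CACHE_TOKENS = ("no-cache", "no-store", "must-revalidate", "private")
FORBIDDEN_HEADERS = ("server", "x-powered-by")  # 'Header unset' in security.conf
MIN_HSTS_AGE = 15768000  # max-age from the suggested Strict-Transport-Security value
# The two 'Header edit Set-Cookie' rules from the issue, reused verbatim as Python regexes.
COOKIE_EDITS = [
    (re.compile(r"(?i)^((?:(?!;\s?HttpOnly).)+)$"), r"\1;HttpOnly"),
    (re.compile(r"(?i)^((?:(?!;\s?Secure).)+)$"), r"\1;Secure"),
]

def apply_cookie_edits(set_cookie: str) -> str:
    """Emulate the Header edit rules: a flag is appended only when the cookie lacks it."""
    for pattern, repl in COOKIE_EDITS:
        set_cookie = pattern.sub(repl, set_cookie)
    return set_cookie

def check_headers(headers: dict) -> list:
    """Return findings for one response's headers; an empty list means it matches the issue's config."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, expected in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif h[name].strip().lower() != expected:
            findings.append(f"{name} is '{h[name]}', expected '{expected}'")
    present = {t.strip().lower() for t in h.get("cache-control", "").split(",")}
    findings += [f"cache-control lacks {t}" for t in CACHE_TOKENS if t not in present]
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts, re.I)
    if not age or int(age.group(1)) < MIN_HSTS_AGE or "includesubdomains" not in hsts.lower():
        findings.append("strict-transport-security missing or weaker than the suggested value")
    findings += [f"{n} should be unset (value '{h[n]}')" for n in FORBIDDEN_HEADERS if n in h]
    cookie = h.get("set-cookie")
    if cookie is not None and apply_cookie_edits(cookie) != cookie:
        findings.append("set-cookie lacks HttpOnly and/or Secure")
    return findings

# Constructed sample response (not captured from any SORMAS server) that trips most checks.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4", "Content-Type": "text/html; charset=UTF-8",
    "Cache-Control": "no-cache", "Set-Cookie": "JSESSIONID=abc123; Path=/",
    "Strict-Transport-Security": "max-age=31536000"}
```

Feed it the header dict of a real response (e.g. from `curl -sI`) and every non-empty finding is one directive from the blocks above that the server is not honouring.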
Result from ssllabs.com: B
This server does not support Forward Secrecy with the reference browsers. Grade capped to B. https://blog.qualys.com/ssllabs/2018/02/02/forward-secrecy-authenticated-encryption-and-robot-grading-update?_ga=2.60741165.1050650309.1554125869-1803043229.1553519303
Fix configuration on servers
See also #1218
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
For apache config: