emb417 / metaforiq-next

Personal portfolio and app to demo fun projects: canvas typewriter, canvas force rain matrix style, virtual pinball league data visualizations and libowski.
https://www.metaforiq.com

WWW - DNS / Security / Headers #31

Closed emb417 closed 2 months ago

emb417 commented 2 months ago

metaforiq sec report.pdf

emb417 commented 2 months ago
C Error - no preferred version www or non-www. Select one version as preferred version, then add a redirect https + not-preferred version to https + preferred version. Perhaps in your port 443 vHost something like "RewriteEngine on" + "RewriteCond %{SERVER_NAME} = example.com" + "RewriteRule ^ https://www.example.com%{REQUEST_URI} [END,QSA,R=permanent]" (three rows, without the "). That should create a redirect https + example.com ⇒ https + www.example.com. Or switch both values to use the non-www version as your preferred version.

C Error - more than one version with Http-Status 200. After all redirects, all users (and search engines) should see the same https url: non-www or www, but not both with http status 200.
emb417 commented 2 months ago

HSTS-Preload-Status: unknown. Domain never included in the Preload-list. Check https://hstspreload.org/ to learn some basics about the Google-Preload-List.

https://hstspreload.org/?domain=metaforiq.com

emb417 commented 2 months ago

Old connection: Cipher Suites without Forward Secrecy (FS) found. Remove all of these Cipher Suites, use only Cipher Suites with Forward Secrecy: starting with ECDHE- or DHE- (the last "E" says: "ephemeral"). Or use TLS 1.3, then all Cipher Suites use FS. 16 Cipher Suites without Forward Secrecy found.

https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html
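The forward-secrecy rule above (ephemeral key exchange means a name starting with ECDHE- or DHE-, or any TLS 1.3 suite) as a small audit script. This is an added example, not code from the issue or the metaforiq project; the sample suite list is constructed and is not the real scan result, and the hardened server context shows the kind of cipher restriction that would clear the finding.

```python
"""Classify TLS cipher suites by forward secrecy. Added example, not from the
original issue or the metaforiq project; accepts OpenSSL names
(ECDHE-RSA-AES128-GCM-SHA256) and IANA names (TLS_ECDHE_RSA_WITH_...)."""
import re
import ssl

# RFC 8446 suites carry no key-exchange token: TLS 1.3 is always ephemeral.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}
EPHEMERAL_KEX = {"ECDHE", "DHE"}  # the trailing "E" means ephemeral

def key_exchange_token(suite: str) -> str:
    """First token after an optional 'TLS_' prefix. OpenSSL shorthand such
    as 'AES128-GCM-SHA256' (RSA key exchange) yields 'AES128', not 'RSA',
    which is still correctly classified as non-ephemeral."""
    name = suite.strip().upper()
    if name.startswith("TLS_"):
        name = name[4:]
    return re.split(r"[-_]", name, maxsplit=1)[0]

def has_forward_secrecy(suite: str) -> bool:
    name = suite.strip().upper()
    return name in TLS13_SUITES or key_exchange_token(name) in EPHEMERAL_KEX

def audit(suites):
    """Split an offered suite list into (fs, no_fs), like the report's count."""
    fs = [s for s in suites if has_forward_secrecy(s)]
    no_fs = [s for s in suites if not has_forward_secrecy(s)]
    return fs, no_fs

def hardened_server_context() -> ssl.SSLContext:
    """Server context offering only (EC)DHE suites for TLS 1.2 plus TLS 1.3.
    Every suite it reports via get_ciphers() passes has_forward_secrecy()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx

# Constructed sample offer, not the real scan result for metaforiq.com.
SAMPLE_OFFER = [
    "TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384", "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "ECDH-RSA-AES128-SHA",
]
```

Static ECDH (ECDH-RSA-...) and plain RSA key exchange are the non-FS cases the scanner counts; feeding it the suite list from your own server's scan output gives the same split the report shows.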

emb417 commented 2 months ago