Open gauntface opened 8 years ago
### NGINX

https://httpsecurityreport.com/best_practice.html#server

http://www.acunetix.com/blog/articles/configure-web-server-disclose-identity/

```nginx
server_tokens off;
```

### PHP

http://www.ducea.com/2006/06/16/apache-tips-tricks-hide-php-version-x-powered-by/

This is to remove the: `X-Powered-By: PHP/5.4.36-0+deb7u3`

In php.ini:

```ini
expose_php = Off
```

### Frame Options

https://httpsecurityreport.com/best_practice.html#frameOptions

Need to add the following headers:

```nginx
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;
# add_header takes "name value", so no colon after the header name
add_header X-Content-Type-Options nosniff;
```

### Content Security Policy

This is pretty hardcore, but would be great to prevent injected ads.

https://httpsecurityreport.com/best_practice.html#contentSecurityPolicy

### Public Key Pins

https://httpsecurityreport.com/best_practice.html#publicKeyPins
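As an added example (not part of the issue or of the gauntface.com configuration), a small Python audit that applies the checklist above to a dict of response headers, using constructed before/after header sets rather than a live capture. Public Key Pins is left out of the check because browsers have since removed HPKP support.

```python
import re

# Constructed sample response headers (not captured from gauntface.com):
# BEFORE is a stock nginx + PHP setup, AFTER has the issue's changes applied.
BEFORE = {
    "Server": "nginx/1.6.2",
    "X-Powered-By": "PHP/5.4.36-0+deb7u3",
    "Content-Type": "text/html",
}
AFTER = {
    "Server": "nginx",
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
}
# What a client sees if the nginx directive is mistyped with a colon
# ("add_header X-Content-Type-Options: nosniff;"): the value starts with ":".
MISTYPED = dict(AFTER, **{"X-Content-Type-Options": ": nosniff"})


def audit_headers(headers):
    """Return a list of findings for one response's headers.

    Header names are matched case-insensitively, as HTTP requires, so the
    audit works on headers from any client library."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []
    # server_tokens off; reduces "nginx/1.6.2" to "nginx": flag any "/<digit>"
    server = h.get("server", "")
    if re.search(r"/\d", server):
        findings.append(f"Server discloses a version: {server!r}")
    # expose_php = Off removes X-Powered-By entirely
    if "x-powered-by" in h:
        findings.append(f"X-Powered-By present: {h['x-powered-by']!r}")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not exactly 'nosniff'")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER), ("mistyped", MISTYPED)):
        print(label, audit_headers(hdrs) or "OK")
```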
A+ on SSLLabs: https://www.ssllabs.com/ssltest/analyze.html?d=gauntface.com
CSP is the last remaining thing:
https://httpsecurityreport.com/?report=https://gauntface.com