gauntface / gf-site

Code behind gauntface.com

Security Tightening #4

Open gauntface opened 8 years ago

gauntface commented 8 years ago

https://httpsecurityreport.com/best_practice.html#server

NGINX

http://www.acunetix.com/blog/articles/configure-web-server-disclose-identity/

server_tokens off;

PHP

http://www.ducea.com/2006/06/16/apache-tips-tricks-hide-php-version-x-powered-by/

This is to remove the: X-Powered-By: PHP/5.4.36-0+deb7u3

In php.ini

expose_php = Off

Frame Options

https://httpsecurityreport.com/best_practice.html#frameOptions

Need to add the following headers

# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;
# nginx takes the header name and value as separate arguments, so no colon after the name
add_header X-Content-Type-Options nosniff;

Content Security Policy

This is pretty hardcore, but would be great to prevent injected ads

https://httpsecurityreport.com/best_practice.html#contentSecurityPolicy

Public Key Pins

https://httpsecurityreport.com/best_practice.html#publicKeyPins
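An added example (not code from the gf-site repository or from the issue author) that checks a captured set of response headers against the items in this checklist: no version string in `Server` (server_tokens off), no `X-Powered-By` (expose_php = Off), a valid `X-Frame-Options`, `X-Content-Type-Options: nosniff`, and a `Content-Security-Policy` that actually restricts a source. Public-Key-Pins is deliberately not required: HPKP has since been deprecated and removed from the major browsers, and a bad pin can lock users out of the site. The `BEFORE`/`AFTER` header sets are constructed, not captured from gauntface.com.

```python
"""Audit HTTP response headers against the hardening items in this issue.

Added example; not part of the gf-site code base. The sample headers at the
bottom are constructed for illustration.
"""
import re

# Matches a version suffix such as "nginx/1.10.3" or "PHP/5.4.36" in a header value.
VERSION_RE = re.compile(r"/\d+(\.\d+)+")


def audit_headers(headers):
    """Return {check_name: (passed, detail)} for a mapping of header name -> value.

    Header names are compared case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    results = {}

    # server_tokens off: "Server: nginx" is fine, "Server: nginx/1.10.3" is not.
    server = h.get("server", "")
    results["server_tokens"] = (
        not VERSION_RE.search(server),
        f"Server: {server!r}" if server else "no Server header",
    )

    # expose_php = Off: the X-Powered-By header should be absent entirely.
    powered = h.get("x-powered-by")
    results["expose_php"] = (
        powered is None,
        f"X-Powered-By: {powered!r}" if powered is not None else "X-Powered-By absent",
    )

    # X-Frame-Options: only DENY and SAMEORIGIN are honoured; ALLOW-FROM is obsolete.
    xfo = h.get("x-frame-options", "").strip().upper()
    results["x_frame_options"] = (
        xfo in ("DENY", "SAMEORIGIN"),
        f"X-Frame-Options: {xfo!r}" if xfo else "X-Frame-Options missing",
    )

    # X-Content-Type-Options: the only meaningful value is "nosniff".
    xcto = h.get("x-content-type-options", "").strip().lower()
    results["x_content_type_options"] = (
        xcto == "nosniff",
        f"X-Content-Type-Options: {xcto!r}" if xcto else "X-Content-Type-Options missing",
    )

    # Content-Security-Policy: must exist and carry a default-src or script-src
    # directive; a policy without either does nothing against injected scripts.
    csp = h.get("content-security-policy", "")
    directives = {d.strip().split()[0].lower() for d in csp.split(";") if d.strip()}
    results["content_security_policy"] = (
        bool(directives & {"default-src", "script-src"}),
        f"CSP directives: {sorted(directives)}" if directives else "CSP missing",
    )

    return results


def failed_checks(headers):
    """Sorted list of check names that did not pass."""
    return sorted(name for name, (ok, _) in audit_headers(headers).items() if not ok)


# Constructed samples: the same site before and after applying this issue's config.
BEFORE = {
    "Server": "nginx/1.10.3",
    "X-Powered-By": "PHP/5.4.36-0+deb7u3",
    "Content-Type": "text/html",
}

AFTER = {
    "Server": "nginx",
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; img-src 'self' https:",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for name, (ok, detail) in audit_headers(hdrs).items():
            print(f"  {'PASS' if ok else 'FAIL'} {name}: {detail}")
```

To run it against a live site, feed it the headers from a `curl -sI` call; rerun it per location, because an nginx `location` block that declares any `add_header` of its own stops inheriting the ones set at `server` level, so a header that passes on `/` can silently be missing on `/static/`.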

gauntface commented 8 years ago

A+ on SSLLabs: https://www.ssllabs.com/ssltest/analyze.html?d=gauntface.com

gauntface commented 8 years ago

CSP is the last remaining thing:

https://httpsecurityreport.com/?report=https://gauntface.com