Having an SSL certificate does not by itself mean your site is secure; there is a lot more to strengthening web site security. Most people are happy once their site runs under SSL after successfully figuring out how certbot and Let's Encrypt work.
Taking the next step is easy, as it mainly requires setting up what is called a Content Security Policy (CSP) together with a handful of other response headers.
A Content Security Policy tells the browser which origins scripts, styles, images and frames may be loaded from, and which sites may embed your pages, so injected or untrusted content is refused instead of executed. It is an essential part of good security, and on a site served over SSL it also helps keep mixed HTTP/HTTPS content out.
Strengthening web site security does not stop there. Additional server headers prevent browsers from MIME-type sniffing responses (X-Content-Type-Options), stop other people loading parts of your site inside a frame on their site (X-Frame-Options and the CSP frame-ancestors directive), switch on the legacy browser XSS filter (X-XSS-Protection, which current browsers no longer honour, so do not rely on it; the CSP is what actually limits script injection), and enforce HTTPS through HTTP Strict Transport Security (HSTS). Be careful with HSTS: browsers remember it for the whole max-age, includeSubDomains applies it to every subdomain, and once a domain is on the preload list it cannot quickly be removed, so only add preload when every host under the domain already serves HTTPS.
To check the current status of your site's security headers, visit a very useful tool at https://securityheaders.com/, type in your domain name including https://, and look at the result. You will probably see a big nasty red F at first; don't panic, because with the CSP and the following Nginx rules it takes only a few minutes to score an A.
For Nginx you simply add the following lines inside the http {} block (or a single site's server {} block) of your configuration, reload Nginx, and you are done. One Nginx caveat: add_header directives are inherited from the enclosing level only when the current level has none of its own, so a server {} or location {} block that declares even one add_header of its own silently drops all of the inherited ones; repeat the full set in such blocks. Retest and you will see a much nicer result.
Add the code below after # Mime settings; the whole section then looks like this:
# vi /etc/nginx/nginx.conf
# Mime settings
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Security headers. "always" makes Nginx send the header on error responses (4xx/5xx) too, not only on 2xx/3xx.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# Legacy header: current browsers have removed the XSS auditor, so this only helps older ones.
add_header X-XSS-Protection "1; mode=block" always;
# Replace the host below with the site(s) allowed to frame your pages; use 'self' or 'none' if nobody else should.
add_header Content-Security-Policy "frame-ancestors https://mail.datahead.biz/;" always;
add_header Referrer-Policy strict-origin-when-cross-origin always;
# Feature-Policy is the older name of Permissions-Policy, which newer browsers expect (syntax there: accelerometer=()).
add_header Feature-Policy "accelerometer 'none'; " always;
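As an added example (not code from the original post), here is a small POSIX shell script that audits a dump of response headers roughly the way securityheaders.com does, so the check can run offline or from a CI job without the hosted scanner. The three header sets inside it are constructed, not captured from a live server; the only host it mentions is the mail.datahead.biz frame-ancestors entry from the configuration above, and example.com in the usage comment is a placeholder for your own site. Against a live site, pipe `curl -sI https://your-site` into `audit_headers`.

```shell
#!/bin/sh
# Added example (not from the original post): audit a dump of HTTP response
# headers for the hardening headers discussed above, roughly as
# securityheaders.com does. The header sets below are constructed, not captured.
#
# Live use:  curl -sI https://example.com | audit_headers     (example.com is a placeholder)

# Header names every response should carry. Feature-Policy is the older name
# of Permissions-Policy, so either one satisfies that check.
REQUIRED_HEADERS="strict-transport-security x-frame-options x-content-type-options content-security-policy referrer-policy permissions-policy|feature-policy"

# One year in seconds: the minimum HSTS max-age hstspreload.org accepts.
HSTS_MIN_AGE=31536000

# audit_headers: reads raw response headers on stdin, prints one line per
# check and a final "TOTAL n" line with the number of problems found.
audit_headers() {
    # Strip CRs, keep only "name: value" lines, lower-case the names.
    hdrs=$(tr -d '\r' | awk -F: 'NF > 1 { printf "%s:%s\n", tolower($1), substr($0, length($1) + 2) }')
    problems=0
    for name in $REQUIRED_HEADERS; do
        if printf '%s\n' "$hdrs" | grep -Eq "^($name):"; then
            echo "OK       $name"
        else
            echo "MISSING  $name"
            problems=$((problems + 1))
        fi
    done
    # X-XSS-Protection is deprecated: current browsers ignore it, so it is
    # reported for information only and never counted either way.
    if printf '%s\n' "$hdrs" | grep -q '^x-xss-protection:'; then
        echo "INFO     x-xss-protection present but deprecated; rely on CSP instead"
    fi
    # HSTS below one year is honoured by browsers but too short for preload.
    hsts=$(printf '%s\n' "$hdrs" | grep '^strict-transport-security:' | head -n 1)
    if [ -n "$hsts" ]; then
        age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
        if [ -z "$age" ] || [ "$age" -lt "$HSTS_MIN_AGE" ]; then
            echo "WEAK     strict-transport-security max-age=${age:-unset} (want >= $HSTS_MIN_AGE)"
            problems=$((problems + 1))
        fi
    fi
    echo "TOTAL    $problems problem(s)"
}

# missing_count: just the number from the TOTAL line, for use in scripts.
missing_count() {
    audit_headers | sed -n 's/^TOTAL  *\([0-9]*\).*/\1/p'
}

# Constructed sample 1: what the Nginx configuration above should return.
HARDENED=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: frame-ancestors https://mail.datahead.biz/;
Referrer-Policy: strict-origin-when-cross-origin
Feature-Policy: accelerometer 'none';
EOF
)

# Constructed sample 2: a default install with no hardening headers at all.
BARE=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
EOF
)

# Constructed sample 3: everything present, but HSTS far too short to preload.
SHORT_HSTS=$(cat <<'EOF'
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
Referrer-Policy: no-referrer
Permissions-Policy: accelerometer=()
EOF
)

printf '%s\n' "$HARDENED" | audit_headers      # ends with: TOTAL    0 problem(s)
```

The script deliberately grades X-XSS-Protection as informational rather than as a pass or fail, and it treats an HSTS max-age under a year as a problem because that is the threshold hstspreload.org requires; adjust those two rules if your scanner of choice grades them differently.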
QUESTION?
Does this make my web site ultra secure? Well, yes, it does add some very necessary security headers to your web site's configuration, but security does not stop here.
Security Scan & Recommendation:
https://observatory.mozilla.org/
https://app.upguard.com/
https://securityheaders.com/
https://hstspreload.org
https://tls.imirhil.fr
https://csp-evaluator.withgoogle.com/
Content Security Policy (CSP)
https://developers.google.com/web/fundamentals/security/csp/
https://support.google.com/webmasters/answer/6073543?hl=en
https://blog.codeship.com/how-to-get-started-with-a-content-security-policy/
https://stackoverflow.com/questions/34669075/can-content-security-policy-be-made-compatible-with-google-analytics-and-adsense
Mozilla Security Guide:
https://infosec.mozilla.org/guidelines/web_security
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security