Skip to content
Sudonix

Securing your webserver against common attacks

Blog
  • phenomlabundefined

    1622031373927-headers-min.webp

    It surprises me (well, actually, dismays me in most cases) that new websites appear online all the time who have clearly spent an inordinate amount of time on cosmetics / appearance, and decent hosting, yet failed to address the elephant in the room when it comes to actually securing the site itself. Almost all the time, when I perform a quick security audit using something simple like the below

    https://securityheaders.io

    I often see something like this

    Not a pretty sight. Not only does this expose your site to unprecedented risk, but also looks bad when others decide to perform a simple (and very public) check. Worse still is the sheer number of so called “security experts” who claim to solve all of your security issues with their “silver bullet” solution (sarcasm intended), yet have neglected to get their own house in order. So that can you do to resolve this issue ? It’s actually much easier than it seems. Dependant on the web server you are running, you can include these headers.

    Apache

    <IfModule mod_headers.c>
Header set X-Frame-Options "SAMEORIGIN"
header set X-XSS-Protection "1; mode=block"
Header set X-Download-Options "noopen"
Header set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "upgrade-insecure-requests"
Header set Referrer-Policy 'no-referrer' add
Header set Feature-Policy "geolocation 'self' https://yourdomain.com"
Header set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
Header set X-Powered-By "Whatever text you want to appear here"
Header set Access-Control-Allow-Origin "https://yourdomain.com"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</IfModule>

    NGINX

    add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block";
add_header X-Download-Options "noopen" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Content-Security-Policy "upgrade-insecure-requests" always;
add_header Referrer-Policy 'no-referrer' always;
add_header Feature-Policy "geolocation 'self' https://yourdomain.com" always;
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=();";
add_header X-Powered-By "Whatever text you want to appear here" always;
add_header Access-Control-Allow-Origin "https://yourdomain.com" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always;

    Note, that https://yourdomain.com should be changed to reflect your actual domain. This is just a placeholder to demonstrate how the headers need to be structured.

    Restart Apache or NGINX, and then perform the test again.


    That’s better !

    More detail around these headers can be found here

    https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache

    Author of OGProxy, Swatch, Threaded, Card, and most of Sudonix's bugs…

    1

Related Topics
  • Madchatthewundefined

    Network Security Monitoring

    Learning
    7
    3 Votes
    7 Posts
    183 Views
    Madchatthewundefined

    @phenomlab I will check those out. Thanks for sharing. I appreciate it!

  • DownPWundefined

    ProtonMail Complied with 5,957 Data Requests in 2022 – Still Secure and Private?

    Privacy
    8
    12 Votes
    8 Posts
    451 Views
    phenomlabundefined

    @crazycells good question. Gmail being provided by Google is going to be one of the more secure by default out of the box, although you have to bear in mind that you can have the best security in the world, but that is easily diluted by user decision.

    Obviously, it makes sense to secure all cloud based services with at least 2fa protection, or better still, biometric if available, but email still remains vastly unprotected (unless enforced in the sense of 2fa, which I know Sendgrid do) because of user choice (in the sense that users will always go for the path of least resistance when it comes to security to make their lives easier). The ultimate side effect of taking this route is being vulnerable to credentials theft via phishing attacks and social engineering.

    The same principle would easily apply to Proton Mail, who also (from memory) do not enforce 2fa. Based on this fact, neither product is more secure than the other without one form of additional authentication at least being imposed.

    In terms of direct attack on the servers holding mail accounts themselves, this is a far less common type of attack these days as tricking the user is so much simpler than brute forcing a server where you are very likely to be detected by perimeter security (IDS / IPS etc).

  • phenomlabundefined

    ION brings clients back online after ransomware attack

    Blog
    12
    +0
    9 Votes
    12 Posts
    582 Views
    phenomlabundefined

    @crazycells said in ION brings clients back online after ransomware attack:

    you know, they believe the world revolves around them

    Haha, yes. And they invented s*x.

  • phenomlabundefined

    TikTok fined £12.7m for misusing children's data

    Discussion
    4
    4 Votes
    4 Posts
    308 Views
    JACundefined

    @phenomlab said in TikTok fined £12.7m for misusing children’s data:

    Just another reason not to use TikTok. Zero privacy, Zero respect for privacy, and Zero controls in place.

    https://news.sky.com/story/tiktok-fined-12-7m-for-data-protection-breaches-12849702

    The quote from this article says it all

    TikTok should have known better. TikTok should have done better

    They should have, but didn’t. Clearly the same distinct lack of core values as Facebook. Profit first, privacy… well, maybe.

    Wow, that’s crazy! so glad I stayed away from it, rotten to the core.

  • phenomlabundefined

    Why you should never neglect physical security

    Blog
    1
    0 Votes
    1 Posts
    322 Views
    No one has replied
  • phenomlabundefined

    Security, Or Just Obscurity?

    Blog
    1
    +0
    0 Votes
    1 Posts
    327 Views
    No one has replied
  • phenomlabundefined

    Changing Passwords Regularly Actually Weakens Security

    Blog
    1
    0 Votes
    1 Posts
    450 Views
    No one has replied
  • phenomlabundefined

    Surface Web, Deep Web, And Dark Web Explained

    Blog
    3
    0 Votes
    3 Posts
    489 Views
    phenomlabundefined

    @justoverclock yes, completely understand that. It’s a haven for criminal gangs and literally everything is on the table. Drugs, weapons, money laundering, cyber attacks for rent, and even murder for hire.

    Nothing it seems is off limits. The dark web is truly a place where the only limitation is the amount you are prepared to spend.