
Securing your webserver against common attacks

Blog

    It surprises me (well, actually dismays me in most cases) that new websites appear online all the time whose owners have clearly spent an inordinate amount of time on cosmetics and decent hosting, yet have failed to address the elephant in the room: securing the site itself. Almost every time I run a quick check with something as simple as

    https://securityheaders.io

    the result looks something like this:

    Not a pretty sight. Not only does this leave your site without the browser-side protections these headers provide (against clickjacking, MIME-type sniffing, mixed content and protocol downgrade, among others), it also looks bad when someone else decides to run the same simple, and very public, check. Worse still is the sheer number of so-called “security experts” who claim to solve all of your security issues with their “silver bullet” solution (sarcasm intended), yet have neglected to get their own house in order. So what can you do to resolve this? It is actually much easier than it seems. Depending on the web server you are running, you can add the headers below. Bear in mind that these headers are a defence-in-depth layer enforced by the browser; they complement, rather than replace, fixing vulnerabilities in the site itself.

    Apache

    <IfModule mod_headers.c>
        # "always" applies the header to every response, including errors (4xx/5xx);
        # a plain "Header set" covers only successful (2xx) responses.
        Header always set X-Frame-Options "SAMEORIGIN"
        # The XSS auditor has been removed from modern browsers and caused its own
        # information leaks; "0" disables it. Drop the header entirely if you prefer.
        Header always set X-XSS-Protection "0"
        Header always set X-Download-Options "noopen"
        Header always set X-Content-Type-Options "nosniff"
        # Only upgrades http:// subresources to https://; it restricts no script
        # sources, so it is not an XSS mitigation on its own.
        Header always set Content-Security-Policy "upgrade-insecure-requests"
        Header always set Referrer-Policy "no-referrer"
        # Legacy name for Permissions-Policy. Note the two disagree on geolocation
        # (allowed for 'self' here, denied below); settle on one policy.
        Header always set Feature-Policy "geolocation 'self' https://yourdomain.com"
        Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
        Header always set X-Powered-By "Whatever text you want to appear here"
        # Unnecessary for same-origin pages; never use "*" on authenticated content.
        Header always set Access-Control-Allow-Origin "https://yourdomain.com"
        Header always set X-Permitted-Cross-Domain-Policies "none"
        # Two years, including subdomains. Add "preload" only if you will submit
        # the domain to the browser preload list; it is very hard to undo.
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    </IfModule>
    

    NGINX

    # Place these in the server block. add_header is inherited by a location
    # only if that location has no add_header of its own, so a single
    # add_header inside a location silently drops all of these for that path.
    # "always" adds the header to error responses too.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy filter, removed from modern browsers; "0" disables it.
    add_header X-XSS-Protection "0" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Upgrades http:// subresources only; not a script-source policy.
    add_header Content-Security-Policy "upgrade-insecure-requests" always;
    add_header Referrer-Policy "no-referrer" always;
    # Legacy name for Permissions-Policy; the two disagree on geolocation.
    add_header Feature-Policy "geolocation 'self' https://yourdomain.com" always;
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()" always;
    # add_header cannot remove a header the backend already sends; use
    # proxy_hide_header or fastcgi_hide_header X-Powered-By for that.
    add_header X-Powered-By "Whatever text you want to appear here" always;
    # Unnecessary for same-origin pages; never use "*" on authenticated content.
    add_header Access-Control-Allow-Origin "https://yourdomain.com" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    # Add "preload" only if you will submit the domain to the browser preload list.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    

    Note that https://yourdomain.com must be changed to your actual domain; it is only a placeholder to show how the headers need to be structured.

    Check the configuration first (apachectl configtest or nginx -t), reload or restart Apache or NGINX, and then run the test again.


    That’s better!

    More detail around these headers can be found here

    https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache
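If you would rather not depend on a third-party scanner, the same check can be run from the command line. The script below is an added example and is not part of the original post: it fetches the response headers of a site with curl (following the http to https redirect so the final response is what gets audited), reports each of the headers configured above as OK, WEAK or MISSING, flags an HSTS max-age below the one-year minimum the preload list requires, and lists Server and X-Powered-By values for information. The embedded sample response is constructed for the demonstration, and https://yourdomain.com is the post's placeholder. It assumes curl, awk, sed and tr are available.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: a command-line equivalent of
# the securityheaders.io check. Run with a URL to audit a live site, or with
# no arguments to audit the constructed sample response below.

# Response headers the post configures and that a scan should find.
EXPECTED_HEADERS="strict-transport-security content-security-policy \
x-content-type-options x-frame-options referrer-policy permissions-policy"

# Constructed sample response (the "after" state). The first block is the
# http -> https redirect that curl -L follows; only the last block is audited.
SAMPLE_RESPONSE='HTTP/1.1 301 Moved Permanently
Location: https://yourdomain.com/

HTTP/2 200
server: nginx
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
content-security-policy: upgrade-insecure-requests
referrer-policy: no-referrer
permissions-policy: geolocation=(), camera=(), payment=()
x-powered-by: Whatever text you want to appear here'

# Headers only (-I), following redirects (-L) so the final https response is
# what gets audited; HSTS is only meaningful on that one.
fetch_headers() {
    curl -sSIL --max-time 15 "$1"
}

# Print the max-age seconds from an HSTS value, or 0 if it has none.
hsts_max_age() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | grep . || echo 0
}

# Read raw HTTP response headers on stdin and report each expected header as
# OK, WEAK or MISSING. Returns non-zero if anything is missing or weak.
audit_headers() {
    local block name value missing=0
    # Keep only the last header block (one per redirect hop), drop CRs, and
    # normalise every "Name: value" line to a lowercase name.
    block=$(tr -d '\r' | awk 'BEGIN { RS = "" } { last = $0 } END { print last }' |
        awk '{ i = index($0, ":"); if (i > 1) { v = substr($0, i + 1); sub(/^[ \t]+/, "", v);
               printf "%s: %s\n", tolower(substr($0, 1, i - 1)), v } }')
    for name in $EXPECTED_HEADERS; do
        value=$(printf '%s\n' "$block" |
            awk -v n="$name" '{ i = index($0, ": "); if (substr($0, 1, i - 1) == n) { print substr($0, i + 2); exit } }')
        if [ -z "$value" ]; then
            printf 'MISSING  %s\n' "$name"; missing=1
        elif [ "$name" = strict-transport-security ] && [ "$(hsts_max_age "$value")" -lt 31536000 ]; then
            # The browser preload list requires a max-age of at least one year.
            printf 'WEAK     %s: %s (max-age below one year)\n' "$name" "$value"; missing=1
        else
            printf 'OK       %s: %s\n' "$name" "$value"
        fi
    done
    # Informational: headers that advertise the software stack behind the site.
    printf '%s\n' "$block" | awk '$1 == "server:" || $1 == "x-powered-by:" { print "INFO     " $0 }'
    return $missing
}

if [ $# -gt 0 ]; then
    fetch_headers "$1" | audit_headers
else
    printf '%s\n' "$SAMPLE_RESPONSE" | audit_headers
fi
```

Run it as `./check-headers.sh https://yourdomain.com` before and after reloading the web server; a non-zero exit status means at least one header is missing or weak, which makes it easy to wire into a deployment pipeline. Because only the last header block is inspected, a site that still answers on plain http without redirecting will be audited on that insecure response, which is itself a finding worth fixing.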

