Site Security

sora
Dr. Bright's Assistant
Posts: 13
Joined: Tue Sep 26, 2017 12:52 pm

Site Security

Postby sora » Thu Apr 05, 2018 11:34 am

I do not know where to post this, so I am just posting it here. I noticed that this site does use HTTPS (SSL certificate issued by Let's Encrypt) but does not enforce it (you can switch between http and https); as we all know, http is not secure. This can be fixed by adding a Strict-Transport-Security header in Apache. Also, the site does not sanitize the PHP version used; this can be used to make the site vulnerable. You may also want to remove the Apache server header or change it to something different like UndertowGames.
A simple curl query can show the site's headers:


$ curl -I http://undertowgames.com
HTTP/1.1 200 OK
Set-Cookie: mediaplanBAK=R129205185; path=/; expires=Thu, 05-Apr-2018 12:18:49 GMT
Date: Thu, 05 Apr 2018 11:20:43 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: mediaplan=R20449423907; path=/; expires=Thu, 05-Apr-2018 12:18:49 GMT
Server: Apache
X-Powered-By: PHP/5.6.32
X-Pingback: http://undertowgames.com/xmlrpc.php
Link: <http://undertowgames.com/>; rel=shortlink
Vary: Accept-Encoding
X-IPLB-Instance: 17339


You also need to prevent clickjacking attacks, content sniffing

In /etc/apache2/sites-enabled/whateversite.conf or /etc/apache2/conf-enabled/security.conf, add this inside the VirtualHost directive to enable HTTP Strict Transport Security (HSTS); this will force the user to use HTTPS and not HTTP:


# HSTS (mod_headers is required) (15768000 seconds = 6 months)
# Put this in the HTTPS virtual host: browsers ignore HSTS received over plain HTTP
Header always set Strict-Transport-Security "max-age=15768000"


To change the server name, edit security.conf:

# SecServerSignature is a ModSecurity (mod_security2) directive, so the module must be loaded.
# It overwrites the full signature string, so ServerTokens has to be Full for it to take effect;
# without ModSecurity, use "ServerTokens Prod" instead to trim the banner to "Server: Apache".
ServerTokens Full
SecServerSignature undertowgames

add also the secure headers


# mod_headers syntax: the header name is given without a trailing colon
# Stops browsers from MIME-sniffing a response away from its declared Content-Type
Header set X-Content-Type-Options "nosniff"
# Forbids framing the site in any page (clickjacking)
Header set X-Frame-Options "DENY"
# Legacy reflected-XSS filter in older browsers
Header set X-XSS-Protection "1; mode=block"
# No Flash/PDF cross-domain policy files are allowed
Header set X-Permitted-Cross-Domain-Policies "none"
# Send only the origin as referrer, and only when the scheme does not downgrade
Header set Referrer-Policy "strict-origin"



You need to remove the PHP version: edit your php.ini configuration and set expose_php to Off.


;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;

; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; http://php.net/expose-php
expose_php = Off


Please read the OWASP Secure Headers Project
https://www.owasp.org/index.php/OWASP_S ... rs_Project
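The snippets in the post, put together into one Apache virtual host pair as an added example (not the site's real configuration and not from the original post). Two points it makes explicit: HSTS only pins a browser that has already reached the site over HTTPS, so the port-80 host redirects to HTTPS, and the headers live on the port-443 host. The domain, certificate paths and `a2enmod headers ssl` being done are assumptions.

```apache
# Added example; hostnames and certificate paths are assumptions.
# Requires: a2enmod headers ssl

<VirtualHost *:80>
    ServerName undertowgames.com
    # HSTS is ignored on plain http, so a redirect is what moves a first-time
    # visitor onto https; from then on HSTS keeps the browser there.
    Redirect permanent / https://undertowgames.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName undertowgames.com
    SSLEngine on
    # Assumed Let's Encrypt paths
    SSLCertificateFile /etc/letsencrypt/live/undertowgames.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/undertowgames.com/privkey.pem

    # "always" also adds the headers to error responses (4xx/5xx)
    Header always set Strict-Transport-Security "max-age=15768000"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Permitted-Cross-Domain-Policies "none"
    Header always set Referrer-Policy "strict-origin"

    # Belt and braces: expose_php = Off is the real fix, this strips the
    # banner on successful responses if php.ini was missed
    Header unset X-Powered-By
</VirtualHost>
```

After reloading Apache, `curl -I https://undertowgames.com` should show the six headers and no X-Powered-By; `curl -I http://undertowgames.com` should return a 301 to the https URL.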

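To check the result without eyeballing `curl -I` output, here is a small audit script, added as an example and not part of the original post. It parses a raw header block, reports the headers the post asks for when they are missing or wrong, flags the Server and X-Powered-By banners, checks the HSTS max-age against the six-month value used above, and also flags Set-Cookie lines without Secure/HttpOnly (both cookies in the captured response lack them). The first sample is the response the post captured; the "hardened" sample is constructed to show what a clean run looks like.

```python
"""Audit one HTTP response for the header fixes discussed in the post above."""
from __future__ import annotations

# Sample taken from the post: the header block captured with `curl -I`.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: mediaplanBAK=R129205185; path=/; expires=Thu, 05-Apr-2018 12:18:49 GMT
Date: Thu, 05 Apr 2018 11:20:43 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: mediaplan=R20449423907; path=/; expires=Thu, 05-Apr-2018 12:18:49 GMT
Server: Apache
X-Powered-By: PHP/5.6.32
X-Pingback: http://undertowgames.com/xmlrpc.php
Link: <http://undertowgames.com/>; rel=shortlink
Vary: Accept-Encoding
X-IPLB-Instance: 17339
"""
# Constructed sample: what a response should look like once the fixes are applied.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15768000
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin
Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly
"""
# Headers the post recommends, with the values it uses (compared case-insensitively).
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "x-xss-protection": "1; mode=block",
    "x-permitted-cross-domain-policies": "none",
    "referrer-policy": "strict-origin",
}
DISCLOSURE = ("server", "x-powered-by")  # banners that reveal the software stack
MIN_HSTS_AGE = 15768000                   # six months, the value the post uses

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split raw `curl -I` output into (name, value) pairs; names are lower-cased,
    repeated headers such as Set-Cookie are kept as separate entries."""
    lines = raw.strip().splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: missing status line")
    pairs = []
    for line in lines[1:]:
        if not line.strip():  # blank line terminates the header block
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def hsts_max_age(value: str) -> int | None:
    """Return max-age from an HSTS value, or None when it is absent or not an integer."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None

def audit(raw: str, over_tls: bool) -> list[str]:
    """Return findings for one response. over_tls says whether it came over https:
    browsers only honour HSTS on https responses, so over http its absence is expected."""
    headers = parse_headers(raw)
    first = {n: v for n, v in reversed(headers)}  # reversed: keep the first occurrence
    findings = []
    for name, want in EXPECTED.items():
        got = first.get(name)
        if got is None:
            findings.append(f"missing {name} (expected {want!r})")
        elif got.lower() != want.lower():
            findings.append(f"{name} is {got!r}, expected {want!r}")
    for name in DISCLOSURE:
        if name in first:
            findings.append(f"{name} discloses {first[name]!r}")
    hsts = first.get("strict-transport-security")
    if over_tls and hsts is None:
        findings.append("missing strict-transport-security")
    elif over_tls and (hsts_max_age(hsts) or 0) < MIN_HSTS_AGE:
        findings.append(f"strict-transport-security max-age below {MIN_HSTS_AGE}: {hsts!r}")
    elif not over_tls and hsts is not None:
        findings.append("strict-transport-security sent over plain http (browsers ignore it)")
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            lacking = [flag for flag in ("secure", "httponly") if flag not in attrs]
            if lacking:
                findings.append(f"set-cookie {cookie} lacks {', '.join(lacking)}")
    return findings

if __name__ == "__main__":
    for label, raw, tls in (("captured", SAMPLE_RESPONSE, False), ("hardened", HARDENED_RESPONSE, True)):
        print(f"== {label} ==", *(audit(raw, tls) or ["no findings"]), sep="\n - ")
```

Run it against a live capture by piping `curl -sI https://host/` into a file and passing the text to `audit(..., over_tls=True)`; on the captured sample it reports nine findings (five missing headers, two banners, two cookies), on the hardened sample none.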