Site Security
Posted: Thu Apr 05, 2018 11:34 am
I do not know where to post this, so I am just posting it here. I noticed that this site does use HTTPS (SSL certificate issued by Let's Encrypt) but does not enforce it (you can switch between http and https); as we all know, HTTP is not secure. This can be fixed by adding a header to Apache using Strict-Transport-Security. Also, the site does not sanitize the PHP version used; this can be used to make the site vulnerable. You may also want to remove the Apache server header and change it to something different like UndertowGames.
A simple curl query can show the site's headers:
```text
$ curl -I http://undertowgames.com
HTTP/1.1 200 OK
Set-Cookie: mediaplanBAK=R129205185; path=/; expires=Thu, 05-Apr-2018 12:18:49 GMT
Date: Thu, 05 Apr 2018 11:20:43 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: mediaplan=R20449423907; path=/; expires=Thu, 05-Apr-2018 12:18:49 GMT
Server: Apache
X-Powered-By: PHP/5.6.32
X-Pingback: http://undertowgames.com/xmlrpc.php
Link: <http://undertowgames.com/>; rel=shortlink
Vary: Accept-Encoding
X-IPLB-Instance: 17339
```
In /etc/apache2/sites-enabled/whateversite.conf or /etc/apache2/conf-enabled/security.conf, add this inside the VirtualHost directive to enable HTTP Strict Transport Security (HSTS); this will force the user to use HTTPS and not HTTP:
```apache
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
```
To change the server name, edit security.conf:
```apache
# ServerTokens Prod makes Apache send only "Server: Apache" with no version;
# SecServerSignature is a ModSecurity directive that replaces that value.
ServerTokens Prod
SecServerSignature undertowgames
```
You also need to prevent clickjacking attacks and content sniffing. Add also the secure headers:
```apache
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "DENY"
Header set X-XSS-Protection "1; mode=block"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Referrer-Policy "strict-origin"
```
You need to remove the PHP version: edit your php.ini configuration and set expose_php to Off.
```ini
;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header). It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; http://php.net/expose-php
expose_php = Off
```
Please read the OWASP Secure Headers Project:
https://www.owasp.org/index.php/OWASP_S ... rs_Project
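As an added example (not code from the original post or from the site's operators), here is a small Python audit script that parses a raw response header block, such as the `curl -I` output quoted in the post, and reports which of the post's recommendations are not yet applied: the HSTS header with a max-age of at least 15768000 seconds, the five secure headers, no `X-Powered-By`, and no version string in `Server`. The two header blocks embedded in it are constructed: the first reproduces the listing quoted in the post, the second is a hypothetical response after the Apache and php.ini changes, and its `undertowgames` Server value is an assumption taken from the post's own suggestion.

```python
"""Audit a raw HTTP response header block against the hardening advice in the post:
HSTS, the secure headers, and no Server/X-Powered-By version disclosure."""
from typing import Dict, List, Optional, Tuple

# Headers the post asks for and the value each should carry.
# None means "must be present; the value is checked separately" (HSTS max-age).
EXPECTED_HEADERS: Dict[str, Optional[str]] = {
    "strict-transport-security": None,
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "x-xss-protection": "1; mode=block",
    "x-permitted-cross-domain-policies": "none",
    "referrer-policy": "strict-origin",
}
MIN_HSTS_MAX_AGE = 15768000  # 6 months, the value in the post's Apache snippet


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 response (status line, then headers) into
    (name, value) pairs. Names are lower-cased; repeats (Set-Cookie) are kept."""
    lines = raw.strip().splitlines()
    if not lines or not lines[0].upper().startswith("HTTP/"):
        raise ValueError("expected an HTTP status line first")
    pairs = []
    for line in lines[1:]:
        if not line.strip():
            break  # an empty line terminates the header block
        name, sep, value = line.partition(":")  # only the first colon separates
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age from an HSTS value, or None if absent or not a number."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(num.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_headers(raw: str) -> List[str]:
    """Return one finding per unmet recommendation; an empty list means all pass."""
    present: Dict[str, str] = {}
    for name, value in parse_headers(raw):
        present.setdefault(name, value)  # first occurrence wins
    findings = []
    for name, want in EXPECTED_HEADERS.items():
        if name not in present:
            findings.append(f"missing header: {name}")
        elif want is not None and present[name].lower() != want.lower():
            findings.append(f"unexpected value for {name}: {present[name]!r}")
    hsts = present.get("strict-transport-security")
    if hsts is not None:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append(f"hsts max-age too low or missing: {hsts!r}")
    if "x-powered-by" in present:
        findings.append(f"x-powered-by present: {present['x-powered-by']!r} (set expose_php = Off)")
    server = present.get("server", "")
    if "/" in server or any(ch.isdigit() for ch in server):  # e.g. "Apache/2.4.x"
        findings.append(f"version disclosure in server: {server!r}")
    return findings


# Constructed sample 1: the header block quoted in the post.
OBSERVED = """HTTP/1.1 200 OK
Set-Cookie: mediaplanBAK=R129205185; path=/; expires=Thu, 05-Apr-2018 12:18:49 GMT
Date: Thu, 05 Apr 2018 11:20:43 GMT
Content-Type: text/html; charset=UTF-8
Server: Apache
X-Powered-By: PHP/5.6.32
X-Pingback: http://undertowgames.com/xmlrpc.php
Link: <http://undertowgames.com/>; rel=shortlink
"""

# Constructed sample 2: a hypothetical response after applying the post's changes
# (the Server value "undertowgames" is an assumption, not an observed header).
HARDENED = """HTTP/1.1 200 OK
Date: Thu, 05 Apr 2018 11:20:43 GMT
Content-Type: text/html; charset=UTF-8
Server: undertowgames
Strict-Transport-Security: max-age=15768000
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin
"""

if __name__ == "__main__":
    for label, block in (("observed", OBSERVED), ("hardened", HARDENED)):
        findings = audit_headers(block)
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

To check a live site, paste the output of `curl -I https://example.invalid` into `audit_headers`; the script never makes network requests itself, so it can also be run in CI against recorded responses. A bare `Server: Apache` (what `ServerTokens Prod` yields) is tolerated; only values carrying a slash or digits are reported as version disclosure.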