A simple curl query can show the site's headers:
Code:
$ curl -I http://undertowgames.com
HTTP/1.1 200 OK
Set-Cookie: mediaplanBAK=R129205185; path=/; expires=Thu, 05-Apr-2018 12:18:49 GMT
Date: Thu, 05 Apr 2018 11:20:43 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: mediaplan=R20449423907; path=/; expires=Thu, 05-Apr-2018 12:18:49 GMT
Server: Apache
X-Powered-By: PHP/5.6.32
X-Pingback: http://undertowgames.com/xmlrpc.php
Link: <http://undertowgames.com/>; rel=shortlink
Vary: Accept-Encoding
X-IPLB-Instance: 17339
In /etc/apache2/sites-enabled/whateversite.conf or /etc/apache2/conf-enabled/security.conf, add this in the VirtualHost directive to enable HTTP Strict Transport Security (HSTS); this will force the user to use HTTPS and not HTTP:
Code:
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
# ServerTokens is only valid in the main server config (e.g. security.conf), not inside <VirtualHost>
ServerTokens Prod
# SecServerSignature needs mod_security and only overrides the banner when ServerTokens is Full
SecServerSignature undertowgames
add also the secure headers
Code:
# no colon after the header name in the Header directive
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "DENY"
Header set X-XSS-Protection "1; mode=block"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Referrer-Policy "strict-origin"
You also need to remove the PHP version: edit your php.ini configuration and set expose_php to Off.
Code:
;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header). It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; http://php.net/expose-php
expose_php = Off
https://www.owasp.org/index.php/OWASP_S ... rs_Project
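To verify the changes above from the outside, the following script (an added example, not code from the original post) audits a captured header block the way one would read the curl output by hand: it reports each of the six headers from the post that is absent, flags an X-Powered-By header (removed by expose_php = Off), and flags a Server header that still carries a version (ServerTokens Prod reduces it to the bare product name). The two header samples are constructed for the example; the "before" one mirrors the response shown in the post.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an HTTP response header
# block for the hardening the post describes. Header lines are read from stdin,
# so the same function works on a live `curl -sI https://<your-site>/ | audit_headers`
# and on the constructed samples below.

# Headers the post's Apache configuration adds; a finding is raised for each one missing
WANTED_HEADERS="Strict-Transport-Security X-Content-Type-Options X-Frame-Options X-XSS-Protection X-Permitted-Cross-Domain-Policies Referrer-Policy"

# audit_headers: print one line per finding, then FINDINGS=<count>
audit_headers() {
    # normalise: strip CR, lower-case everything so header names match case-insensitively
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    count=0
    for name in $WANTED_HEADERS; do
        lc=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$hdrs" | grep -q "^$lc:"; then
            printf 'MISSING %s\n' "$name"
            count=$((count + 1))
        fi
    done
    # expose_php = Off removes X-Powered-By entirely; any occurrence is a leak
    if printf '%s\n' "$hdrs" | grep -q '^x-powered-by:'; then
        printf 'LEAK    X-Powered-By is present\n'
        count=$((count + 1))
    fi
    # ServerTokens Prod leaves "Server: Apache"; a slash means a version is still sent
    if printf '%s\n' "$hdrs" | grep -q '^server:.*/'; then
        printf 'LEAK    Server header carries a version\n'
        count=$((count + 1))
    fi
    printf 'FINDINGS=%s\n' "$count"
}

# count_findings: same audit, emitting only the number (handy for scripts)
count_findings() {
    audit_headers | sed -n 's/^FINDINGS=//p'
}

# Constructed sample 1: the unhardened response shown in the post
BEFORE='HTTP/1.1 200 OK
Date: Thu, 05 Apr 2018 11:20:43 GMT
Content-Type: text/html; charset=UTF-8
Server: Apache
X-Powered-By: PHP/5.6.32
Vary: Accept-Encoding'

# Constructed sample 2: what the same server should answer after the changes
AFTER='HTTP/1.1 200 OK
Date: Thu, 05 Apr 2018 11:20:43 GMT
Content-Type: text/html; charset=UTF-8
Server: Apache
Strict-Transport-Security: max-age=15768000
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin
Vary: Accept-Encoding'

echo "--- before hardening ---"
printf '%s\n' "$BEFORE" | audit_headers
echo "--- after hardening ---"
printf '%s\n' "$AFTER" | audit_headers
```

Run the live check against the https:// URL, not the http:// one: browsers ignore a Strict-Transport-Security header received over plain HTTP, so a header that only shows up on the HTTP response gives no protection.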