- One suggestion for the http -> https redirection:
- Instead of redirecting http -> https, serve https only and send HSTS headers: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
- (more general info about it: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
- For the back-end portion:
- I would add these modifications in your "ssl config" equivalent for apache/nginx/haproxy/etc (ex: ssl.conf in apache):
- SSLHonorCipherOrder on
- SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH
- SSLProtocol all -SSLv2 -SSLv3
- SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
- SSLSessionCacheTimeout 300
- ^ This, together with HSTS, will also get you an A+ on SSL Labs (https://www.ssllabs.com/ssltest/)
- Lastly, check out:
- * the CSP (Content Security Policy) header
- * the XFO (X-Frame-Options) header
- * the X-XSS-Protection header
- * the X-Content-Type-Options header
- All of these are described here: https://wiki.mozilla.org/Security/Guidelines/Web_Security
- Another great scan: https://observatory.mozilla.org/
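As an added example (not part of the original paste), here is how the TLS directives above combine with the HSTS and the four extra headers in one Apache 2.4 HTTPS virtual host; it assumes mod_ssl and mod_headers are enabled, and the hostname, certificate paths and document root are placeholders.

```apache
# Added example, not the paste author's config. Assumes Apache 2.4 with
# mod_ssl and mod_headers enabled (a2enmod ssl headers).

# SSLSessionCache is only valid in server-config scope, so it must sit
# outside any <VirtualHost> block (e.g. in ssl.conf).
SSLSessionCache        shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300

<VirtualHost *:443>
    # placeholder hostname and certificate paths
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # Cipher and protocol settings exactly as listed in the paste.
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH
    SSLProtocol all -SSLv2 -SSLv3

    # HSTS. Browsers only honour this header on an HTTPS response, which is
    # why it belongs in the :443 vhost. "always" makes Apache send it on
    # error responses too; one year max-age plus includeSubDomains is the
    # usual A+ configuration.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # The four headers from the Mozilla web security guidelines. The CSP
    # value is a deliberately strict starting point; loosen it per site.
    Header always set Content-Security-Policy "default-src 'self'"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"

    # placeholder document root
    DocumentRoot /var/www/html
</VirtualHost>
```

After reloading Apache, the SSL Labs and Mozilla Observatory scans linked above will show whether every header and the cipher order are actually being served.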