Untitled

a guest
Jul 29th, 2017
One suggestion for the http -> https redirection:

Instead of redirecting http -> https, serve HTTPS only and send HSTS headers: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

(more general info about it: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)

For the back-end portion:

I would add these modifications in your "ssl config" equivalent for apache/nginx/haproxy/etc (ex: ssl.conf in apache; Apache only allows comments on their own lines, so the explanations below are kept separate from the directives):

# Prefer the server's cipher order over the client's
SSLHonorCipherOrder on
# Strong ciphers only: drop anonymous/null suites, static ECDH, RC4, 3DES, Camellia, MD5, PSK/SRP/Kerberos, then sort by strength
SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH
# Disable SSLv2 and SSLv3, leaving only TLS
SSLProtocol all -SSLv2 -SSLv3
# Shared-memory session cache (512 KB) with a 300-second timeout
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300

^ This config, together with HSTS, will also get you an A+ on SSL Labs (https://www.ssllabs.com/ssltest/)

Lastly, check out:

* the CSP (Content-Security-Policy) header
* the XFO (X-Frame-Options) header
* the X-XSS-Protection header
* the X-Content-Type-Options header

All of these are described here: https://wiki.mozilla.org/Security/Guidelines/Web_Security

Another great scan: https://observatory.mozilla.org/
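To verify that a server actually sends the HSTS and hardening headers listed above, here is an added example (not part of the original paste): a small Python audit that parses Strict-Transport-Security and checks the other four headers against two constructed sample responses. The one-year max-age threshold, the expected header values and the sample responses are this example's own assumptions, not anything from the paste.

```python
"""Audit HTTP response headers for HSTS and the browser-hardening headers
listed above. Added example, not from the original paste; the threshold
and expected values below are assumptions of this example."""
from __future__ import annotations

# Assumed policy: one year of HSTS is the commonly recommended minimum.
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value into its directives.

    Directives are ';'-separated and case-insensitive.
    Example result: {"max-age": 31536000, "includesubdomains": True}.
    """
    result: dict = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result[name] = int(arg.strip().strip('"'))
            except ValueError:
                result[name] = None  # malformed max-age, reported by the audit
        else:
            result[name] = True  # flag directives such as includeSubDomains
    return result


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    # Header names are case-insensitive, so normalise them once.
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = parse_hsts(hsts)
        max_age = d.get("max-age")
        if max_age is None:
            findings.append("HSTS max-age missing or malformed")
        elif max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    xcto = h.get("x-content-type-options", "").strip().lower()
    if xcto != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    xss = h.get("x-xss-protection", "").replace(" ", "").lower()
    if xss != "1;mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")

    return findings


# Constructed sample responses (not captured from any real server).
WEAK_HEADERS = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
}

HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        findings = audit_headers(hdrs)
        print(f"{label}: {'OK' if not findings else 'findings:'}")
        for finding in findings:
            print("  -", finding)
```

Feed it the headers of a real response (for example the dict from `requests.head(url).headers`) and it reports the same gaps the Mozilla Observatory scan would flag. Note that current browsers have dropped support for X-XSS-Protection; the check is kept here only because the paste lists that header.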