From F to A+: how to get a high score in a website security evaluation
A website security evaluation is security testing and risk assessment applied to a website. diogomonica.com is a static blog generated with Jekyll, but even for a site like this, running it through SSL Labs, Security Headers and similar scanners always turns up something interesting. Last week, when I checked the site with securityheaders.io, the result was an F. For the security engineer responsible for a website, that is embarrassing. Although my blog does not strictly need these advanced security headers, I decided to bring its rating up to A+.

What are these headers? Before we turn the red warning boxes into the more comfortable green ones, you need to understand not only what each header does, but why your pages should carry it:

- Content-Security-Policy (CSP): lets a website define a policy for where JavaScript, CSS and images may be loaded from, including external domains, in order to prevent XSS and other cross-site injection attacks.
- X-Content-Type-Options: stops Internet Explorer and Google Chrome from MIME-sniffing a response into a type other than its declared Content-Type.
- X-Frame-Options: protects against clickjacking.
- X-XSS-Protection: does very little; modern browsers enable their XSS filter by default.
- Strict-Transport-Security (HSTS): makes the browser always use HTTPS when connecting to a given domain. An attacker cannot downgrade such connections, and users cannot click through TLS warnings.
- Public-Key-Pins (HPKP): makes the browser bind a given domain to a specified public key, so an attacker who obtains a certificate for the domain from another certificate authority cannot use it.
Let's start with the simplest fixes. There is not much of interest in configuring the next three headers: changing them is unlikely to break your web application, and if it does, the cause is easy to find. My site is served by nginx, so I add add_header directives to its configuration file:
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
There are not many choices for the values of these three headers; Mozilla's documentation describes the options. HSTS and CSP are different. If the CSP policy you deploy is too strict, the browser may refuse to load any content and users will be unable to open your site. If you deploy an HSTS policy and later turn HTTPS off for your website or web application, nobody can reach it at all. Since I always serve the site over TLS, I enabled HSTS with max-age set to 7776000 seconds. This tells browsers that for the next three months they may only reach diogomonica.com over HTTPS:
add_header Strict-Transport-Security max-age=7776000;
Another important HSTS parameter is includeSubDomains. I left it off, because it is usually what bites you when some subdomain is still served without HTTPS. If you are certain that every subdomain of the site uses HTTPS, you should enable it.

CSP has two modes of operation: enforce and report-only. With the Content-Security-Policy header, CSP enforces the policy; with Content-Security-Policy-Report-Only, it only reports violations. CSP policies are complex, so it is best to start in report-only mode: it shows you what needs to be fixed before you switch to enforcement. You should also read up on the individual CSP directives. In my case nobody has ever complained that the blog does not load, so I went straight to enforce mode and fixed the red boxes one by one with the help of the Chrome developer console. The result:
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' https://ssl.google-analytics.com https://ajax.cloudflare.com; img-src 'self' https://ssl.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; object-src 'none'";
After restarting nginx, securityheaders.io showed the site's new rating.

Getting A+ by enabling HPKP. HPKP works like this: the browser reads the HPKP header and checks whether any of the pins matches the SPKI fingerprint of a certificate in the chain the server presents. You can therefore pin any certificate in the chain, from the leaf up to the root. Next I obtained the SPKI fingerprint for my key. There are several ways to do this; I used openssl against the certificate currently in use:
root@burly:/etc/ssl# openssl x509 -in cloudflare-diogomonica.com.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
bDk6Wbfj83EpcaKgT5WkBfiiml66Tln3DskDJneGBoo=
HPKP is the most dangerous of all these headers. As with HSTS, if something goes wrong (for example, your private key ends up in someone else's hands), users may be unable to reach your site for a period determined by the max-age you set. Like CSP, HPKP also has a Report-Only mode, which lets you test your pins without the risk of locking users out. For more about HPKP, see the blog post by Tim Taubert. As mentioned earlier, since this blog has few readers I went straight to enforce mode and added the new header to the nginx configuration:
add_header Public-Key-Pins 'pin-sha256="bDk6Wbfj83EpcaKgT5WkBfiiml66Tln3DskDJneGBoo="; pin-sha256="E8WztKzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGWooE="; max-age=60';
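To make the mechanism concrete, here is an added Python example (not code from the original post) that computes a pin the same way the openssl pipeline above does, builds and parses a Public-Key-Pins value, and performs the browser's check of a served chain against the remembered pins. The SPKI byte strings are constructed placeholders, not real DER.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures; in
# practice these bytes come from the certificates your server actually serves.
LEAF_SPKI = b"constructed leaf SPKI (not real DER)"
INTERMEDIATE_SPKI = b"constructed intermediate SPKI (not real DER)"
BACKUP_SPKI = b"constructed backup key SPKI (not real DER)"
ROGUE_SPKI = b"constructed key issued by another CA (not real DER)"


def spki_pin(spki_der: bytes) -> str:
    """base64(SHA-256(SPKI DER)): the value the openssl pipeline prints."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def build_hpkp(spkis, max_age: int) -> str:
    """Build the Public-Key-Pins value; always include a backup key's pin."""
    pins = "; ".join(f'pin-sha256="{spki_pin(s)}"' for s in spkis)
    return f"{pins}; max-age={max_age}"


def parse_hpkp(header: str) -> dict:
    """Split the header into its pins, max-age and includeSubDomains flag."""
    pins, max_age, sub = [], 0, False
    for part in (p.strip() for p in header.split(";")):
        if part.startswith("pin-sha256="):
            pins.append(part.split("=", 1)[1].strip('"'))
        elif part.startswith("max-age="):
            max_age = int(part.split("=", 1)[1])
        elif part == "includeSubDomains":
            sub = True
    return {"pins": pins, "max_age": max_age, "includeSubDomains": sub}


def chain_accepted(header: str, chain_spkis) -> bool:
    """The browser's check on a later visit: some certificate in the served
    chain must have an SPKI hash equal to one of the remembered pins."""
    pins = set(parse_hpkp(header)["pins"])
    return any(spki_pin(s) in pins for s in chain_spkis)


if __name__ == "__main__":
    hdr = build_hpkp([LEAF_SPKI, BACKUP_SPKI], max_age=60)
    print(hdr)
    print(chain_accepted(hdr, [LEAF_SPKI, INTERMEDIATE_SPKI]))   # True
    print(chain_accepted(hdr, [BACKUP_SPKI, INTERMEDIATE_SPKI]))  # True: key rotated to backup
    print(chain_accepted(hdr, [ROGUE_SPKI, INTERMEDIATE_SPKI]))  # False
```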
I admit I am being a little cavalier here by setting max-age to 60 seconds, but this is only for testing: it lets me switch the header off again, and if I get a pin wrong I only have to wait a minute before continuing. After reconfiguring all the headers and restarting nginx, the new score is A+.

Getting there looked like a lot of work. Is there a shortcut to an A+? Since securityheaders.io only checks whether the headers are present (it does not even parse their values), the answer is of course "yes":
add_header Strict-Transport-Security max-age=0;
add_header X-Frame-Options "ANYTHINGREALLY";
add_header X-Content-Type-Options anythingreally;
add_header X-XSS-Protection "0";
add_header Content-Security-Policy "default-src *";
add_header Public-Key-Pins max-age=0;
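A presence-only check is fooled by the six lines above; a useful check has to parse the values. The following is an added example (not code from the original post or from the scanner) that applies the minimum each header needs in order to do anything at all. REAL is the post's own configuration and CHEAT is the shortcut above, both embedded as constructed dicts of the kind an HTTP client returns; X-XSS-Protection is left out because, as noted earlier, it does little.

```python
# Constructed header dicts: the post's real nginx configuration and the
# "cheat" set that also scores A+ on a check that only looks at header names.
REAL = {
    "Strict-Transport-Security": "max-age=7776000",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-eval' https://ssl.google-analytics.com https://ajax.cloudflare.com; img-src 'self' https://ssl.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; object-src 'none'",
    "Public-Key-Pins": 'pin-sha256="bDk6Wbfj83EpcaKgT5WkBfiiml66Tln3DskDJneGBoo="; pin-sha256="E8WztKzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGWooE="; max-age=60',
}
CHEAT = {
    "Strict-Transport-Security": "max-age=0",
    "X-Frame-Options": "ANYTHINGREALLY",
    "X-Content-Type-Options": "anythingreally",
    "Content-Security-Policy": "default-src *",
    "Public-Key-Pins": "max-age=0",
}


def params(value: str) -> dict:
    """'max-age=60; includeSubDomains' -> {'max-age': '60', 'includesubdomains': ''}"""
    pairs = (p.strip().partition("=") for p in value.split(";") if p.strip())
    return {k.strip().lower(): v.strip().strip('"') for k, _, v in pairs}


def csp_directives(value: str) -> dict:
    """"default-src 'self'; object-src 'none'" -> {'default-src': ["'self'"], ...}"""
    tokens = (p.split() for p in value.split(";") if p.split())
    return {t[0].lower(): t[1:] for t in tokens}


def findings(headers: dict) -> list:
    """Problems with the header values; an empty list means the policy is real."""
    h = {k.lower(): v for k, v in headers.items()}
    bad = []
    if int(params(h.get("strict-transport-security", "")).get("max-age", "0")) <= 0:
        bad.append("HSTS: max-age must be positive, otherwise HSTS is switched off")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        bad.append("X-Frame-Options: must be DENY or SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        bad.append("X-Content-Type-Options: must be nosniff")
    csp = csp_directives(h.get("content-security-policy", ""))
    for d in ("default-src", "script-src"):  # script-src falls back to default-src
        if "*" in csp.get(d, csp.get("default-src", ["*"])):
            bad.append(f"CSP: {d} allows any origin")
    if "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
        bad.append("CSP: inline scripts allowed, so it does not stop XSS")
    hpkp = h.get("public-key-pins", "")
    if hpkp.count("pin-sha256=") < 2 or int(params(hpkp).get("max-age", "0")) <= 0:
        bad.append("HPKP: needs two or more pins and a positive max-age")
    return bad
```

findings(REAL) returns an empty list, while findings(CHEAT) reports every header as ineffective.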
What about the + in the SSL Labs test? If you are satisfied with an A, Cloudflare will get you there. If you really want an A+, read this article for more information.

Conclusion: unless you have a mature SecOps team behind you, I do not recommend enabling HPKP. Apart from HPKP, you should enable all the headers described above on every website and web application you are responsible for. Remember: while your site's traffic is still small, the configuration is simple. Better early than late, so get going!