Website security resources
Some topics on this page
- Account security
- ';--have i been pwned? to check if you have an email account that has been compromised in a data breach or, more likely nowadays, how many times an email account has been compromised. An incentive to use 2FA on as many accounts as possible.
- CentOS 7hardening guide from the Lisenet blog, September 2017.
- Microsoft Password Guidance guidance from a team looking at a million attacks a day.
- NIST Digital Identity Guidelines from 2017.
- NIST Digital Identity Guidelines, SP800-63, July 2017. Part of suite of related publications available as PDF and also on GitHub
- Passwords Evolved: Authentication Guidance for the Modern Era by Troy Hunt from July 2017.
- Password reuse, credential stuffing and another billion records in Have I been pwned by Troy Hunt from May 2017.
- User account authorisation and management best practices from the Google Cloud Platform Blog, January 2018.
- Basic Authentication tutorials for Nginx on Ubuntu 14.04 and on CentOS 7 tutorials on DigitalOcean.
- Certificate Transparency monitoring by Facebook includes a free subscription service to be notified of certificates issued on nominated domains.
- CertSimple 2017 guide to HTTP/2 on Nginx includes fail-over, proxy and IPv6.
- Content Security Policy (CSP)
- CSP can offer protection against some Cross-Site Scripting (XSS) attacks and provides an assertion of asset sources. It is defined by the W3C and v1.0 is described in the latest editor’s draft of Content Security Policy 1.0. CSP rules can be set in .htaccess. Remember to check the CSP rules whenever referencing resources in a different way or of a different type than previously tested. For example, adding an embedded or inline style to a page will fail unless unsafe-inline styles are allowed. Remember, too, to avoid tab characters in CSP rules and to check rule validity both by using the report-uri facility and by using the F12 console available in major browsers.
- Google provides a CSP evaluation tool.
- Nicolas Hoffmann has an introduction to CSP levels 1 and 2 in a article for Smashing Magazine. It includes code for processing CSP reports locally.
- Practical CSP level 2 practice is discussed in the webkit blog article a refined CSP, especially with regard to script and wildcard.
- Scott Helme provides the useful report-uri.io CSP, Expect-CT and HPKP reporting service that aggregates CSP and HPKP reports from many of ones web sites. His website also has tutorials on Expect-CT (Certificate Transparency) headers, and accessing CT logs, including accessing CT log entries via https://crt.sh/.
- CPU cost of TLS encryption is demonstrated in a Cloudflare blog post from December 2017.
- CSRF mitigation and prevention in Cross-Site Request Forgery is dead! by Scott Helme in .
- Digital Ocean security tutorials.
- GDPR needs to be understood by any processor or storer of data on EU citizens. The UK ICO has a useful set of articles on Digital Leaders from Decmber 2017, starting with GDPR – sorting the fact from the fiction.
- Gixy from Yandex. A
Python script for static analysis of nginx conf file. Usually installed by
pip install gixy. On CentOS, pip is installed by, for example,
yum install python-pip.
- Google Security Design.
- How widely used are security-based HTTP response headers? A review by Scott Helme. Includes a link to his free securityheaders.io website-testing service that reports on the (non-)use of security-related HTTP headers by specified sites. On a related theme, Josh Buchea has collected a list of everything that goes in an HTML document head. Joshua Hibbert has a sample <head> section. AppCanary published a summary list of HTTP security headers in . The headers we don't want is by Andrew Betts from 10 May 2018. How To Secure Your Web App With HTTP Headers is an article by Hagay Lupesko.
- HTTP security report by Stefán Orri Stefánsson provides a succinct summary score for security settings on a site together with suggestions for improving the score and a report on the scores of top web sites.
- Referrer Policy and
rel=can be used to tune actions on links.
rel=nofollowis well-known as a way to avoid passing on “link juice”.
rel=noreferrersuppresses the HTTP referer [sic] header. However, it also sets window.opener to null when opening a link. This mitigates some security risks if links open a new navigation content (e.g. by using
target="_blank"). If the HTTP referer header should be sent then window.opener can be set to null by using
rel=noopener, introduced in Chromium 49. There is a demo of the problem
rel=noopeneraddresses. In a related article Jake Archibald shows how using rel-"noopener" can avoid a performance hit. For more on the referer header, see Everything you could ever want to know (and more) about controlling the Referer header by Neil Jenkins . Referrer policy can be used to hide confidential information on the referrer from a target website. Referrer Policy is intended to be a W3C recommendation and Referrer Policy is supported by most browsers.
- Peter Mosmans’ OpenSSL github repository, merges additional ciphers and features into OpenSSL.
- security.txt specification.
- TLS and X.509 Certificates
In addition to the security benefits of HTTPS, most new browser features require HTTPS. For example, Web Workers or the use of a microphone require HTTPS; all implementations of HTTP/2 use HTTPS. For more, see on W3C documents in Secure Contexts. Support of HTTP/2 is not yet complete. Server push is not widely available or handled well in developer tools. Tools that provide support may need special configuration, for example Wireshark is discussed in a blog article on Implementing HTTP/2 in Production Environments by Clay Smith on . Other tools may need rebuilding ahead of most distributions, for example to have curl with HTTP/2 support is described in a serversforhackers.com article from . One benefit of HTTP/2 workflow is the reduction in need for resource concatenation. However, whilst concatenating resources may not be needed as much as with HTTP/1.x, the impact of servicing more requests on servers is yet to be fully evaluated. These issues are illustrated in Rebecca Murphey’s talk at dotJS on .
- AIA to obtain certificate chain presents a bash script to use the AIA field in a certificate. The link is to a comment on an article in LWN and may not be public.
- Certificate security recommendations from cipherli.st for applications including nginx, openssh client and server, postfix, exim, dovecot. proftpd.
- Certificate Transparency is being proposed from October 2017 by Google in a post from .
- Doing the ChaCha with Nginx. Guidance from by Scott Helme on building Nginx from source with ChaCha20-Poly1305, Brotli and PageSpeed.
- Diffie Hellman for TLS recommendations at weakdh.org provide guidance on disabling Export Cipher Suites, deploying Ephemeral Elliptic-Curve Diffie-Hellman (ECDHE) and using a strong Diffie Hellman Group. Includes an online site testing tool. Using only modern, secure cipher suites is good practice but may need to be balanced against accessibility from older clients. If older cipher suites are supported they must be as a last resort.
- DHE ciphers were removed in Chrome 53.
- Elliptic Curve lecture notes by Andrew Sutherland, MIT 18.783, 2015.
- HPKP was a valiant attempt to prevent rogue certificates for a domain being used. However, it was a risky strategy that never gained traction. Support was removed from Chrome in mod-2018. Useful articles about it included HPKP done right by Johannes Ullrich at SANS ISC from ; setting up HPKP by Scott Helme; and HPKP header generation script by Hanno Böck, who also wrote a pair of LWN.net articles on TLS certificate issues in .
- HSTS on NGINX, a helpful blog post from NGINX that has pointers for other security headers.
- HSTS Preload submission. All HTTPS sites should be using HSTS. Those that are, including for subdomains, can apply to be in Chrome’s list of sites to be connected to using HTTPS from the first request. For more on this, read Troy Hunt’s blog post of and the Google report of on HSTS preload take-up and its implications by Lucas Garron. In Google announced that they were bringing HSTS to www.google.com.
- HTTP to HTTPS migration for free by Andrea Pernici on semrush.com, .
- Mozilla project recommendations for server-side TLS settings.
- Let’s Encrypt provides free TLS certificates for websites. EFF provide the certbot script for automatic deployment. digitalgov has an article on setting up multi-domain certs with Let’s Encrypt. acme.sh is a shell script implementing ACME.
- NGINX configuration optimisation for HTTP/2 from by Leandro Moreira.
- On Web-Security and -Insecurity is a blog on recent research on web security and related topics. Provided and maintained by members and friends of the Chair for Network and Data Security, Horst Görtz Institute, Ruhr-University Bochum. Has particularly useful information on TLS, OpenSSL and Elliptic Curve Cryptography.
- SHA-1 is deprecated for certificate signing other than for root certificates in the browser certificate store. All the certificate providers I use replaced SHA-1 certificates without charge. SHA-1 deprecation has been visible in Chrome since , depending on certificate expiry date. Microsoft also proposed action to take effect in 2016.
- TLS 1.3 with OpenSSL.
- TLS tuning using NGINX suggestions by Hayden James from June 2018.
- Using OpenSSL to Create Certificates and set up your own CA. By Rui Figueiredo, .
- TLS tests for checking site communication security:
- Some tests can be run locally. For example, to check OCSP:
openssl s_client -connect <servername>:443 -status | grep -A 20 OCSP.
- BadSSL.com client TLS tests.
- Comodo SSL analyser
- Hardenize uses a variety of tools to ascertain domain security, includes email and web.
- How’s my SSL? checks client use of TLS.
- SSLyze analyses TLS sites. A project by Alban Diquet, hosted on GitHub.
- Manual testing for TLS weaknesses by Michael Skiba from using, for example, openssl and nmap scripts.
- SSL Labs, including server and client TLS tests, Also available are a dev version of the server TLS tester and an explanation of the 2018 SSL Labs grading rules.
- Some tests can be run locally. For example, to check OCSP:
- VirusTotal offers a free file, URL testing service against a wide range of virus checkers and blacklists. Operated by Chronicle, part of Alphabet.
- Web developer checklist by Michael O’Brien from May 2017.
Yes, this is an internet protocol not a web protocol but, as it is widely used for web server maintenance, …