Strengthening Web Site Security SSL and Security HeadersMany people have stumbled across this site for some of my blog tutorials regarding Let’s Encrypt SSL certificates but there is a lot more to Strengthening Web Site Security. Whilst most people are happy with just having their site running under SSL after successfully figuring out how certbot and Let’s Encrypt works, a lot of people who run wordpress sites often run into issues with web browsers giving warnings that the site is not secure or even getting error like Err_connection_reset

What causes this is plugins and themes that call on external resources that get loaded into your site when somebody visits your page. These external scripts being called could be anything ranging from Google analytics to Fonts that your theme is calling from external resources. What this results in is your site being seen as insecure because of these external resources.

Strengthening Web Site Security is very easy as it only requires you to set up what is called a Content Security Policy (CSP). With wordpress this is as easy as child’s play by using the plugin called WP Content Security Policy. You install this plugin then go to Settings > Content Security Policy Options > turn it onto report only mode, click save and then go clicking through a few pages on your site. Then go back to Settings > Content Security Policy Log and see what external resources have been logged and then create rules as needed. Once you have tested a bit more you can then turn it on into “Yes Enforce Policies” and then keep a check on the log file over the next few days to see that nothing else pops up. Also every time you update or add a plugin or switch theme you will need to review your content security policy.

What a Content Security Policy does is tell a browser what external resources can be loaded within your site without being regarded and Non-Secure Origins. It’s an essential part of good security especially when it comes to SSL.

But Strengthening Web Site Security does not stop there as there are additional server headers that need to be implemented to prevent cross browser sniffing, people loading parts of your site with a frame in their site and what is called an XSS header which prevents cross scripting attacks from browsers and then also a strict transport security header called HSTS.

To check the current status of your site’s security headers simply visit a very great tool called SecurityHeaders.io type in your domain name including https:// and see the result. You will probably initially see a big nasty red F … don’t shit yourself because with the CSP and the following Nginx rules it will take you a few minutes to score an A.

For Nginx you simply add the following lines within a server {} block on your site’s conf file, reload nginx and your are done. Go and retest and you will see a much nicer message.

# Add X Headers
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
# Add the Strict Transport Security Header
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

A word of caution, be happy with a score of A and do not try and chase getting an A+. An A+ score requires public key pinning on your domain HPKP but this is not supported by Let’s Encrypt and even though some people have found ways of making it work they often run into problems with signing issues and some people have bricked their domain names completely making them unusable forever. So be happy with A.

QUESTION: Does this make my web site ultra secure? Well yes it does add some very necessary security headers to your web site’s configuration but security does not stop here. These headers in combination with a strong 4096 bit SSL certificate that is correctly configured on your web server with the correct ciphers and known attack types like Poodle and Beast blocked is already a big step in the right direction of a secure web site. There are many other levels of security that can be run on the server side to even further strengthen your server and web site security. One day soon I will put together a thoroughly complete step by step guide on setting up an Nginx server with WordPress, SSL, Fail2Ban, IPTables, Security Headers and more.

You will astounded to know that some of the biggest sites in the world even some banks and secret security agencies around the world score an F so if you can get an A you can be happy that your site is more secure than …. hmmm … lets say the CIA ? or FBI ? and how about British Intelligence MI5 ?? ….. see below. a bit shocking (horrifying to be more precise) that organizations like these seem to know diddly squat about Strengthening Web Site Security but probably have some very highly paid geniuses with university degrees who think they know what they are doing.

strengthening web site security

strengthening web site security

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.