Secure HTTP settings
Aside from TLS settings there are a few things we could improve.
I would suggest these Apache settings on all web hosts:
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
We could update /etc/apache2/conf-enabled/security.conf via Ansible (even if Apache is not yet managed).
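A small checker for the three headers proposed above, added here as an example and not part of the ticket or its deployment: it parses a raw HTTP response header block, checks X-Content-Type-Options and X-Frame-Options, and verifies that the HSTS max-age is at least the proposed 63072000 seconds with includeSubDomains and preload present. The sample response is constructed; no real host is contacted.

```python
# Added example: verify that a response carries the proposed Apache headers.
# Standard library only; the sample header block at the bottom is constructed.

REQUIRED_MAX_AGE = 63072000  # two years, the value proposed in the ticket


def parse_headers(raw):
    """Map lower-cased header names to values; skips the status line."""
    hdrs = {}
    for line in raw.splitlines():
        name, sep, val = line.partition(":")
        if sep:
            hdrs[name.strip().lower()] = val.strip()
    return hdrs


def parse_hsts(value):
    """Split an HSTS value such as 'max-age=1; includeSubDomains' into a dict."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def check_headers(raw):
    """Return a list of findings; an empty list means all three headers match."""
    hdrs = parse_headers(raw)
    findings = []
    if hdrs.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if hdrs.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not 'DENY'")
    if "strict-transport-security" not in hdrs:
        findings.append("Strict-Transport-Security missing")
        return findings
    hsts = parse_hsts(hdrs["strict-transport-security"])
    max_age = int(hsts["max-age"]) if hsts.get("max-age", "").isdigit() else -1
    if max_age < REQUIRED_MAX_AGE:
        findings.append("HSTS max-age below %d" % REQUIRED_MAX_AGE)
    if "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains")
    if "preload" not in hsts:
        findings.append("HSTS lacks preload")
    return findings


# Constructed sample: a host that already applies the proposed settings.
GOOD = ("HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\n"
        "X-Frame-Options: DENY\r\nStrict-Transport-Security: "
        "max-age=63072000; includeSubDomains; preload\r\n\r\n")
```

The output of `curl -sI https://host/` can be fed straight to `check_headers` to audit a live host before and after the Ansible change.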
Updated by Marc Dequènes about 2 years ago
- Status changed from In Progress to Resolved
- % Done changed from 90 to 100
This reading is interesting: https://wiki.mozilla.org/Security/Guidelines/Web_Security
HTTP Public-Key Pinning (HPKP) is another workaround against rogue CAs, but you cannot change your key easily, so you need to prepare backup keys. Also, if the problem is linked to the key cipher, then you're totally fraked and cannot update the certificate. This is really as much a constraint as a protection, so we're not going to implement this.
Content Security Policy (CSP) is interesting and seems well supported by most browsers. It needs to be adapted to the site's needs, so it is not a global policy. I will create a new BR for this experimentation.