securityheaders A and SSL Server Labs A+

Someone pointed out to me that I was still getting an F on the securityheaders test and only an A on the SSL Labs Test.

First of all, I wanted to verify that my site was missing all the relevant security headers.

Well, with my awful score in hand, it was time to beef up my site’s security a bit.

Improving Security

I first decided to add all the simple (non HPKP headers) to the bottom of my security.conf file.

root@wordpress-1gb-nyc1-01:/etc/apache2/conf-available# tail -5 security.conf
Header always set Strict-Transport-Security: max-age=31536000; includeSubdomains
Header always set Content-Security-Policy: default-src 'none'; script-src https://www.doyler.net
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"

Unfortunately, when I tried to restart Apache, it seemed like I did not have the Header module installed.

root@wordpress-1gb-nyc1-01:/etc/apache2/conf-available# service apache2 restart
 * Restarting web server apache2                                         [fail]
 * The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 76 of /etc/apache2/conf-enabled/security.conf:
Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.

With the Header module installed, it was time to restart Apache and hope everything worked.

root@wordpress-1gb-nyc1-01:/etc/apache2/conf-available# a2enmod headers
Enabling module headers.
To activate the new configuration, you need to run:
  service apache2 restart
root@wordpress-1gb-nyc1-01:/etc/apache2/conf-available# service apache2 restart
 * Restarting web server apache2                                         [fail]
 * The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 76 of /etc/apache2/conf-enabled/security.conf:
Unknown parameter: includeSubdomains
Action 'configtest' failed.
The Apache error log may have more information.

Once I properly quoted the parameters for my new headers, I was finally able to get Apache back up and running.

root@wordpress-1gb-nyc1-01:/etc/apache2/conf-available# tail -5 security.conf
Header always set Strict-Transport-Security: "max-age=31536000; includeSubdomains"
Header always set Content-Security-Policy: "default-src 'none'; script-src https://www.doyler.net"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
root@wordpress-1gb-nyc1-01:/etc/apache2/conf-available# service apache2 restart
  * Restarting web server apache2                                         [ OK ]

Retesting

With everything in place, it was time to rerun the test.

And, as a bonus, adding HSTS also brought up my SSL Labs score to an A+.

That said, at this time, I have no plans to enable HKPK on this site.

I do not think that the possible downsides outweigh the benefits, and it is not currently supported by the Let’s Encrypt client.

Also, for those of you paying attention at home, that Content-Security-Policy will obviously not allow my WordPress site to run very well.

Once I got everything running correctly and white-listed properly, this was my final (for now) Content-Security-Policy header.

Header always set Content-Security-Policy: "default-src 'none'; script-src https://www.doyler.net 'unsafe-inline' 'unsafe-eval' https://s0.wp.com https://s1.wp.com; style-src https://www.doyler.net 'unsafe-inline' https://s0.wp.com https://fonts.googleapis.com; font-src https://www.doyler.net data: https://s0.wp.com https://fonts.gstatic.com; img-src www.doyler.net https://secure.gravatar.com data: https://pixel.wp.com; frame-src https://widgets.wp.com; connect-src https://www.doyler.net; upgrade-insecure-requests"