securityheaders A and SSL Server Labs A+

Someone pointed out to me that I was still getting an F on the securityheaders test and only an A on the SSL Labs Test.

First of all, I wanted to verify that my site was missing all the relevant security headers.

securityheaders - Grade F

Well, with my awful score in hand, it was time to beef up my site's security a bit.

Improving Security

I first decided to add all the simple (non-HPKP) headers to the bottom of my security.conf file.

root@wordpress-1gb-nyc1-01:/etc/apache2/conf-available# tail -5 security.conf
Header always set Strict-Transport-Security: max-age=31536000; includeSubdomains
Header always set Content-Security-Policy: default-src 'none'; script-src https://www.doyler.net
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"

Unfortunately, when I tried to restart Apache, it turned out that the headers module (mod_headers) was not enabled, so the Header directive was unknown.

root@wordpress-1gb-nyc1-01:/etc/apache2/conf-available# service apache2 restart
 * Restarting web server apache2                                         [fail]
 * The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 76 of /etc/apache2/conf-enabled/security.conf:
Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.

After enabling the headers module with a2enmod, it was time to restart Apache and hope everything worked.

root@wordpress-1gb-nyc1-01:/etc/apache2/conf-available# a2enmod headers
Enabling module headers.
To activate the new configuration, you need to run:
  service apache2 restart
root@wordpress-1gb-nyc1-01:/etc/apache2/conf-available# service apache2 restart
 * Restarting web server apache2                                         [fail]
 * The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 76 of /etc/apache2/conf-enabled/security.conf:
Unknown parameter: includeSubdomains
Action 'configtest' failed.
The Apache error log may have more information.

Once I properly quoted the parameters for my new headers, I was finally able to get Apache back up and running.

root@wordpress-1gb-nyc1-01:/etc/apache2/conf-available# tail -5 security.conf
Header always set Strict-Transport-Security: "max-age=31536000; includeSubdomains"
Header always set Content-Security-Policy: "default-src 'none'; script-src https://www.doyler.net"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
root@wordpress-1gb-nyc1-01:/etc/apache2/conf-available# service apache2 restart
  * Restarting web server apache2                                         [ OK ]

Retesting

With everything in place, it was time to rerun the test.

securityheaders - Grade A

And, as a bonus, adding HSTS also raised my SSL Labs score to an A+.

securityheaders - SSL Labs A+

That said, at this time I have no plans to enable HPKP on this site.

I do not think that the possible downsides outweigh the benefits, and it is not currently supported by the Let's Encrypt client.

Also, for those of you paying attention at home, that Content-Security-Policy will obviously not allow my WordPress site to run very well.

Once I got everything running correctly and white-listed properly, this was my final (for now) Content-Security-Policy header.

Header always set Content-Security-Policy: "default-src 'none'; script-src https://www.doyler.net 'unsafe-inline' 'unsafe-eval' https://s0.wp.com https://s1.wp.com; style-src https://www.doyler.net 'unsafe-inline' https://s0.wp.com https://fonts.googleapis.com; font-src https://www.doyler.net data: https://s0.wp.com https://fonts.gstatic.com; img-src www.doyler.net https://secure.gravatar.com data: https://pixel.wp.com; frame-src https://widgets.wp.com; connect-src https://www.doyler.net; upgrade-insecure-requests"
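To see what that final policy actually permits, here is a small added example (my own code, not part of the original post or of Apache) that parses a Content-Security-Policy value into its directives and flags the settings that weaken it: 'unsafe-inline' and 'unsafe-eval' in script-src, and host sources listed without an https:// scheme. The policy string is copied from the header above; the checks themselves are an assumption about what is worth flagging, not an exhaustive CSP audit.

```python
from typing import Dict, List

# Policy copied verbatim from the post's final Content-Security-Policy header.
FINAL_CSP = (
    "default-src 'none'; script-src https://www.doyler.net 'unsafe-inline' "
    "'unsafe-eval' https://s0.wp.com https://s1.wp.com; style-src "
    "https://www.doyler.net 'unsafe-inline' https://s0.wp.com "
    "https://fonts.googleapis.com; font-src https://www.doyler.net data: "
    "https://s0.wp.com https://fonts.gstatic.com; img-src www.doyler.net "
    "https://secure.gravatar.com data: https://pixel.wp.com; frame-src "
    "https://widgets.wp.com; connect-src https://www.doyler.net; "
    "upgrade-insecure-requests"
)

# Quoted source-list keywords; these are not host sources and need no scheme.
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"}

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source, ...]}; a bare directive maps to []."""
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # Browsers honour only the first occurrence of a duplicated directive.
        policy.setdefault(name, tokens[1:])
    return policy

def audit_csp(value: str) -> List[str]:
    """Return human-readable findings for the weak spots in a policy."""
    policy = parse_csp(value)
    findings: List[str] = []
    for directive, sources in policy.items():
        if directive == "script-src" and "'unsafe-inline'" in sources:
            findings.append("script-src allows 'unsafe-inline': inline scripts are not blocked")
        if directive == "script-src" and "'unsafe-eval'" in sources:
            findings.append("script-src allows 'unsafe-eval': eval()/Function() are permitted")
        for src in sources:
            # Skip keywords, scheme sources such as data:, and the wildcard.
            if src in KEYWORDS or src.endswith(":") or src == "*":
                continue
            if not src.startswith("https://"):
                findings.append(f"{directive} source {src!r} has no https:// scheme; it inherits the page's scheme instead of pinning https")
    if "default-src" not in policy:
        findings.append("no default-src fallback: unlisted fetch directives are unrestricted")
    return findings
```

Running audit_csp(FINAL_CSP) reports the two unsafe keywords in script-src and the scheme-less www.doyler.net entry in img-src; the 'unsafe-inline' in style-src is left alone since it is far less consequential than in script-src.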
doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration tester for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
