Securing your Bludit site with HTTP
Posted: Thu Oct 06, 2016 11:31 pm
Did you check your Bludit site with https://securityheaders.io? I did.
I spent some time playing with my web server (Lighttpd), trying to set up a more secure configuration, and now my site has an "A" score, so I can share with you how to reach this result.
On Lighttpd (don't forget to switch on mod_setenv):
# mod_setenv must be loaded for setenv.add-response-header to take effect, e.g. server.modules += ( "mod_setenv" )
setenv.add-response-header = (
  "Strict-Transport-Security" => "max-age=15768000",
  "Content-Security-Policy" => "default-src 'self'; script-src 'unsafe-inline' https://www.google-analytics.com https://mc.yandex.ru 'self'; style-src 'unsafe-inline' https://fonts.googleapis.com 'self'; font-src https://fonts.gstatic.com 'self'; connect-src https://mc.yandex.ru 'self'; img-src https://www.google-analytics.com https://mc.yandex.ru 'self'",
  "X-Content-Type-Options" => "nosniff",
  "X-Frame-Options" => "DENY",
  "X-XSS-Protection" => "1; mode=block"
)
On Nginx:
# "always" (nginx 1.7.5+) sends the headers on error responses as well.
# A location block that has its own add_header does not inherit these; repeat them there.
add_header Strict-Transport-Security "max-age=15768000" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' https://www.google-analytics.com https://mc.yandex.ru 'self'; style-src 'unsafe-inline' https://fonts.googleapis.com 'self'; font-src https://fonts.gstatic.com 'self'; connect-src https://mc.yandex.ru 'self'; img-src https://www.google-analytics.com https://mc.yandex.ru 'self'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
On Apache:
# Requires mod_headers (Debian/Ubuntu: a2enmod headers). "always" covers error responses too.
# Apache directives end at the end of the line; a trailing ";" is treated as an extra argument and breaks the directive.
Header always set Strict-Transport-Security "max-age=15768000"
Header always set Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' https://www.google-analytics.com https://mc.yandex.ru 'self'; style-src 'unsafe-inline' https://fonts.googleapis.com 'self'; font-src https://fonts.gstatic.com 'self'; connect-src https://mc.yandex.ru 'self'; img-src https://www.google-analytics.com https://mc.yandex.ru 'self'"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
Header always set X-XSS-Protection "1; mode=block"
I am using the Google Tools and Yandex Tools plugins, so my Content-Security-Policy HTTP header contains links to their external resources. If you are not using them, just remove the script-src, connect-src and img-src fields. If you are using external image loading, just add the URL to img-src.
Additional details can be found at Scott Helme's blog.
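Added example, not code from the original post or from Bludit: an offline audit of the header set above, written the way a practitioner would check a configuration beyond confirming that each header is present. It splits Content-Security-Policy and Strict-Transport-Security the way a browser does and flags the points worth knowing about the post's policy: 'unsafe-inline' in script-src means an injected inline script still runs, object-src and frame-ancestors fall back to default-src when absent, and an HSTS max-age of 15768000 seconds is about six months, below the one year that hstspreload.org requires. The two header dicts are constructed sample data: WEAK reproduces the post's configuration, HARDENED is an assumed corrected version (the nonce value is a placeholder; a real deployment generates a fresh nonce per response and puts it on each script tag). X-XSS-Protection is not scored because current Chromium-based browsers ignore it and Firefox never implemented it.

```python
"""Offline audit of the post's security headers (added example, not the post's code).

WEAK reproduces the configuration from the post; HARDENED is an assumed fix.
Both are constructed sample data, so the script runs without network access.
"""
from __future__ import annotations

WEAK = {
    "Strict-Transport-Security": "max-age=15768000",
    "Content-Security-Policy": "default-src 'self'; "
        "script-src 'unsafe-inline' https://www.google-analytics.com https://mc.yandex.ru 'self'; "
        "style-src 'unsafe-inline' https://fonts.googleapis.com 'self'; "
        "font-src https://fonts.gstatic.com 'self'; connect-src https://mc.yandex.ru 'self'; "
        "img-src https://www.google-analytics.com https://mc.yandex.ru 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
}

# Assumed hardened variant: 'nonce-PLACEHOLDER' stands in for a per-response random nonce.
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; "
        "script-src 'nonce-PLACEHOLDER' https://www.google-analytics.com https://mc.yandex.ru; "
        "style-src 'self' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; "
        "connect-src 'self' https://mc.yandex.ru; "
        "img-src 'self' https://www.google-analytics.com https://mc.yandex.ru; "
        "object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy: str) -> dict[str, list[str]]:
    """{directive: [sources]}; names are case-insensitive and, as in browsers, the first occurrence wins."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(csp: dict[str, list[str]], directive: str) -> list[str]:
    """Sources governing a fetch directive, applying the default-src fallback."""
    return csp.get(directive, csp.get("default-src", []))


def hsts_max_age(value: str) -> int | None:
    """max-age in seconds, or None when the directive is absent or malformed."""
    for part in value.split(";"):
        name, _, number = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            number = number.strip().strip('"')
            return int(number) if number.isdigit() else None
    return None


def audit(headers: dict[str, str]) -> list[str]:
    """Findings for one response's headers; an empty list means nothing was flagged."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []
    csp_value = h.get("content-security-policy")
    if csp_value is None:
        findings.append("CSP missing")
    else:
        csp = parse_csp(csp_value)
        scripts = effective_sources(csp, "script-src")
        # A nonce or hash in script-src makes CSP2+ browsers ignore 'unsafe-inline'.
        if "'unsafe-inline'" in scripts and not any(s.startswith(NONCE_OR_HASH) for s in scripts):
            findings.append("CSP script-src allows 'unsafe-inline': injected inline scripts still run")
        if "'none'" not in effective_sources(csp, "object-src"):
            findings.append("CSP object-src not 'none': plugin content falls back to default-src")
        if "frame-ancestors" not in csp:
            findings.append("CSP has no frame-ancestors: framing relies on X-Frame-Options alone")
    hsts = h.get("strict-transport-security", "")
    age = hsts_max_age(hsts)
    if age is None:
        findings.append("HSTS missing or malformed")
    else:
        if age < 31536000:
            findings.append(f"HSTS max-age {age} is under one year (preload needs 31536000)")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {audit(headers) or ['no findings']}")
```

Run as a script it prints five findings for the post's configuration and none for the hardened one. To audit a live site, replace WEAK with the dict returned by a HEAD request (for example `dict(http.client.HTTPSConnection(host).getresponse().getheaders())` after `conn.request("HEAD", "/")`); the parsing and checks do not change.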