@mattab opened this Issue on February 18th 2016 Owner

https://securityheaders.io/?q=https%3A%2F%2Fdemo.piwik.org%2F

  • Strict-Transport-Security HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Recommended value "strict-transport-security: max-age=31536000; includeSubdomains".
  • Content-Security-Policy Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
  • Public-Key-Pins HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
  • X-Frame-Options X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value "x-frame-options: SAMEORIGIN".
  • X-XSS-Protection X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Recommended value "X-XSS-Protection: 1; mode=block".
  • X-Content-Type-Options X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This helps to reduce the danger of drive-by downloads. Recommended value "X-Content-Type-Options: nosniff".
@hpvd commented on February 18th 2016

Regarding using "Public-Key-Pinning", one should be really careful and should at least pin more than one certificate.
If one makes any error in administration, one could "lose" the domain.

For details see e.g. (sorry, only German)
http://www.heise.de/forum/heise-Security/News-Kommentare/l-f-Web-Dienst-prueft-Praesenz-sicherheitsrelevanter-HTTP-Header/Certificate-Pinning/posting-24489362/show/

or https://community.letsencrypt.org/t/hpkp-best-practices-if-you-choose-to-implement/4625
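
The header list in the issue description and the pinning caveat in this comment can both be turned into a response-header check. The following is an added example, not code from the issue, from Piwik or from securityheaders.io: it evaluates a dict of response headers against the recommended values quoted above and additionally flags a Public-Key-Pins header that carries fewer than two pin-sha256 values, since without a backup pin a single key or CA mishap locks users out of the domain. The two header dicts at the bottom are constructed samples (the pin values are placeholders, not real SPKI hashes), and the function `check_headers` is this example's own name.

```python
import re

ONE_YEAR = 31536000  # seconds; the HSTS max-age securityheaders.io recommends


def _directives(value):
    """Split a ';'-separated header value into lowercase directive tokens."""
    return [part.strip().lower() for part in value.split(";") if part.strip()]


def _max_age(value):
    """Return the integer max-age directive of a header value, or None if absent or invalid."""
    for token in _directives(value):
        if token.startswith("max-age="):
            try:
                return int(token.split("=", 1)[1].strip('"'))
            except ValueError:
                return None
    return None


def check_headers(headers):
    """Evaluate a dict of response headers; return a list of findings (empty when clean)."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: add 'Strict-Transport-Security: max-age=31536000; includeSubDomains'")
    else:
        age = _max_age(hsts)
        if age is None or age < ONE_YEAR:
            findings.append("HSTS max-age should be at least %d seconds (one year)" % ONE_YEAR)
        if "includesubdomains" not in _directives(hsts):
            findings.append("HSTS should include includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: whitelist approved content sources to limit XSS impact")
    elif "default-src" not in csp.lower():
        findings.append("CSP has no default-src fallback; unlisted resource types are unrestricted")

    # HPKP is optional, but if it is sent it must carry a backup pin (hpvd's point above).
    hpkp = h.get("public-key-pins")
    if hpkp is not None:
        pins = re.findall(r'pin-sha256="([^"]+)"', hpkp)
        if len(pins) < 2:
            findings.append("HPKP with fewer than two pins: without a backup pin a key or CA mishap locks users out of the domain")
        if _max_age(hpkp) is None:
            findings.append("HPKP max-age missing; the header is invalid without it")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be SAMEORIGIN (or DENY) to defend against clickjacking")

    if _directives(h.get("x-xss-protection", "")) != ["1", "mode=block"]:
        findings.append("X-XSS-Protection should be '1; mode=block'")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff' to stop MIME sniffing")

    return findings


# Constructed sample: a response with none of the recommended headers and a single-pin HPKP header.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Public-Key-Pins": 'pin-sha256="PLACEHOLDER_PIN_1"; max-age=5184000',
}

# Constructed sample: every recommended value from the report, plus a backup pin.
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Public-Key-Pins": 'pin-sha256="PLACEHOLDER_PIN_1"; pin-sha256="PLACEHOLDER_PIN_2"; max-age=5184000',
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_headers(response) or "no findings")
```

Feeding it the headers of a real response (for example the dict from `requests.head(url).headers`) gives the same six categories of output as the scan above, with the HPKP rule applied only when the header is actually present.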

@hpvd commented on February 18th 2016

Another great test is this one:
https://www.ssllabs.com/ssltest/analyze.html?d=piwik.org

https://www.ssllabs.com/ssltest/analyze.html?d=piwik.org&s=185.31.40.177

https://www.ssllabs.com/ssltest/analyze.html?d=piwik.org&s=2a00%3ab6e0%3a1%3a200%3a177%3a0%3a0%3a1

  • This server does not mitigate the CRIME attack. Grade capped to C.
  • Intermediate certificate has a weak signature. Upgrade to SHA2 as soon as possible to avoid browser warnings.
  • The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.
  • This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B.
  • The server does not support Forward Secrecy with the reference browsers.
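
The five SSL Labs findings above are all server configuration or certificate properties, so they can be checked from a scan summary and fixed in the server's TLS settings. The following is an added example, not code from the issue, from Piwik or from SSL Labs: `audit` applies the five findings (with the grade caps the report states) to a summary of protocols, ciphers, compression and intermediate signature algorithm, and `hardened_server_context` builds a Python `ssl.SSLContext` that addresses every configuration finding (TLS 1.2 minimum, compression off, only ECDHE/DHE AEAD suites, no RC4). The SHA-1 intermediate is a certificate issue rather than a context setting, so its signature algorithm is passed in separately. `WEAK_SUMMARY` is a constructed summary mirroring the report, not real scan data, and all function names are this example's own.

```python
import ssl

GRADE_ORDER = "ABCDEF"  # best to worst; a cap replaces the grade only if it is worse

# Constructed summary mirroring the five findings in the SSL Labs report above (not real scan data).
WEAK_SUMMARY = {
    "protocols": {"TLSv1", "TLSv1.1"},
    "ciphers": ["AES128-SHA", "RC4-SHA", "DES-CBC3-SHA"],
    "compression": True,
    "intermediate_sig": "sha1WithRSAEncryption",
}


def _cap(grade, cap):
    """Return the worse of the current grade and the cap."""
    return max(grade, cap, key=GRADE_ORDER.index)


def audit(summary):
    """Apply the report's five findings to a scan summary; return the findings and the capped grade."""
    findings, grade = [], "A"
    protocols, ciphers = summary["protocols"], summary["ciphers"]
    if summary["compression"]:
        findings.append("TLS compression enabled: CRIME not mitigated (grade capped to C)")
        grade = _cap(grade, "C")
    if not protocols & {"TLSv1.2", "TLSv1.3"}:
        findings.append("Only older protocols offered, no TLS 1.2 (grade capped to C)")
        grade = _cap(grade, "C")
    if any("RC4" in name for name in ciphers):
        findings.append("RC4 cipher accepted (grade capped to B)")
        grade = _cap(grade, "B")
    # Forward secrecy needs ephemeral key exchange: ECDHE/DHE suites, or TLS 1.3 where it is mandatory.
    ephemeral = "TLSv1.3" in protocols or any(name.startswith(("ECDHE-", "DHE-")) for name in ciphers)
    if not ephemeral:
        findings.append("No forward secrecy: no ECDHE/DHE suites offered")
    if "sha1" in summary["intermediate_sig"].lower():
        findings.append("Intermediate certificate signed with SHA-1; reissue the chain with SHA-2")
    return {"grade": grade, "findings": findings}


def hardened_server_context():
    """Server-side SSLContext that fixes every configuration finding above (assumes a modern OpenSSL)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # drops TLS 1.0 and 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION           # CRIME mitigation
    # Ephemeral key exchange with AEAD ciphers only; anonymous, MD5 and RC4 suites excluded.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4")
    return ctx


def summarize_context(ctx, intermediate_sig):
    """Describe an SSLContext in the summary shape audit() expects."""
    versions = [("TLSv1", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3)]
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.TLSv1
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3 if ssl.HAS_TLSv1_3 else ssl.TLSVersion.TLSv1_2
    return {
        "protocols": {name for name, v in versions if lo <= v <= hi},
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
        "compression": not (ctx.options & ssl.OP_NO_COMPRESSION),
        "intermediate_sig": intermediate_sig,
    }


if __name__ == "__main__":
    print("weak:", audit(WEAK_SUMMARY))
    hardened = summarize_context(hardened_server_context(), "sha256WithRSAEncryption")
    print("hardened:", audit(hardened))
```

The grade logic keeps the worst cap seen, which is why the constructed weak summary lands on C even though the RC4 finding alone would only cap it to B. The same summary shape can be filled from a real scan and re-run after each configuration change.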
@mattab commented on February 14th 2017 Owner

We now have a high SSL rating and the other items don't seem so relevant.

This Issue was closed on February 14th 2017