Author Topic: CWP server lacking basic security headers / CSP  (Read 53 times)

0 Members and 1 Guest are viewing this topic.

CWP server lacking basic security headers / CSP
« on: February 09, 2018, 07:19:58 PM »
Looking at the headers from the CWP (apache) server with its exposure to the inet I am baffled, shocked even, that there are apparently not even basic security headers in places, such as:

Code: [Select]
x-content-type-options nosniff
x-download-options noopen
x-frame-options SAMEORIGIN
x-permitted-cross-domain-policies none
x-xss-protection 1; mode=block

Neither is any CSP (Content Security Policy) deployed...

It is also announcing that PHP is deployed with the corresponding version number, which could be suppressed in the PHP ini
X-Powered-By PHP/7.0.24

That leaves the CSP server open to a variety of attacks, e.g. cross scripting and CSS Exfil , and just deploying TLS is no cure to those.

I really would prefer that my server not being exposed to such attack surfaces by proxy of the CWP server. Whilst being in the position to harden any other services components on the server the CWP server is beyond such measures, unless starting to mess with its code and risking unattended consequence and instability.