Author Topic: CWP server lacking basic security headers / CSP


CWP server lacking basic security headers / CSP
« on: February 09, 2018, 07:19:58 PM »
Looking at the headers from the CWP (Apache) server, with its exposure to the internet, I am baffled, shocked even, that there are apparently not even basic security headers in place, such as:

Code:
x-content-type-options nosniff
x-download-options noopen
x-frame-options SAMEORIGIN
x-permitted-cross-domain-policies none
x-xss-protection 1; mode=block

Neither is any CSP (Content Security Policy) deployed...

It is also announcing that PHP is deployed, with the corresponding version number, which could be suppressed in the PHP ini:
Quote
X-Powered-By PHP/7.0.24

That leaves the CWP server open to a variety of attacks, e.g. cross-site scripting and CSS Exfil, and just deploying TLS is no cure for those.

I really would prefer that my server not be exposed to such attack surfaces by proxy of the CWP server. Whilst I am in the position to harden any other service components on the server, the CWP server is beyond such measures, unless I start to mess with its code and risk unintended consequences and instability.

Re: CWP server lacking basic security headers / CSP
« Reply #1 on: Today at 05:56:04 AM »
Hi, my CWP server is using the standard basic security headers (only the ones I need). You can simply paste them into your httpd.conf file.

Back up httpd.conf:
Code:
cp -p /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf_bak
Add the directives:
Code:
vi /usr/local/apache/conf/httpd.conf
Just add these additional lines at the end of your httpd.conf and restart Apache for the changes to take effect.

Code:
# Hide the Apache version and OS from the Server header and from error pages
ServerTokens Prod
ServerSignature Off

# Do not derive ETags from inode numbers
FileETag None

Timeout 90

# mod_headers must be loaded before any Header directive is parsed, otherwise
# Apache refuses to start with "Invalid command 'Header'"; the guard skips the
# LoadModule if CWP's build already loads the module earlier in the file
<IfModule !headers_module>
    LoadModule headers_module modules/mod_headers.so
</IfModule>

<IfModule headers_module>
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options nosniff
    Header set Content-Security-Policy "default-src 'self';"
</IfModule>

You can test and see if those lines are working for you.
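An added example, not posted by either participant, that audits a captured HTTP response head against the header list from the opening post and the version leaks it mentions. Both response samples are constructed: the "before" one mirrors the opening post's description, and the "after" one assumes the reply's httpd.conf lines were applied together with expose_php=Off in php.ini (the "PHP ini" fix the opening post alludes to but does not show). It also flags doubled headers, which matters because `Header always append` adds a second X-Frame-Options value if one is already set elsewhere in the configuration.

```python
"""Audit a captured HTTP response head for the security headers discussed above."""
import re

# Headers the opening post expects to see (lower-cased for comparison)
EXPECTED_HEADERS = (
    "x-content-type-options",
    "x-download-options",
    "x-frame-options",
    "x-permitted-cross-domain-policies",
    "x-xss-protection",
    "content-security-policy",
)

# A version number inside Server/X-Powered-By is the disclosure worth flagging
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_headers(raw):
    """Parse a raw HTTP response head into {lower-name: [values]}.

    Repeated headers are kept as a list so duplicates (e.g. two
    X-Frame-Options values) can be detected. Status line and body are ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(headers):
    """Return findings for a parsed header dict.

    missing    - expected hardening headers that are absent
    duplicates - expected headers present more than once (a doubled
                 X-Frame-Options is treated as invalid by browsers)
    leaks      - headers that reveal software and version information
    """
    missing = [h for h in EXPECTED_HEADERS if h not in headers]
    duplicates = [h for h in EXPECTED_HEADERS if len(headers.get(h, [])) > 1]
    leaks = []
    if "x-powered-by" in headers:
        leaks.append("x-powered-by: " + ", ".join(headers["x-powered-by"]))
    for value in headers.get("server", []):
        if VERSION_RE.search(value):
            leaks.append("server: " + value)
    return {"missing": missing, "duplicates": duplicates, "leaks": leaks}


# Constructed sample 1: a response like the one described in the opening post
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Unix)\r\n"
    "X-Powered-By: PHP/7.0.24\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample 2: the same server after the reply's httpd.conf lines are
# applied and expose_php=Off is set in php.ini (assumed, not shown in the thread)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self';\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html></html>"
)


def run_audit(raw):
    """Parse and audit a raw response head in one step."""
    return audit_headers(parse_headers(raw))


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for kind, items in run_audit(sample).items():
            print("  %-10s %s" % (kind, ", ".join(items) or "-"))
```

Running it shows the "after" sample still missing x-download-options and x-permitted-cross-domain-policies, since the reply's directives cover only four of the six headers the opening post lists; the audit is meant to be re-run (e.g. on the output of `curl -sI`) after each configuration change.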