Web Security (draft)

Last Updated:

List of browser and server security tools, technologies, and techniques.

Browser Controls

Content-Security-Policy

From Mozilla’s Content-Security-Policy Response Header document:

The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).

This website uses the following policy (nginx configuration):

add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'none'; frame-src https://www.youtube.com; frame-ancestors 'none'; base-uri 'none'";
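A policy is only as strong as its weakest directive, so it is worth checking a CSP value the way a browser reads it. The following Python script is an added example, not code from the original page: it splits a policy into directives (first occurrence of a directive wins, fetch directives inherit default-src, base-uri/frame-ancestors/form-action do not) and reports common weak spots, including the 'unsafe-inline' in script-src that the policy above carries. The sample string and the helper names are assumptions of the example.

```python
from typing import Dict, List

# Constructed sample: the policy value from the add_header line above.
SAMPLE_CSP = (
    "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; "
    "img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; "
    "form-action 'none'; frame-src https://www.youtube.com; "
    "frame-ancestors 'none'; base-uri 'none'"
)

# Directives that do NOT fall back to default-src, and why each matters.
STANDALONE = {
    "base-uri": "an injected <base> tag can redirect relative script URLs",
    "frame-ancestors": "the page can be framed by any site (clickjacking)",
    "form-action": "an injected form can submit user input anywhere",
}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [sources]} as a browser does:
    ';' separates directives, whitespace separates tokens, and a repeated
    directive keeps only its first occurrence."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_sources(directives: Dict[str, List[str]]) -> List[str]:
    """script-src is a fetch directive, so it inherits default-src if absent."""
    return directives.get("script-src", directives.get("default-src", []))


def audit_csp(policy: str) -> List[str]:
    """Return human-readable findings for the policy's common weak spots."""
    d = parse_csp(policy)
    findings: List[str] = []
    if "default-src" not in d:
        findings.append("missing default-src: unlisted resource types load from anywhere")
    scripts = script_sources(d)
    # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash source is listed.
    if "'unsafe-inline'" in scripts and not any(
        s.startswith("'nonce-") or s.startswith("'sha") for s in scripts
    ):
        findings.append("script-src allows 'unsafe-inline': injected inline scripts run")
    if any(s in ("*", "http:", "https:") for s in scripts):
        findings.append("script-src allows scripts from any host")
    for name, why in STANDALONE.items():
        if name not in d:
            findings.append(f"missing {name}: {why}")
    return findings
```

Running audit_csp(SAMPLE_CSP) reports the single 'unsafe-inline' finding; moving inline scripts to external files or nonces would let script-src drop it.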

Referrer-Policy

The Referrer-Policy header tells the browser when it should send the Referer request header to other sites. That header tells the other site that the person visiting it has just come from your site. You can improve your visitors' privacy by telling the browser not to send it.

nginx configuration:

add_header Referrer-Policy "no-referrer";

X-Content-Type-Options

The X-Content-Type-Options response header tells the browser to opt out of MIME sniffing, in which the browser guesses a resource's type from its content rather than trusting the declared Content-Type. Sniffing is unnecessary if content types are configured properly.

nginx configuration:

add_header X-Content-Type-Options "nosniff";

Let’s Encrypt

Let’s Encrypt is a free, automated, and open Certificate Authority. You can use it to get a free TLS certificate for your website.

Let’s Encrypt issues short-lived certificates that are intended to be renewed automatically. One of the methods for automating this is certbot.

Tools

openssl s_client

OpenSSL’s s_client command can be used to inspect the TLS configuration of a server from a client's point of view.

Connect to a server, optionally forcing a single TLS protocol version (a handshake failure with one of the version flags shows that the server rejects that version):

openssl s_client -connect dougrichardson.org:443
openssl s_client -connect dougrichardson.org:443 -tls1
openssl s_client -connect dougrichardson.org:443 -tls1_1
openssl s_client -connect dougrichardson.org:443 -tls1_2
openssl s_client -connect dougrichardson.org:443 -tls1_3

References