Jack Aubry

Been hardening my domain security and here are some tools and tips to improve on this.

Check your SSL Certificate
SSL Server Test (Powered by Qualys SSL Labs)


Assuming you got your SSL certificate from a decent CA, you will probably need to act on two aspects to get an A+ result here:

1) Change your cipher suite preference/order in the server conf file to disallow RC4 and favor strong modern ciphers.
I use Apache, so this is what I used on my domain: (this can also be done on Plesk as Additional Directives) (I don't use htaccess files)

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

2) Submit your domain for inclusion in Chrome's HTTP Strict Transport Security (HSTS) preload list.
IMPORTANT: only do this if you will ONLY serve your site securely (https) and you are committed to this long term.

Go to the link below and read carefully before proceeding:
HSTS Preload List Submission

This is what I did in the Apache server conf file (this can also be done as additional directives on Plesk):

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

It takes about 2 weeks to get preloaded after getting a green page on this.


Another testing tool you can use to improve other aspects of your domain security is Mxtoolbox domain health.

Domain Health Check - Online Domain Tools - Blacklist, Email, Website, DNS - MxToolBox


Follow the tips until all tests pass. If you get stuck you may post here for advice.

Other tips to strengthen site security are done via server response headers.
Google each of the following lines before proceeding; this is what I use:

Header set X-XSS-Protection "1; mode=block"

Header set X-Content-Type-Options "nosniff"

Header always append X-Frame-Options SAMEORIGIN

A nice online tool I use to quickly check my server response headers is: Redirect-Checker

(This tool will also help you with HSTS if the HSTS submission complains about the order of your redirects)
Redirect Checker | Check your Statuscode 301 vs 302

Hope it helps someone, took me a while to get A results on everything for my domain. Cheers!