Hardening domain security testing tools and tips
<blockquote data-quote="Jack Aubry" data-source="post: 778619" data-attributes="member: 76440"><p>Been hardening my domain security and here are some tools and tips to improve on this.</p><p></p>
<p><strong>Check your SSL Certificate</strong></p><p><a href="https://www.ssllabs.com/ssltest/" target="_blank">SSL Server Test (Powered by Qualys SSL Labs)</a></p><p></p>
<p>[ATTACH=full]202264[/ATTACH]</p>
<p>Assuming you got your SSL from a decent CA, you will probably need to act on two aspects to get an A+ result here.</p><p></p>
<p><strong>1) Change your cipher suite preference/order in the server conf file to disallow RC4 and favor strong modern ciphers.</strong></p>
<p>I use Apache, so this is what I used on my domain (this can also be done on Plesk as Additional Directives; I don't use htaccess files):</p><p></p>
<p>SSLProtocol all -SSLv2 -SSLv3</p><p>SSLHonorCipherOrder on</p><p>SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"</p><p></p>
<p><strong>2) Submit your domain for inclusion in Chrome's HTTP Strict Transport Security (HSTS) preload list.</strong></p>
<p>IMPORTANT: only if you will ONLY serve your site securely (https) and you are committed to this long term.</p><p></p>
<p>Go to the link below and read carefully before proceeding:</p><p><a href="https://hstspreload.org/" target="_blank">HSTS Preload List Submission</a></p><p></p>
<p>This is what I did in the Apache server conf file (this can also be done as additional directives on Plesk):</p><p></p>
<p><em>Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"</em></p><p></p>
<p><em>It takes about 2 weeks to get preloaded after getting a green page on this.</em></p><p></p><p></p>
<p><strong>Another testing tool you can use to improve other aspects of your domain security is MxToolbox domain health.</strong></p><p></p>
<p><a href="https://mxtoolbox.com/domain" target="_blank">Domain Health Check - Online Domain Tools - Blacklist, Email, Website, DNS - MxToolBox</a></p><p></p>
<p>[ATTACH=full]202265[/ATTACH]</p>
<p>Follow the tips until all tests pass. If you get stuck you may post here for advice.</p><p></p>
<p><strong>Other tips to strengthen domain site security are done via server response headers:</strong></p>
<p>Google each of the following lines before proceeding; this is what I use:</p><p></p>
<p>Header set X-XSS-Protection "1; mode=block"</p><p></p><p>Header set X-Content-Type-Options "nosniff"</p><p></p><p>Header always append X-Frame-Options SAMEORIGIN</p><p></p>
<p><strong>A nice online tool I use to quickly check my server response headers is Redirect-Checker.</strong></p><p></p>
<p>(This tool will also help you with HSTS if the HSTS submission complains about the order of your redirects.)</p><p><a href="http://www.redirect-checker.org/" target="_blank">Redirect Checker | Check your Statuscode 301 vs 302</a></p><p></p>
<p>Hope it helps someone; it took me a while to get A results on everything for my domain. Cheers!</p></blockquote><p></p>
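The SSLCipherSuite string in the post above names `EECDH+aRSA+RC4` and `RC4` but ends with `!RC4`. In OpenSSL's cipher-string grammar a `!` rule deletes the matching suites permanently, so RC4 is never offered no matter where it appears earlier in the list, and the same goes for `!3DES`, `!MD5` and the rest. The following is an added example, not code from the post or from Apache: it feeds that exact string to the OpenSSL library linked into Python's `ssl` module (the same library Apache's mod_ssl hands the string to) and audits what actually gets offered. The precise list of cipher names depends on the OpenSSL version installed, so the audit functions check properties of the list (no RC4/DES/MD5/NULL, every suite forward-secret) rather than an exact set of names.

```python
import re
import ssl

# The SSLCipherSuite value from the post, verbatim. Apache passes it to OpenSSL unchanged;
# OpenSSL accepts spaces, commas or colons as separators.
POST_CIPHER_STRING = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 "
    "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
)

# Names that should never appear in a hardened list (RC4, single/triple DES, MD5 MAC,
# NULL encryption/authentication, export grade).
WEAK_NAME = re.compile(r"RC4|DES|MD5|NULL|EXP", re.IGNORECASE)


def expand_cipher_string(spec: str) -> list[str]:
    """Ask the local OpenSSL which suites `spec` selects, in its preference order.

    Raises ssl.SSLError if the string selects nothing at all, which is exactly
    what would make mod_ssl refuse to start.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    # get_ciphers() also lists the fixed TLS 1.3 suites (names beginning TLS_);
    # they are governed separately from the cipher string but are harmless here.
    return [c["name"] for c in ctx.get_ciphers()]


def offers_rc4(spec: str) -> bool:
    """True if any selected suite uses RC4 (expected False for the post's string)."""
    return any("RC4" in name.upper() for name in expand_cipher_string(spec))


def weak_ciphers(spec: str) -> set[str]:
    """Set of selected suite names that match the weak-algorithm pattern."""
    return {name for name in expand_cipher_string(spec) if WEAK_NAME.search(name)}


def forward_secrecy_only(spec: str) -> bool:
    """True if every selected suite does an ephemeral (EC)DH key exchange.

    ECDHE-*/DHE-* are the OpenSSL names for EECDH/EDH suites; TLS 1.3 suites
    (TLS_*) are always ephemeral.
    """
    return all(
        name.startswith(("ECDHE-", "DHE-", "TLS_"))
        for name in expand_cipher_string(spec)
    )


if __name__ == "__main__":
    for name in expand_cipher_string(POST_CIPHER_STRING):
        print(name)
    print("offers RC4:", offers_rc4(POST_CIPHER_STRING))
    print("weak suites:", weak_ciphers(POST_CIPHER_STRING) or "none")
    print("all forward-secret:", forward_secrecy_only(POST_CIPHER_STRING))
```

Run it on the server itself (or wherever the same OpenSSL build is installed) after editing the cipher string; the expansion is what the SSL Labs scan will see, minus whatever the server's own OpenSSL build has compiled out.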
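The HSTS preload submission and the three response headers in the post can be checked offline before paying for a scan or waiting on the preload page. Below is an added example, not from the post or from hstspreload.org: a small Python checker that parses a `Strict-Transport-Security` value and applies the preload requirements (a `max-age` of at least one year, `includeSubDomains`, and the `preload` token; the one-year minimum is taken from the submission page's published rules and is an assumption here, so confirm it against the page itself), then checks `X-Content-Type-Options` and `X-Frame-Options`. It also flags an `X-Frame-Options` header carrying more than one value, which is what `Header append` produces when an upstream layer has already set the header and which browsers may then ignore. The `fetch_headers` helper and both header sets are constructed for the example.

```python
import http.client
from urllib.parse import urlparse

# Preload minimum max-age in seconds (one year). Assumption taken from the
# hstspreload.org submission rules; verify against the page before relying on it.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> dict:
    """Parse an HSTS header value into its directives.

    Directive names are case-insensitive per RFC 6797, so 'includeSubdomains'
    (as written in the post) and 'includeSubDomains' are treated the same.
    """
    parsed = {"max-age": None, "includesubdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if arg.isdigit():
                parsed["max-age"] = int(arg)
        elif name in ("includesubdomains", "preload"):
            parsed[name] = True
    return parsed


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        p = parse_hsts(hsts)
        if p["max-age"] is None:
            findings.append("HSTS: max-age missing or not numeric")
        elif p["max-age"] < PRELOAD_MIN_MAX_AGE:
            findings.append(f"HSTS: max-age {p['max-age']} is below the preload minimum {PRELOAD_MIN_MAX_AGE}")
        if not p["includesubdomains"]:
            findings.append("HSTS: includeSubDomains missing (required for preload)")
        if not p["preload"]:
            findings.append("HSTS: preload token missing (required for preload)")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: expected 'nosniff'")

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options: header missing")
    else:
        values = [v.strip().upper() for v in xfo.split(",")]
        if len(values) > 1:
            findings.append(f"X-Frame-Options: multiple values {values}; "
                            "'Header append' on an already-set header does this, use 'Header set'")
        elif values[0] not in ("DENY", "SAMEORIGIN"):
            findings.append(f"X-Frame-Options: unrecognised value {values[0]!r}")
    return findings


def fetch_headers(url: str, timeout: float = 10.0) -> dict:
    """HEAD the URL over HTTPS and return its response headers (live check, not used offline)."""
    u = urlparse(url)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout)
    conn.request("HEAD", u.path or "/")
    return dict(conn.getresponse().getheaders())


# Constructed sample: what the post's Apache directives produce on a clean response.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubdomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}

# Constructed sample of common misconfigurations: short max-age, no preload token,
# and a duplicated X-Frame-Options value from 'Header append'.
BAD_HEADERS = {
    "Strict-Transport-Security": "max-age=10886400; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN, SAMEORIGIN",
}

if __name__ == "__main__":
    import sys
    target = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else BAD_HEADERS
    for finding in audit_headers(target) or ["all checks passed"]:
        print(finding)
```

Run it with no argument to see the findings on the constructed bad sample, or with `https://yourdomain.example/` to audit a live response; note that a live check only sees the final response, so redirect ordering (the thing the post says Redirect-Checker helps with) still needs a tool that follows the chain.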