
Implement securityheaders.com security?

Discussion in 'System Administration' started by menister, May 17, 2019.

  1. menister (New Member)

    Hello,

    I have tested a couple of websites running with Centminmod on https://securityheaders.com and on a default install I get multiple red warnings, as you can see here:

    [image: securityheaders.com scan result for a default Centmin Mod install]

    I was wondering if it's possible to implement all the suggestions?
    And the other question is: Can I simply follow the steps shown on securityheaders to implement it on my own?

    Thanks!
     
  2. eva2000 (Administrator, Staff Member)

    HSTS header isn't enabled by default as improperly enabling it and not understanding the implications of enabling HSTS headers can cause you to DOS attack your own site - denial of service. For example, if you enabled HSTS with max-age = 1yr with include subdomains, it means you're telling web browsers to only allow the HTTPS version of your site to be accessed by visitors for every domain and subdomain *.domain.com and make it valid and enforceable for 1yr. Removing the HSTS after enabling won't help, as it's permanently cached in a web browser unless the visitor clears their HSTS cache.

    Any subdomain or any non-subdomain without an HTTPS SSL certificate will be denied access to your site for that 1yr period. So if you only had the intention to enable HTTPS for say domain.com, www.domain.com and blog.domain.com but no intention for HTTPS for say host.domain.com, but you enable HSTS with the include subdomain option - then you won't be able to access host.domain.com for that full 1yr period and any visitors won't be able to either as its HSTS flag is cached in each visitor's web browser and you can't clear it on the web server or your end. You effectively have DOS attacked your own site and prevented every visitor from accessing non-HTTPS host.domain.com for that 1yr. Sure you can get visitors to clear their HSTS browser cache as outlined below. But how many are tech savvy enough and how do you notify those visitors if they can't access host.domain.com?

    So I leave HSTS add_headers commented out/disabled in Centmin Mod created nginx vhosts by default and let end users like yourself decide if they want to enable HSTS.

    Same goes for other security headers: they have an entry left commented out/disabled in nginx vhosts created by Centmin Mod. But they have their own similar implications and consequences for enabling which may affect how your web site functions, so you'd need to know what these security headers do and their consequences.

    See Enabling HSTS for SSL for specifics
    As accessing host.domain.com is usually reserved for stats and admin pages the Centmin Mod LEMP stack owner only needs to access, you can just clear your web browser's HSTS record for the domain.com and host.domain.com so the web browser no longer redirects from HTTP to HTTPS. I posted a thread at SSL - How to clear HSTS browser cache | Centmin Mod Community specifically for this :)

    With that said, if you know what these security headers do and their consequences, enable them. I have for this forum https://securityheaders.com/?q=https://community.centminmod.com/&hide=on&followRedirects=on :)
     
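eva2000's answer above describes what a browser does with a cached HSTS policy: once `domain.com` has sent `max-age` for a year with `includeSubDomains`, every host under it is forced to HTTPS in that browser until the entry expires, whether or not the host has a certificate. The Python below is an example added to this thread (it is not Centmin Mod code and not from the forum post) that models the browser-side cache as RFC 6797 defines it, replays the `host.domain.com` lockout scenario, and includes a small "which headers are missing" check in the spirit of a securityheaders.com scan. The header list, host names and clock values are constructed for the example.

```python
"""Model of a browser's HSTS cache, showing why includeSubDomains can lock
visitors out of a non-HTTPS subdomain. Example added to the thread; not
Centmin Mod code. Host names, header list and clock values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Response headers a securityheaders.com-style scan looks for (assumed list).
EXPECTED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
)


def missing_security_headers(response_headers: Dict[str, str]) -> List[str]:
    """Return the expected headers absent from a response (names compared case-insensitively)."""
    present = {name.lower() for name in response_headers}
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]


def parse_hsts(value: str) -> Tuple[int, bool]:
    """Parse a Strict-Transport-Security value (RFC 6797): (max-age seconds, includeSubDomains)."""
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        raise ValueError("HSTS header requires a max-age directive")
    return max_age, include_subdomains


@dataclass
class HstsEntry:
    max_age: int
    include_subdomains: bool
    received_at: int  # seconds on a constructed clock


class BrowserHstsCache:
    """Minimal Known-HSTS-Host store, as a browser keeps it (RFC 6797 sections 5.1, 8.1)."""

    def __init__(self) -> None:
        self.entries: Dict[str, HstsEntry] = {}

    def observe(self, host: str, hsts_value: str, now: int) -> None:
        """Record the header a host sent over HTTPS; max-age=0 withdraws that host's own entry."""
        max_age, include_subdomains = parse_hsts(hsts_value)
        if max_age == 0:
            self.entries.pop(host, None)
            return
        self.entries[host] = HstsEntry(max_age, include_subdomains, now)

    def forces_https(self, host: str, now: int) -> bool:
        """True if this browser refuses plain HTTP for `host` at time `now`.

        The host itself matches its own entry; a superdomain's entry only
        matches when it carried includeSubDomains. Expired entries are ignored.
        """
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None or now - entry.received_at > entry.max_age:
                continue  # no policy for this name, or the policy has expired
            if candidate == host or entry.include_subdomains:
                return True
        return False


def lockout_demo() -> Dict[str, bool]:
    """Replay the thread's scenario: domain.com sends a 1-year policy with includeSubDomains."""
    cache = BrowserHstsCache()
    one_year = 365 * 24 * 3600
    cache.observe("domain.com", f"max-age={one_year}; includeSubDomains", now=0)
    return {
        "host.domain.com (no cert) one day later": cache.forces_https("host.domain.com", now=86400),
        "host.domain.com after max-age expires": cache.forces_https("host.domain.com", now=one_year + 1),
        "otherdomain.com": cache.forces_https("otherdomain.com", now=86400),
    }


if __name__ == "__main__":
    for label, forced in lockout_demo().items():
        print(f"{label}: {'forced to HTTPS' if forced else 'plain HTTP allowed'}")
    # Constructed response that only sets X-Frame-Options, as a default vhost might.
    print("missing:", missing_security_headers({"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}))
```

Running it shows `host.domain.com` forced to HTTPS for the whole year even though only `domain.com` ever sent the header, which is the self-inflicted denial of service the post describes. RFC 6797 does let a host withdraw its own entry by serving `max-age=0`, but only a browser that revisits `domain.com` over HTTPS receives that update; a visitor who only tries `host.domain.com` never does, so the cached policy stays in place until the visitor clears it or `max-age` runs out.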
  3. menister (New Member)

    Thank you very much eva!
     
  4. eva2000 (Administrator, Staff Member)

    You're welcome :)