What a great site! It consolidates weak servers for hackers to find more easily.

On Mon, Feb 8, 2021 at 11:00 AM Jason Long <hack3r...@yahoo.com.invalid>
wrote:

> Thank you for your useful information.
> I checked my server with "https://securityheaders.com/" and the result is:
> https://i.postimg.cc/SsBBtRsT/Header.png
>
> To solve the Content Security Policy issue, I added the line below to "httpd.conf":
> Header set Content-Security-Policy "default-src 'self';"
>
> But after that my web site's style got messed up! Why?
> How about "Permissions-Policy"?
>
> On Monday, February 8, 2021, 04:58:11 PM GMT+3:30, Dino Ciuffetti <
> d...@tuxweb.it> wrote:
>
> > Hello,
> > I scanned my Apache web server and the vulnerabilities below were discovered:
>
> There are many ways of solving those vulnerabilities. Most of them can be
> fixed by patching your applications.
>
> As a rule of thumb, your application should:
> - not use frames or iframes at all
> - use only HTTPS everywhere, and always redirect HTTP to HTTPS
> - disable anything you don't need (e.g. mod_perl, mod_php, etc.)
> - enable Strict-Transport-Security to force all traffic to HTTPS with no
> fallback to HTTP
> - not use cookies if possible, or set up your cookies with these
> attributes: secure; HostOnly; HttpOnly; SameSite=Lax
> - have CSP, Anti-CSRF tokens and Cache-Control headers and frameworks
> set directly by the application and not from Apache, if possible
>
> Please consider that enabling one or more countermeasures via the
> configuration file in httpd could make your applications stop working
> properly if they are not designed accordingly! Please double-check each of
> them and test them in your staging environment before setting them live in
> production.
>
> Also, you should be confident in all of them before running live, or
> strange things will happen to your applications and live debugging will be
> difficult.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org

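Added example, not part of the thread: a small Python model of how a browser evaluates a CSP fetch directive, showing why the `default-src 'self';` value from the thread blocks an inline `<style>` block and a stylesheet served from another host, and how an explicit `style-src` directive restores them. The page origin, the CDN host and the resource URLs are constructed values; the matcher is simplified (it ignores ports, paths and scheme upgrades in host-sources).

```python
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent: this is why a
# bare "default-src 'self'" also governs stylesheets, scripts and images.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src", "connect-src"}

def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy value into {directive: [source exprs]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allows(src: str, page_origin: str, resource: str) -> bool:
    """Simplified match of one source expression against a URL or 'inline'."""
    if resource == "inline":                # <style> block or style="..." attribute
        return src == "'unsafe-inline'"
    res = urlsplit(resource)
    if src == "'self'":                     # same scheme, host and port as the page
        return f"{res.scheme}://{res.netloc}" == page_origin
    if src.endswith(":") and "//" not in src:   # scheme-source such as https: or data:
        return res.scheme == src[:-1]
    host = src.split("://", 1)[-1].split("/", 1)[0]  # host-source; scheme, port, path ignored
    if host.startswith("*."):
        return res.hostname is not None and res.hostname.endswith(host[1:])
    return res.hostname == host

def csp_allows(policy: dict, directive: str, page_origin: str, resource: str) -> bool:
    """Would the browser let this fetch through under the parsed policy?"""
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:                     # no directive governs this fetch type
        return True
    if sources == ["'none'"]:
        return False
    return any(source_allows(s, page_origin, resource) for s in sources)

def blocked_resources(policy: dict, page_origin: str, page_resources: list) -> list:
    """(directive, resource) pairs the policy blocks, i.e. what 'messes up' the page."""
    return [(d, r) for d, r in page_resources if not csp_allows(policy, d, page_origin, r)]

# Constructed sample: a page on www.example.com with its own CSS, a CDN stylesheet,
# an inline <style> block and its own script.
PAGE_ORIGIN = "https://www.example.com"
PAGE_RESOURCES = [("style-src", "https://www.example.com/css/site.css"),
                  ("style-src", "https://cdn.example.com/bootstrap.min.css"),
                  ("style-src", "inline"), ("script-src", "https://www.example.com/js/app.js")]
```

Sending the same value in a Content-Security-Policy-Report-Only header first makes browsers report the violations without blocking anything, which is the kind of staging test the thread recommends.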