Website Security Analysis & Testing Tools
#11
@deanhills you can check the following article for the last three points: https://www.keycdn.com/blog/http-security-headers

Usually includes ways to enable them on Apache and Nginx. Other web servers... well they're not so common so you have to use Google.

For IIS on Windows (with screenshots): https://scotthelme.co.uk/hardening-your-...e-headers/


Basically you have to add the code from the articles into the vHost configuration of your website and then restart the web server or reload it. Not really more. Super simply on Nginx atleast.

CSP is a way to tell browsers from where content on the site should be allowed to be loaded and from where not. This way you can prevent that content such as CSS/Javascript and similar is loaded from sources that you don't trust. You have to be careful though. Wrong rules will destroy the site because they usually prevent loading of necessary theme files and Javascripts. It is a bit tricky to setup CSP and you have to keep it up to date when you add resources from additional sources/sites.

This site also explains how it works, what to do and so on with different web servers: https://content-security-policy.com/
#12
Thanks @HR. That keycdn blog article is a gem. I just glanced through it, and it's written in my novice language - I'll go through it in big detail tomorrow. Now it sounds doable. I've got both Apache and Nginx. I'm also going to check the VestaCP Panel Forum tomorrow just in case there are some docs lurking around there.

What makes it particularly clumsy is that I'm not the author of the script - like it's all WordPress and probably the VestaCP Panel. But there's always a way - so if I can wrap my brain cells around the basics, I'm sure it will lead me to a solution. Many thanks for the help and also this thread.




Users browsing this thread: 1 Guest(s)