Improvements after Mozilla’s Observatory results
Mozilla made their Observatory service public, which lets you check the security of websites. A first run resulted in an F for sebadorn.de. Following some of the suggestions I could improve that to a B-.
1. Redirect HTTP to HTTPS
Thanks to Let’s Encrypt I already offered HTTPS, but I didn't enforce it. Now visitors to http://sebadorn.de are redirected to https://sebadorn.de. I did so by adding the following rule to my .htaccess file:
```apache
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^sebadorn\.de [NC]
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://sebadorn.de/$1 [R,L]
</IfModule>
```
2. Add some more headers
```apache
<IfModule mod_headers.c>
    Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
    Header set Content-Security-Policy "frame-ancestors 'self'"
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-XSS-Protection "1; mode=block"
</IfModule>
```
- Set-Cookie: Cookies set by the site receive two additional attributes, HttpOnly and Secure. HttpOnly stops JavaScript from reading the cookie, and Secure restricts it to HTTPS connections. (Source)
- X-Content-Type-Options: Setting this header to nosniff tells browsers not to guess the MIME type of a response from its content, which can prevent some XSS attacks. (Source)
- X-Frame-Options: Setting this header to SAMEORIGIN or DENY prevents other sites from displaying the page in a frame, which defends against clickjacking. (Source)
- X-XSS-Protection: Setting this header to 1; mode=block tells browsers to try to detect reflected XSS attacks and, if one is found, stop loading the page. (Source)
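To verify that the redirect from section 1 and the headers from section 2 actually took effect, here is an added Python checker (my own example, not code from the post) that evaluates captured response headers against those expectations. The sample responses are constructed; the HTTPS origin sebadorn.de is taken from the post.

```python
# Expected values, taken from the .htaccess rules in the post (compared
# case-insensitively, as browsers do).
EXPECTED = {
    "x-content-type-options": ("nosniff",),
    "x-frame-options": ("sameorigin", "deny"),
    "x-xss-protection": ("1; mode=block",),
}


def check_headers(headers):
    """Return findings for a dict of lower-cased header names; Set-Cookie is a list."""
    findings = []
    for name, allowed in EXPECTED.items():
        got = headers.get(name)
        if got is None:
            findings.append(f"{name}: missing")
        elif got.strip().lower() not in allowed:
            findings.append(f"{name}: unexpected value {got!r}")
    if "frame-ancestors" not in headers.get("content-security-policy", ""):
        findings.append("content-security-policy: no frame-ancestors directive")
    for raw in headers.get("set-cookie", []):
        # Attributes follow the first ';'; their names are case-insensitive.
        attrs = {p.strip().split("=")[0].lower() for p in raw.split(";")[1:]}
        cookie_name = raw.split("=", 1)[0].strip()
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"set-cookie {cookie_name}: missing {flag}")
    return findings


def check_redirect(status, location):
    """Check that a plain-HTTP response redirects to the HTTPS origin.
    The post's RewriteRule uses [R] without a code, so Apache answers 302."""
    if status not in (301, 302, 307, 308):
        return f"no redirect (status {status})"
    if not (location or "").startswith("https://sebadorn.de/"):
        return f"redirect does not go to HTTPS origin: {location!r}"
    return None


# Constructed sample responses: before and after applying the post's rules.
BEFORE = {"set-cookie": ["session=abc123; Path=/"]}
AFTER = {
    "set-cookie": ["session=abc123; Path=/; HttpOnly; Secure"],
    "content-security-policy": "frame-ancestors 'self'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
}
```

Running `check_headers(BEFORE)` lists every missing header and cookie flag, while `check_headers(AFTER)` returns an empty list.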
Comments
Thanks again for the helpful post, and feel free to let us know if you have any feedback or questions!