-----Original Message-----
From: Eric Covener <covener@xxxxxxxxx>
Sent: 08 February 2021 13:13
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Which parameters must be set to solve these Vulnerabilities? [EXT]

On Mon, Feb 8, 2021 at 6:24 AM Jason Long <hack3rcon@xxxxxxxxx.invalid> wrote:
>
> Hello,
> I scanned my Apache web server and the vulnerabilities below were discovered:
>
> 1- Content Security Policy (CSP) Header Not Set

Read up about these and set an appropriate header

> 2- HTTP to HTTPS Insecure Transition in Form Post

Make sure you don't actively have an http:// request.... use HSTS headers....

> 3- Reverse Tabnabbing

Set rel=noopener

> 4- Source Code Disclosure - PHP

Make sure you make all PHP code be executed by the php handler and make sure you have got full PHP tags (<?php ) - rather than the short tag '<? '
Don't log errors to browser

> 5- Source Code Disclosure - Perl

Don't put perl in your htdocs directory - keep it outside
Don't log errors to browser

> 6- Sub Resource Integrity Attribute Missing

See 10

> 7- Absence of Anti-CSRF Tokens

Look at form code - you need to set a cookie and a hidden field in the form

> 8- Cookie No HttpOnly Flag

Add this to your cookie creation statement (note there may be some cases where it is impossible to set this - if you want the client to see this!)

> 9- Cookie Without SameSite Attribute

Add this to your cookie creation statement (note there may be some cases where it is impossible to set this - if you want the client to see this!) and specify exactly which sub-domain gets the cookie: not .mydomain.com but server.mydomain.com

> 10- Cross-Domain JavaScript Source File Inclusion

Don't. If you do - look at CSP and set "integrity" or only allow from certain sites...

> 11- Incomplete or No Cache-control and Pragma HTTP Header Set

Again look this up - there may be reasons why this isn't set - e.g.
> 12- Insufficient Site Isolation Against Spectre Vulnerability

Look at CORS

> 13- Strict-Transport-Security Header Not Set

Just set it again read docs...

>
> I'm thankful if anyone tells me which parameters and headers must be set and enabled in the Apache configuration.

I suggest searching the web for existing explanations/resources. You will also need to address most of these with an understanding of your content.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

--
The Wellcome Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.
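The header and handler settings the reply above points at, collected into one Apache 2.4 virtual host. This is an added example and is not part of the original thread or of httpd's own documentation; the hostname, filesystem paths and the php-fpm socket path are placeholder assumptions, and the numbered comments refer to the scanner findings in the quoted list.

```apache
# Added example, not from the list reply: Apache 2.4 mitigations for the scanner findings.
# Assumes mod_headers, mod_proxy_fcgi, mod_alias and mod_ssl are loaded.
# server.example.com, /var/www/example/... and the php-fpm socket are placeholders.
<VirtualHost *:443>
    ServerName server.example.com
    DocumentRoot /var/www/example/htdocs
    SSLEngine on
    # certificate directives omitted here

    # 13 / 2: HSTS. Send it only from the HTTPS vhost; add includeSubDomains
    # only once every subdomain is known to serve TLS, because browsers cache it.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # 1 / 10: CSP. Start restrictive and widen per resource the site really loads;
    # script-src 'self' already blocks cross-domain script inclusion, and
    # upgrade-insecure-requests rewrites stray http:// subresource URLs.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests"

    # 11: no-store only where responses are per-user; static assets keep their own caching.
    <LocationMatch "^/(account|login)">
        Header always set Cache-Control "no-store, no-cache, must-revalidate"
        Header always set Pragma "no-cache"
    </LocationMatch>

    # 8 / 9: safety net for cookies the application emits without the flags.
    # Setting them in the application is preferable; each edit appends a flag only
    # when the Set-Cookie value does not already carry it (PCRE negative lookahead).
    Header always edit Set-Cookie "(?i)^((?:(?!;\s*HttpOnly).)+)$" "$1; HttpOnly"
    Header always edit Set-Cookie "(?i)^((?:(?!;\s*Secure).)+)$" "$1; Secure"
    Header always edit Set-Cookie "(?i)^((?:(?!;\s*SameSite=).)+)$" "$1; SameSite=Lax"

    # 12: the reply says "look at CORS"; the isolation headers scanners check for
    # this finding are the cross-origin opener/resource policies.
    Header always set Cross-Origin-Opener-Policy "same-origin"
    Header always set Cross-Origin-Resource-Policy "same-origin"

    # 4: .php is only ever handed to the PHP handler, never served as a static file,
    # and backup or source-highlight variants are refused outright.
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/php-fpm.sock|fcgi://localhost"
    </FilesMatch>
    <FilesMatch "\.(phps|inc|bak|orig|php~)$">
        Require all denied
    </FilesMatch>
    # "Don't log errors to browser": with php-fpm set display_errors = Off in the pool
    # or php.ini; with mod_php the equivalent is `php_admin_flag display_errors Off`.

    # 5: Perl CGI lives outside DocumentRoot and is reachable only through ScriptAlias,
    # so a misconfigured handler can never expose it as text.
    ScriptAlias /cgi-bin/ /var/www/example/cgi-bin/
    <Directory /var/www/example/cgi-bin>
        Require all granted
    </Directory>
</VirtualHost>

# 2: the plain-HTTP vhost exists only to redirect, so no form is ever served or posted over http://.
<VirtualHost *:80>
    ServerName server.example.com
    Redirect permanent / https://server.example.com/
</VirtualHost>
```

Findings 3, 6 and 7 (rel=noopener, the integrity attribute, CSRF tokens) are markup and application changes rather than server configuration, which is why they do not appear above. After a reload, `curl -sI https://server.example.com/login` shows whether each header is actually emitted; the `always` condition matters because without it mod_headers skips non-2xx responses such as the login redirect.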