Thank you for your useful information.
I checked my server with "https://securityheaders.com/" and result is:
https://i.postimg.cc/SsBBtRsT/Header.png
To solve the Content Security Policy, I added below line to "httpd.conf":
Header set Content-Security-Policy "default-src 'self';"
But after it my web site style messed up! Why?
How about "Permissions-Policy" ?
On Monday, February 8, 2021, 04:58:11 PM GMT+3:30, Dino Ciuffetti <dino@xxxxxxxxx> wrote:
> Hello,
> I scanned my Apache web server and below Vulnerabilities discovered:
There are many ways of solving those vulnerabilities. Most of them can be fixed patching your
applications.
As rule of thumb, your application should:
- not use frames or iframes at all
- use only HTTPS everywhere, always redirect HTTP to HTTPS
- disable anything you don't need (eg mod_perl, mod_php, etc)
- enable Strict-Transport-Security to force all traffic to HTTPS with no failback to HTTP
- don't use cookies if possible, or setup your cookies with those attributes: secure; HostOnly; HttpOnly;
SameSite=Lax
- CSP, Anti-CSRF Tokens and Cache-control headers and frameworks should be setted directly by your application and not from apache, if possible
Please consider that enabling one or more countermeasures via configuration file in httpd could make your applications stop working properly if they are not designed accordingly! Please double check any of them and test them in your staging environment before setting them live for production.
Also you should be well confident in all of them before running live, or strange things will happen to your applications and your live debug will be difficult.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx