
Strengthening Your Web Apps: A Guide to HTTP Security Headers

There is a set of standard HTTP headers that every website should ideally set to provide a basic level of security. This note discusses those headers and how to set them on sites deployed on Netlify.

Common security headers

First, let's consider the basic HTTP headers: they apply to all responses and provide a baseline level of security.

The Content-Security-Policy header helps protect your website from cross-site scripting attacks by listing the sources from which content may be loaded. Any content that does not match these rules is blocked by the browser. Setting this header may seem complicated, so if you want to delve into the topic, visit the official website. Example usage (host sources are written unquoted; in CSP, quotes are reserved for keywords such as 'none' and 'unsafe-inline'):

Content-Security-Policy: default-src https://example.com; script-src 'unsafe-inline' https://example.com; style-src 'unsafe-inline' https://example.com; object-src 'none'

The X-Frame-Options header tells the brow

vim /etc/apache2/sites-enabled/default-ssl.conf

Apache base virtual host file (the default SSL configuration). Edit /etc/apache2/sites-enabled/default-ssl.conf:

    <IfModule mod_ssl.c>
        <VirtualHost xxx.xx.xxx.xxx:443>
            ServerName jobsite.com
            ServerAlias *.jobsite.com
            LogLevel debug
            ErrorLog /var/log/apache2/jobsite_com_error.log
            CustomLog /var/log/apache2/jobsite_com_custom.log combined

            SSLEngine on
            SSLCertificateFile /etc/ssl/jobsite_com/jobsite_com.crt
            SSLCertificateKeyFile /etc/ssl/jobsite_com/jobsite_com.key
            # SSLCertificateChainFile /etc/ssl/jobsite_com/intermediate.crt

            RewriteEngine On
            RewriteCond %{HTTPS} off [OR]
            RewriteCond %{HTTP_HOST} ^jobsite\.com [NC,OR]
            RewriteCond %{SERVER_NAME} xxx.xx.xxx.xxx
            RewriteRule /(.*) https://www.jobsite.com/$1 [R=301,L]

            RewriteCond %{HTTPS} off
            RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

            LimitRequestBody 31457