
Better configure the site for improved security #10

Open
hnarayanan opened this issue Mar 15, 2016 · 5 comments
Comments

@hnarayanan
Owner

Particularly to improve the site's rating at: https://securityheaders.io

@hnarayanan hnarayanan self-assigned this Mar 15, 2016
@hnarayanan
Owner Author

server {
    ssl_session_tickets off;
}

@hnarayanan
Owner Author

Improve the security of the certificates generated by Let's Encrypt:

security:
  Security parameters & server settings

  --rsa-key-size N      Size of the RSA key. (default: 2048)
  --must-staple         Adds the OCSP Must Staple extension to the
                        certificate. Autoconfigures OCSP Stapling for
                        supported setups (Apache version >= 2.3.3 ). (default:
                        False)
  --redirect            Automatically redirect all HTTP traffic to HTTPS for
                        the newly authenticated vhost. (default: Ask)
  --no-redirect         Do not automatically redirect all HTTP traffic to
                        HTTPS for the newly authenticated vhost. (default:
                        Ask)
  --hsts                Add the Strict-Transport-Security header to every HTTP
                        response. Forcing browser to always use SSL for the
                        domain. Defends against SSL Stripping. (default:
                        False)
  --uir                 Add the "Content-Security-Policy: upgrade-insecure-
                        requests" header to every HTTP response. Forcing the
                        browser to use https:// for every http:// resource.
                        (default: None)
  --staple-ocsp         Enables OCSP Stapling. A valid OCSP response is
                        stapled to the certificate that the server offers
                        during TLS. (default: None)
  --strict-permissions  Require that all configuration files are owned by the
                        current user; only needed if your config is somewhere
                        unsafe like /tmp/ (default: False)

@hnarayanan hnarayanan changed the title Improve nginx security configuration Better configure the site for improved security Oct 15, 2017
@hnarayanan
Owner Author

  • Consider making the nginx configuration more DRY by re-using a generated snippet from Let's Encrypt: options-ssl-nginx.conf
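The pieces discussed across this thread (the `ssl_session_tickets off` suggestion, the headers and OCSP stapling that certbot's `--hsts`, `--uir` and `--staple-ocsp` flags stand for, and the `options-ssl-nginx.conf` include) pulled together in one nginx server block. This is an added example, not the repository's own configuration; the domain `example.com`, the `/etc/letsencrypt/...` paths and the `/var/www/example.com` root are placeholders, and the CSP is a minimal starting point that a real site would have to widen for its own assets.

```nginx
# Added example (not the project's config): a hardened nginx server block
# covering the settings discussed in this issue. example.com and the paths
# below are placeholders.
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Certbot-generated protocol/cipher settings; including the snippet keeps
    # this block DRY, as suggested in the last comment.
    include /etc/letsencrypt/options-ssl-nginx.conf;

    # Session tickets are encrypted with one server-wide key; without key
    # rotation that weakens forward secrecy, so turn them off (the setting
    # suggested earlier in this thread).
    ssl_session_tickets off;

    # OCSP stapling: nginx fetches the OCSP response and attaches it to the
    # TLS handshake. ssl_trusted_certificate is needed for ssl_stapling_verify,
    # and a resolver is needed so nginx can look up the OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 127.0.0.1 valid=300s;

    # Response headers that securityheaders.io checks for. "always" makes
    # nginx send them on error responses too. Caveat: add_header directives
    # are NOT inherited into a nested location block that declares its own
    # add_header, so repeat them there (or put them in an included snippet).
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'; upgrade-insecure-requests" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    root /var/www/example.com;
}

# Redirect plain HTTP to HTTPS (what certbot's --redirect flag configures).
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

After reloading nginx, `curl -sI https://example.com` shows whether the headers are actually emitted, and `openssl s_client -connect example.com:443 -status` shows whether a stapled OCSP response is being sent; both are worth checking before trusting the securityheaders.io score, since the add_header inheritance rule noted in the comments is an easy way to lose headers on individual locations.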
