secure header report and best practices config for Apache, Nginx, lighttpd, Cloudflare, netlify

benyaminsalimi/Secure-Headers

Secure-Headers

Attention: this repository is not ready to use; I'm trying to get it ready in my free time.

Pull requests are always welcome :)

Why secure headers?

Do not copy and paste the config from this repo blindly, especially if you run a custom web application: our examples may break your software. Read these articles first.

Header scanner

Report script

python report.py -h  # help
python report.py -u <url> -o <output filename> -l <target list filename>
python report.py -u https://facebook.com -o FBreport  # check one site
python report.py -l input.text -o report  # check every site in a list file

Best practices

How to add headers in Apache, nginx and lighttpd

Apache needs mod_headers. Header set only applies to successful (2xx) responses; use Header always set when the header must also be present on redirects and error pages, as the HSTS example below does. In nginx, add_header directives in a server or location block replace the ones inherited from the enclosing level rather than adding to them, so repeat the complete set at every level where you add one, and append the always parameter (nginx 1.7.5 and later) to send the header on error responses as well. lighttpd needs mod_setenv, and a second setenv.add-response-header = assignment overwrites the first, so list all headers in one array or append with +=.

  • X-Frame-Options

    • apache

    Header set X-Frame-Options "DENY"

    • nginx

    add_header X-Frame-Options "DENY";

    • lighttpd

    setenv.add-response-header = ("X-Frame-Options" => "DENY",)

  • X-XSS-Protection

    Legacy header: Firefox never implemented the filter, and Chrome (78 and later) and Edge have removed it, so most current browsers ignore the value below. The filter itself could be abused for cross-site leaks, which is why OWASP now recommends sending X-XSS-Protection: 0 (or no header at all) and relying on Content-Security-Policy instead; keep the value below only for old browsers.

    • apache

    Header set X-XSS-Protection "1; mode=block"

    • nginx

    add_header X-XSS-Protection "1; mode=block";

    • lighttpd

    setenv.add-response-header = ("X-XSS-Protection" => "1; mode=block",)

  • X-Content-Type-Options

    • apache

    Header set X-Content-Type-Options "nosniff"

    • nginx

    add_header X-Content-Type-Options "nosniff";

    • lighttpd

    setenv.add-response-header = ("X-Content-Type-Options" => "nosniff",)

  • Content-Security-Policy

    This policy only restricts where scripts and plugins may be loaded from. Because it sets no default-src, images, styles, frames and connections stay unrestricted, and it does nothing against framing (add frame-ancestors for that). object-src 'none' is the usual recommendation unless you really serve plugin content. Roll a new policy out as Content-Security-Policy-Report-Only first and read the violation reports, because a too-strict policy silently breaks the page.

    • apache

    Header set Content-Security-Policy "script-src 'self'; object-src 'self'"

    • nginx

    add_header Content-Security-Policy "script-src 'self'; object-src 'self'";

    • lighttpd

    setenv.add-response-header = ("Content-Security-Policy" => "script-src 'self'; object-src 'self'",)

  • Strict-Transport-Security

    Send this from the HTTPS virtual host only (browsers ignore it over plain HTTP), and only once every subdomain is reachable over HTTPS: includeSubDomains makes browsers refuse plain-HTTP connections to all of them for max-age seconds. 15768000 seconds is about six months; the HSTS preload list requires a max-age of at least 31536000 (one year) together with includeSubDomains and a preload token. The directive name is case-insensitive, but the canonical spelling is includeSubDomains.

    • apache

    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

    • nginx

    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

    • lighttpd

    setenv.add-response-header = ("Strict-Transport-Security" => "max-age=15768000; includeSubDomains",)

  • Referrer-Policy

    no-referrer also strips the Referer from same-origin requests, which breaks applications that use it for CSRF origin checks or analytics; strict-origin-when-cross-origin, the browsers' default, sends only the origin cross-origin and is the usual compromise.

    • apache

    Header set Referrer-Policy "no-referrer"

    • nginx

    add_header Referrer-Policy "no-referrer";

    • lighttpd

    setenv.add-response-header = ("Referrer-Policy" => "no-referrer",)

  • Feature-Policy

    Feature-Policy has been renamed Permissions-Policy, which uses a different syntax (feature=() instead of feature 'none'); Chrome 88 and later read Permissions-Policy and still parse Feature-Policy as deprecated, so send both during the transition. The values below disable the listed features for the page and for every frame it embeds.

    • apache

    Header set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"

    • nginx

    add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";

    • lighttpd

    setenv.add-response-header = ("Feature-Policy" => "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'",)

Optional

  • Clear-Site-Data

    Clear-Site-Data tells the browser to wipe the listed storage types for the origin and is honoured only over HTTPS. The directive names are quoted strings, so the header must arrive as Clear-Site-Data: "cache" with the quotes included; the configs below escape them accordingly. Send it only from the response that should trigger the clearing (typically logout), not site-wide: on every response it would drop the cache on each request, and "cookies" or "*" would log the user out.

    • apache: add the following to your VirtualHost.

    Header set Clear-Site-Data "\"cache\""

    • nginx: add the snippet below to your configuration file.

    add_header Clear-Site-Data '"cache"';

    • lighttpd: add the snippet below to your configuration file.

    setenv.add-response-header = ("Clear-Site-Data" => "\"cache\"",)
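The checks behind the report script above and the per-server directives from the how-to, combined in one added Python example (this is not the repository's report.py): it audits a header set against the values listed on this page, parsing Strict-Transport-Security and Content-Security-Policy into directives instead of string-matching them, and renders the equivalent Apache, nginx and lighttpd lines. Permissions-Policy (the successor of Feature-Policy), the always parameter and lighttpd's += form are this example's assumptions, and the sample response headers are constructed.

```python
"""Audit HTTP response headers against the values recommended above and render the
matching Apache, nginx and lighttpd directives.  Added example for this README, not
the repository's report.py; Permissions-Policy (the successor of Feature-Policy) is
an assumption and the sample response at the bottom is constructed."""
import re

MIN_HSTS_MAX_AGE = 15768000  # the README's value, about six months
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}
RECOMMENDED = {  # header -> value, as listed in the sections above
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "script-src 'self'; object-src 'self'",
    "Strict-Transport-Security": "max-age=15768000; includeSubDomains",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",  # assumed
}

def directives(value):
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': ''};
    CSP-style "script-src 'self'" splits the same way (name lower-cased, argument kept)."""
    out = {}
    for part in value.split(";"):
        m = re.match(r"\s*([\w-]+)\s*=?\s*(.*?)\s*$", part)
        if m:
            out[m.group(1).lower()] = m.group(2)
    return out

def _simple(value, accepted, reason):
    """'missing', 'ok' or 'weak: <reason>' for headers judged by their value alone."""
    if value is None:
        return "missing"
    return "ok" if value.strip().lower() in accepted else f"weak: {reason}"

def audit_headers(headers):
    """Return {header: finding} for a response-header mapping (header names in any case)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    f = {"X-Frame-Options": _simple(h.get("x-frame-options"), {"deny", "sameorigin"},
                                    "use DENY or SAMEORIGIN; ALLOW-FROM is ignored by current browsers"),
         "X-Content-Type-Options": _simple(h.get("x-content-type-options"), {"nosniff"},
                                           "value must be nosniff")}
    csp = h.get("content-security-policy")
    if csp is None:
        f["Content-Security-Policy"] = "missing"
    else:
        d = directives(csp)
        script = d.get("script-src", d.get("default-src"))  # default-src is the fallback
        if script is None:
            f["Content-Security-Policy"] = "weak: no script-src or default-src, scripts are unrestricted"
        elif "'unsafe-inline'" in script:
            f["Content-Security-Policy"] = "weak: 'unsafe-inline' in script-src defeats the XSS protection"
        elif "object-src" not in d and "default-src" not in d:
            f["Content-Security-Policy"] = "weak: object-src is unrestricted, plugins can run"
        else:
            f["Content-Security-Policy"] = "ok"
    hsts = h.get("strict-transport-security")
    if hsts is None:
        f["Strict-Transport-Security"] = "missing"
    else:
        d = directives(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < MIN_HSTS_MAX_AGE:
            f["Strict-Transport-Security"] = f"weak: max-age={max_age} is below {MIN_HSTS_MAX_AGE}"
        elif "includesubdomains" not in d:
            f["Strict-Transport-Security"] = "weak: includeSubDomains missing, subdomains stay reachable over http"
        else:
            f["Strict-Transport-Security"] = "ok"
    rp = h.get("referrer-policy")  # may list fallbacks; the last recognised policy wins
    f["Referrer-Policy"] = _simple(rp and rp.split(",")[-1], SAFE_REFERRER,
                                   "policy can leak referrer data cross-origin or on https->http downgrades")
    xss = h.get("x-xss-protection")
    f["X-XSS-Protection"] = ("ok" if xss is None or xss.split(";")[0].strip() == "0" else
                             "legacy: current browsers ignore this filter; OWASP recommends 0 plus a CSP")
    f["Permissions-Policy"] = ("ok" if "permissions-policy" in h else
                               "weak: only the deprecated Feature-Policy header is set" if "feature-policy" in h
                               else "missing")
    return f

def render_directive(server, header, value):
    """One directive for 'apache', 'nginx' or 'lighttpd'.  'always' also sends the header on
    error responses; lighttpd's '+=' appends to the array instead of replacing earlier entries."""
    templates = {"apache": 'Header always set {h} "{v}"',
                 "nginx": 'add_header {h} "{v}" always;',
                 "lighttpd": 'setenv.add-response-header += ("{h}" => "{v}")'}
    return templates[server].format(h=header, v=value)

def recommended_config(server):
    """All recommended headers as directive lines for one server."""
    return [render_directive(server, k, v) for k, v in RECOMMENDED.items()]

# Constructed sample response for a site that has only partly applied the advice above.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Feature-Policy": "camera 'none'",
}
```

audit_headers(SAMPLE_HEADERS) flags the short HSTS max-age, the 'unsafe-inline' script source, the missing nosniff, the leaky referrer policy, the legacy X-XSS-Protection and the Feature-Policy-only permissions, while audit_headers(RECOMMENDED) reports every header as ok; recommended_config("nginx") prints the directive block to paste into the server context.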

best practices example config

SSL

TODO

  • add netlify.com secure headers best practice
  • add Cloudflare Workers custom headers config and best practice
  • add lighttpd and apache secure config
  • add CSV export to report script
  • add secure header suggestions to report script
  • add web server config generation to report script
  • add a simple intro document explaining secure headers in plain language
  • add a Persian document! (if anyone wants it)