Seth Barrett

Daily Blog Post: January 5th, 2023


Improving the Security of My Nginx Webserver
Web Server Security Test

For my personal and professional blog, I wanted to make sure that my nginx webserver was secure. To do this, I ran a security test from ImmuniWeb, found here. The scan reported several findings that needed attention, including issues with my website's GDPR compliance, PCI DSS compliance, and HTTP header security.

GDPR Compliance Test

To fix the GDPR compliance issues, I added a privacy policy html page and inserted it into the footers of all my pages. I also made sure to outline that we do not collect personally identifiable information or use cookies.

PCI DSS Compliance Test

In the PCI DSS Compliance Test, it was noted that my website's CMS could not be reliably fingerprinted and that I should make sure it is up to date. Additionally, it was recommended that I implement a web application firewall (WAF) to protect against common web attacks.

My website does not use a web-based content management system, so the CMS recommendation does not apply. For the firewall, I am currently using UFW, which is a host-level packet filter rather than a WAF. I am planning on setting up a VLAN with an OpenBSD server to act as my WAF in order to further improve the security of my website. Ensuring that my website is compliant with PCI DSS standards and has a strong firewall is an important step in protecting it against potential threats.

HTTP Headers Security Test

In the HTTP Headers Security Test, it was recommended that I implement strict-transport-security, X-Frame-Options, and X-Content-Type-Options to improve the security of my website.

To fix strict-transport-security, I added the following code to my nginx config located at /etc/nginx/nginx.conf to enable HTTP Strict Transport Security (HSTS):

    # inside the server { } block of /etc/nginx/nginx.conf
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        root /usr/share/nginx/html;
    }

    location /servlet {
        add_header X-Served-By "My Servlet Handler";
        # add_header directives from the enclosing level are not inherited once a
        # location declares its own, so HSTS has to be repeated here
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        proxy_pass http://localhost:8080;
    }

This included adding a Strict-Transport-Security header at the server level of my config and redeclaring it in the second location block. The redeclaration is needed because nginx does not inherit add_header directives into a location block that sets any add_header of its own; without it, responses from /servlet would carry X-Served-By but no HSTS header.

To fix X-Frame-Options, I added the following code to /etc/nginx/sites-available/default to hide the header:

    proxy_hide_header X-Frame-Options;

To fix X-Content-Type-Options, I added the following code to my nginx config located at /etc/nginx/nginx.conf with a value of "nosniff":

    add_header X-Content-Type-Options "nosniff";

Enabling these HTTP headers helps to protect my website and its users against potential threats and improve overall security.

Content Security Policy Test

In the Content Security Policy Test, it was noted that the CONTENT-SECURITY-POLICY and CONTENT-SECURITY-POLICY-REPORT-ONLY headers were not being sent by the server.

To fix this issue, I added the following code to /etc/nginx/nginx.conf to enable the Content Security Policy (CSP) for my website:

    add_header Content-Security-Policy "default-src 'self';" always;

Implementing a CSP helps to protect my website and its users from potential threats by defining a set of rules for the browser to follow when loading resources. This helps to prevent malicious attacks such as cross-site scripting and clickjacking. Ensuring that my website has a strong CSP is an important step in improving its overall security.
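Rather than waiting on an online scanner after every config change, the four headers covered above can be checked locally from a captured response head. The script below is an added example, not code from the original post: it parses raw `curl -sI` style output and reports which headers are missing or weaker than the values the post configures. The BEFORE and AFTER responses are constructed samples.

```python
"""Audit a captured HTTP response head for the headers the post configures.
Added example, not from the original post: paste in `curl -sI <url>` output."""
import re

MIN_HSTS_AGE = 31536000  # one year, the max-age the post sets


def parse_headers(raw: str) -> dict:
    """Parse a raw response head into {lowercased-name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        # join duplicates so a second add_header is not silently dropped
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit_headers(raw: str) -> list:
    """Return findings for missing/weak headers; empty list means all passed."""
    h = parse_headers(raw)
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("Strict-Transport-Security max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    return findings


# Constructed sample responses: before the fixes and after them.
BEFORE = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
         "X-Frame-Options: SAMEORIGIN\r\n"
         "X-Content-Type-Options: nosniff\r\n"
         "Content-Security-Policy: default-src 'self';\r\n\r\n")

if __name__ == "__main__":
    print(audit_headers(BEFORE), audit_headers(AFTER))
```

Note that the X-Frame-Options check expects the header to be present with DENY or SAMEORIGIN, so a server that only strips the upstream's header will still be flagged.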

In this blog post, I discussed the steps I took to improve the security of my nginx webserver. This included fixing vulnerabilities related to GDPR compliance, PCI DSS compliance, HTTP headers security, and Content Security Policy. By taking these steps, I was able to better protect my website and its users against potential threats and improve its overall security. It is important for all website owners to take steps to ensure the security of their websites and protect their users.