With the growing use of cloud technologies by companies and individuals, it is becoming ever important to understand and implement enhanced security measures for serving web content. This is necessary to not only protect yourself and your companies intellectual property, but your users and their data as well. In this post, we will look at some of the common best practices and tools to keep your website safe from the newest vulnerabilities and attack surfaces. In doing so, you will enjoy peace of mind that your content is optimized to deliver the best experience possible.
HTTPS - Use it, Enforce it
HTTPS, or HTTP over TLS, enables an encrypted connection between a client and the remote server. The security benefits are that any data transferred over the bidirectional connection will not be vulnerable to snooping or man in the middle attacks. Enabling website encryption is required for proper PCI compliance of a company. So depending on the data you are collecting from users, you must enable encryption to be up to code with regulations in your place of residence.
It's Never Been Easier
Setting up TLS, or SSL as known by its predecessor, has never been easier as many automated solutions exist for managing and auto-renewing certificates. For example, Let's Encrypt, AWS Certificate Manager, and offerings from Cloudflare exist to help manage the creation of certificates for you automatically.
There are secondary benefits to using HTTPS as well. Google has announced that secure websites will receive higher page rank than their insecure counterparts. Your site will receive less traffic, will be trusted less, and will be referred to less compared with similar sites with end-to-end encryption enforced. As a marketing agency, your content will be diminished by not using encryption as web security is a prominent factor in determining SEO.
In addition, with the advent of HTTP2 in which all browsers requires SSL to be enabled to use, there are now performance benefits for enabling encryption. HTTP2 offers multiplexing of connections to offer faster and more efficient load times compared with version one of HTTP.
Web Server Encryption
Some encryption is stronger than others. As computational power increases, a need for better encryption techniques has presented itself. In this section, we will look at tools and methods for making sure your website is up to date with the latest encryption ciphers and algorithms.
Cipher suites are the algorithms which are used during initial communication and play a vital role in the overall ranking of strength of encryption. As such, it is important to always update the libraries and processes used for web hosting, such as Nginx and OpenSSL, in order to take advantage of newer algorithms.
A web server can decide which ciphers to allow communication using in its configuration. That being said, a balance must be struck between allowing less strong ciphers as not all browsers and platforms support the latest and greatest techniques. Security/Server Side TLS by Mozilla is a great article on cipher suites and which to choose based on compatibility with different browsers and devices.
A modern profile might consider the follow:
Ciphersuites: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 Versions: TLSv1.2 TLS curves: prime256v1, secp384r1, secp521r1 Certificate type: ECDSA Certificate curve: prime256v1, secp384r1, secp521r1 Certificate signature: sha256WithRSAEncryption, ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512 RSA key size: 2048 (if not ecdsa) DH Parameter size: None (disabled entirely) ECDH Parameter size: 256 HSTS: max-age=15768000 Certificate switching: None
End-to-end encryption using TLS allows a secure channel between the user and server, but how do we ensure that the content and third party included on our website are what we expect? In this section we will look at more advanced techniques to ensure content injection and hijacking does not take place on our web services.
There exists a subset of HTTP headers a web administrator can use to help prevent unauthorized usage of web content. These headers are used by the browser to hint at what is to be expected on a website and any deviation of the rules should not be loaded. In this section, we will look at these headers and how they can be used to help secure your website.
Content Security Policy
The Content-Security-Policy header can be used to prevent Cross-Site Scripting attacks. These attacks inject external scripts or pages onto your site in order to gather sensitive information from users. The CSP header allows defining where content, images, and scripts should be allowed to load from on a given webpage. In addition, a uri can be defined so that any violations will be reported to the operator.
Content-Security-Policy: default-src 'self'; report-uri http://reportcollector.example.com/collector.cgi
The X-Frame-Options header is used to determine whether your webpage can be embedded in another webpage. A common phishing technique is to use an iframe to load another website within the parent. Thus making it look like another website allowing the attacker to gather sensitive information. This header will tell a browser which domains are allowed to embed or not allow it at all.
X-Frame-Options: allow-from https://example.com/
The X-XSS-Protection header is similar to Content Security Policy which helps prevent cross-site attacks. It determines what actions to do when an attack is found from the context of a web browser.
X-XSS-Protection: 1; mode=block
The Referrer-Policy header can be used to restrict what information is sent from a browser when leaving your website. A web browser will include the full url of the website it had just visited prior to navigating to any other page on the web. With this header, you can ask to restrict the conditions and values the browser should send this information.
Online Domain Analyzers and Tools
The following tools are invaluable for a web hosting platform to check the ranking and correctness of the security being used.
- The SSLLabs analyzer offers an extensive free utility to test the encryption rating of a domain.
- The Security Headers analyzer can be used to verify a domains usage of HTTP security headers.
- Mozilla SSL Configuration Generator can be used to generate configuration based on several profiles of browser support for many different web servers.
- SSLShopper ssl checker is a utility which checks the correctness of ordering of a domains certificate chain.
- Sectigo crt.sh provides a way of historically searching for certificates provided by certificate authorities.
The final security attribute we will talk about today is the Subresource Integrity. This HTML attribute allows us to provide a hash on certain HTML elements, such as script and style tags. Doing so will tell the browser that the content loaded from the resource should match what is expected on the page. Any deviation will prevent the browser from including the content on the page thus adding an additional layer of protection for our users.
<script src="https://example.com/example-framework.js" integrity="sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7" crossorigin="anonymous"></script>
Hopefully now we have learned how to make our website more secure and our users safer. There is a sense in pride when using the above tools and all of the validation tests have turned green showing our success. Even if our users are none the wiser, we can pat ourselves on the back knowing that we are taking the right steps to making the internet a safer place.