How to Get A+ with ImmuniWeb Website Security Test

Key Dutch
Key Dutch
Mar 26 · 7 min read

Among dozens of website security tests, the one from ImmuniWeb really stands out. First of all, in terms of functionality, it leaves the competitors far behind. And yes, it is absolutely free. Today we will tell you how this tool tests your site for security and, most importantly, how to get the highest A+ security rating for your website.

Paypal got A+. Very secure online payment.

ImmuniWeb Website Security Test is an online tool that allows you to ensure that your web application environment is properly secured. It performs a series of non-intrusive tests that check if your web server configuration follows the best security practices and meets compliance requirements for PCI DSS and GDPR.

This website security test will help system administrators and website developers to launch secure web applications. It checks the configuration of your web server, analyzes your web application firewall (if any) and content management system, its configuration and deployment. In the result rates its security from F (lowest) to A+ (highest).

So let’s have a look at how ImmuniWeb tests website security and what measures you should take to obtain the highest possible A+ security rating.

Web Server Configuration

Configuration of your web server is as important as having your CMS up to date. Properly set HTTP headers can help protect your CMS against a variety of attacks, including zero-day vulnerabilities in your web applications.

HTTP Methods

Web application relies on HTTP methods when processing user-supplied input data. It is recommended to allow only methods that are used by your web application. Also, a web server may expose sensitive information via HEAD, OPTIONS, TRACE, and TRACK methods that should be also disabled if not used by the web application.

HTTP Response Headers

There is a number of HTTP response headers that can improve the overall security of your web application, protecting your users from XSS, CSRF, and clickjacking attacks. Just by properly configuring your server it is possible to mitigate these security issues even if they exist in the web application.

HTTP headers analysis

ImmuniWeb Website Security Test checks for the following HTTP response headers:

Server
A default server header that advertises a web server. It is recommended to totally remove this header from your server response. If for some reason this is impossible, then at least the software version should be hidden.

Strict-Transport-Security (also known as HSTS)
This header ensures that the website is accessible over HTTS and HSTS is applied.

X-Frame-Options
The X-Frame-Options header instructs the user’s browser whether the website can be loaded into a frame, iframe, embedded or object HTML tags. This browser feature may allow an attacker to perform a clickjacking attack by loading the contents of your website on a third-party domain.

X-Powered-By
A header that displays the current version of supported technology or content management system. It is advised to always remove this response header.

X-Content-Type-Options
This header instructs the client’s browser on how to treat content, shipped by the webserver based on its MIME type and blocks requests with to files with dangerous MIME types.

X-XSS-Protection
This header as it says in its name is aimed to protect your website visitors against cross-site scripting vulnerabilities that might be present in your web application.

X-AspNet-Version
Reports ASP.NET version in use. Applicable only to a web server that serves ASP.NET content.

Content-Security-Policy (also known as CSP)
CSP is an additional security layer that prevents certain types of attacks, such as XSS and data injections by instructing the browser from which sources the website content is allowed to be loaded.

Expect-CT
This HTTP response header helps to prevent the usage of wrong certificates.

Referrer-Policy
This header controls the volume of information shared via the Referrer HTTP header.

Feature-Policy
This header instructs a browser on the usage of browser features in its own frame/iframe.

Web Application Firewall

Web application firewall must be installed and configured to block malicious requests. There are many WAF vendors and SaaS solutions that can help you protect your web application against malicious activities.

WAF presence

Below is a list of 10 most popular Web Application Firewall vendors with links to configuration instructions:

  1. Amazon
  2. Azure
  3. Barracuda
  4. Google Cloud Armor
  5. Cloudflare
  6. F5 Networks
  7. Fortinet
  8. Imperva
  9. ModeSecurity
  10. Qualys

Note, if your WAF is not blocking malicious requests, it will not be detected by Website security test.

Hardening Microsoft IIS

Configuring HTTP methods

When configuring Microsoft IIS, you have to remember that the web server does not allow you to whitelist the necessary methods only. The server configuration logic allows you to list all methods and precisely allows or denies them. An example of good configuration would look something like this in the Request Filtering feature:

Configuring HTTP Response headers

To configure HTTP response headers in Microsoft IIS, the HTTP Response Headers feature is used.

Hardening nginx

Configuring HTTP methods

For nginx it is possible to use the following configuration to allow only certain HTTP GET and HTTP POST methods:

if ($request_method !~ ^(GET|POST)$ )
{
return 405;
}

Configuring HTTP Response headers

add_header Content-Security-Policy "default-src 'self';";
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Referrer-Policy 'strict-origin';
add_header Feature-Policy "microphone 'none'; geolocation 'none'";
add_header Expect-CT "max-age=86400";
add_header Referrer-Policy 'strict-origin';

Hardening Apache HTTP Server

Configuring HTTP methods

The following rewrite rule can ensure that only HTTP GET and HTTP POST methods are allowed:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^GET [AND]
RewriteCond %{REQUEST_METHOD} !^POST
RewriteRule .* /yourerrordocuments/405.html [R=405,L]

Configuring HTTP Response headers

Notes, Apache HTTP server requires a separate module to work with headers. Therefore, it is important to load it before writing any rules.

#Loading headers module
LoadModuleheaders_module modules/mod_headers.so
Header set Content-Security-Policy "default-src 'self';"
Header set Strict-Transport-Security "max-age=31536000"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set Referrer-Policy 'strict-origin'
Header set Feature-Policy "microphone 'none'; geolocation 'none'"
Header set Expect-CT "max-age=86400"
Header set Referrer-Policy 'strict-origin'

Web Application Configuration

Having a securely configured web server is not enough to protect your website from hackers. There are certain important requirements for your content management system:

Using the Latest Software Versions

Your web application must be always up to date. This means that your content management system and all its components should be running the latest stable software version. Most popular content management systems have a built-in feature that allows users to automatically get notifications about new software releases and automatically install updates.

In the context of the website security test, a detailed software composition analysis is performed that includes precise software version fingerprinting. At the time of writing, the website security test is able to fingerprint 200+ web applications and more than 300.000 web application components.

WordPress

Starting from version 3.7 WordPress has a built-in feature to automatically install updates for its core.

The Official WordPress website contains a detailed manual on how to configure background updates for your website.

Recently, a new official plugin from WordPress Team was introduced to check for updates for installed plugins and themes.

Drupal

Automatic updates from Drupal are possible via the Automatic Updates module. There is a possibility to implement supervised and unattended updates to keep your CMS and its modules up to date.

Joomla!

Automatic updates for Joomla! are possible via a third-party extension “Auto Update for Joomla”. This extension allows you to track new software releases for Joomla! itself as well as for installed extensions and components.

Piwigo

Piwigo has a built-in feature to automatically install updates. The official documentation contains instructions for how to use this feature for all supported software branches.

SharePoint

Updates for Microsoft SharePoint are delivered along with Microsoft updates and are installed according to deployed update policy.

Using Secure Cookies

Cookies are often used as a way to pass security-related data from the client’s browser to the web application.

The website security test makes sure that cookies used by the application are properly configured, e.g. have all necessary security flags set: Secure, HttpOnly, SameSite.

Privacy Policy

In order to comply with GDPR requirements, your website should have a privacy policy. The policy should contain information about processing visitor’s information and have a separate page on the website.

GDPR privacy compliance

Conclusion

So as soon as you take all the measures and fix all possible weaknesses mentioned in this article you can easily rely on A or A+ score for your website security. ImmuniWeb’s website security test A+ score will be great proof that your website is secured and in compliance with the latest security and privacy requirements such as GDPR or PCI DSS.

Hope you and your website will stay safe!

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade