Scoring a Clean “A” Security Score in Your Website

Steve Matindi · Published in The Startup · 5 min read · Jun 18, 2020

The main focus of today is on existing threats affecting your company or individual website. Threats we know of and ignore and threats we don’t. Let’s now dive into it, describe, discuss and curb the threats. Grab your riding gear and let’s get started!

We will concentrate more on the Apache web server and how we can achieve our goal of fixing the existing security issues that are affecting your website security score.

Directory Listing

Did you know that anyone around the globe can browse the contents of your directories (folders) if the server finds no index file in them? Well, now you know. Anyone who searches for the tell-tale phrase “index of” can find such listings and browse and download your files.

Tip! (according to mother Google, an index is another name for the database used by a search engine. Indexes contain the information on all the websites that Google (or any other search engine) was able to find. If a website is not in a search engine’s index, users will not be able to find it.)

So, how do we disable this? First, log in to your cPanel and open your public_html folder to locate your .htaccess file. Once you’ve found it, make a backup by right-clicking it, choosing the compress option and downloading the archive, just in case something goes wrong. Then open the .htaccess file for editing (right-click again and choose the edit option) and add the following lines at the end of the file:

# Disabling directory listing
Options -Indexes
(Image: a snapshot of the .htaccess file showing the code snippet.)

That’s all you have to do to disable directory listing. Cheers!

(Image: the error response visitors will now get instead of the listing.)

X-XSS(Cross-Site-Scripting) Protection

Malicious hackers can inject executable scripts into the pages of a trusted application or website. Attackers often initiate an XSS attack by sending malicious links to users and enticing them to click. If the app or website lacks proper data sanitization, the link causes the attacker’s chosen script to run in the user’s browser, in the context of the trusted site. As a result, the attacker can steal the user’s active session cookie.

Tip! (A hacker is a person who finds and exploits weaknesses in computer systems and/or networks to gain access. There are three common types of hackers, namely white hat, grey hat and black hat hackers. Learn more about them to understand the differences between them.) And oh! don’t forget about the script kiddies :) they’re actually the worst!

So how do we protect ourselves from XSS attacks? All you have to do is add the security header below and you could be one step ahead in protecting your users. (Note that this header only switches on the built-in XSS filter of older browsers; most current browsers have removed that filter and ignore the header, so treat it as a legacy measure alongside the Content-Security-Policy covered further down, not as a substitute for sanitizing input.)

# security headers
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>

X-Frame-Options

According to Mozilla developers, the X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content isn’t embedded into other sites.

To protect ourselves against this, append the line below just after the Header set X-XSS-Protection… line, before the closing </IfModule> tag:

Header set X-Frame-Options "SAMEORIGIN"

X-Content-Type-Options

This header protects against MIME-type sniffing exploits. It does so by disabling the browser’s MIME sniffing and forcing it to honour the Content-Type sent by the server.

To protect ourselves against this, append the line below just after the Header set X-Frame-Options… line, before the closing </IfModule> tag:

Header set X-Content-Type-Options "nosniff"

Feature-Policy

According to OWASP, the Feature-Policy header is an added layer of security that helps restrict unauthorized access to or usage of browser/client features by web resources. It is a standard HTTP header that lets website owners limit which browser features (such as camera, microphone, location and full screen) a page may use.

Again, to protect ourselves against this, append the line below just after the Header set X-Content-Type-Options… line, before the closing </IfModule> tag:

Header set Feature-Policy "geolocation 'self'; vibrate 'none'"

The line tells supporting browsers how those two features may be used: geolocation only by the site’s own origin ('self'), and vibrate by nobody ('none').

Extensible Markup Language Remote Procedure Call (XML-RPC)

This protocol allows remote procedure calls through data transferred in XML format. These calls let other platforms talk to a website (WordPress exposes the endpoint as xmlrpc.php), but the endpoint is also a frequent target for attackers.

To disable XML-RPC, paste the block below. (These directives use the Apache 2.2 access-control syntax; on Apache 2.4 they only work while mod_access_compat is loaded, the native 2.4 equivalent being Require all denied.)

# Block xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

If you would like to keep XML-RPC reachable from one particular IP address, replace ‘xxx.xxx.xxx.xxx’ in the snippet below with that address, so that everyone else is still blocked:

# Block xmlrpc.php requests and allow only a particular service
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>

Content-Security-Policy

Commonly known as CSP, it’s an extra security layer that helps protect against the malicious injection of JavaScript, CSS, plugins and more by telling the browser which sources each kind of resource may be loaded from.

To protect ourselves against this, append a policy like the sample below just after the Header set Feature-Policy… line, before the closing </IfModule> tag:

Header set Content-Security-Policy "default-src https:; font-src https: data:; img-src https: data:; script-src https:; style-src https:;"

The sample above is a simple policy for a site that loads all of its resources over HTTPS. Adjust the sources to match what your site actually uses, otherwise legitimate scripts and styles will be blocked.

In a few minutes we’ve gone from the original score to the new one. (Images: the security score before and after the changes.)

Full snippet (note that it also sets Strict-Transport-Security, which the sections above did not cover: it tells browsers to use HTTPS only, for this host and all subdomains, for the next two years, so enable it only once everything is served over HTTPS; the Content-Security-Policy line from the previous section is not repeated here, so add it if you use it):

# security-Protection
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
</IfModule>
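As an added example that is not part of the original article, here is a small Python audit of a captured set of response headers against the protections configured above. It also parses the CSP and Feature-Policy values to flag inline/wildcard script sources and wildcard feature grants, which goes slightly beyond the article. The header names and values are assumed to come from a real response; a constructed sample stands in here.

```python
from typing import Dict, List
# Header -> acceptable lower-cased values; an empty set means "present with any value".
REQUIRED = {
    "x-frame-options": {"deny", "sameorigin"},
    "x-content-type-options": {"nosniff"},
    "x-xss-protection": set(),  # legacy header; current browsers ignore it
    "strict-transport-security": set(),
    "feature-policy": set(),
    "content-security-policy": set(),
}

def parse_policy(value: str) -> Dict[str, List[str]]:
    """Split a CSP or Feature-Policy value into {directive: [source tokens]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings in detection order; an empty list means a clean result."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []
    for name, allowed in REQUIRED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif allowed and h[name].lower() not in allowed:
            findings.append(f"weak {name}: {h[name]}")
    if "content-security-policy" in h:
        csp = parse_policy(h["content-security-policy"])
        # script-src falls back to default-src when it is not given explicitly
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("content-security-policy allows inline or wildcard scripts")
    if "feature-policy" in h:
        for feature, origins in parse_policy(h["feature-policy"]).items():
            if "*" in origins:
                findings.append(f"feature-policy grants {feature} to any origin")
    return findings

# Constructed sample: the headers the full snippet above (plus the CSP line) should produce.
SAMPLE_GOOD = {
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Feature-Policy": "geolocation 'self'; vibrate 'none'",
    "Content-Security-Policy": "default-src https:; script-src https:; style-src https:;",
}
```

Feed audit_headers the headers from a real response (for example, parsed from the output of curl -sI against your own site) and an empty list means every protection from this article is in place.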

If I’ve left out something you think we should add, feel free to let me know. Cheers! 🍻
