Check if your web site is secure

Analyze your web site with this Mozilla link

  1. Put this meta tag in the <head> of your HTML template page:

    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; child-src 'none'; object-src 'none'">

  2. In your php.ini file, set these lines:

    ; send the session cookie only over HTTPS
    session.cookie_secure = 1
    ; never accept a session ID passed in the URL
    session.use_only_cookies = 1
    ; keep the session cookie out of reach of JavaScript
    session.cookie_httponly = 1

  3. Enabling the X-Content-Type-Options Header

    Enabling this security header on your origin server is quite easy and takes just a couple of steps. The web server you are using determines which snippet to add to its configuration file. The following section outlines what needs to be added for both Nginx and Apache.

    Nginx

    For Nginx users, add the following snippet to your .conf file. Once done, save your changes and reload Nginx.

    add_header X-Content-Type-Options "nosniff";

    Apache

    For Apache users, simply add the following snippet to your .htaccess file. Once done, save your changes.

    Header set X-Content-Type-Options "nosniff"

    Enabling your web server to deliver the X-Content-Type-Options header is quite simple to do.

  4. Implementation Procedure in Apache (HttpOnly and Secure cookie flags)

    • Ensure you have mod_headers.so enabled in the Apache HTTP server
    • Add the following entry to httpd.conf
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
    • Restart the Apache HTTP server and test

    Note: Header edit is not available in Apache versions lower than 2.2.4.

  5. Configuring Apache

    To configure Apache to send the X-Frame-Options header for all pages, add this to your site’s configuration:

    Header always set X-Frame-Options "sameorigin"

    To configure Apache to set X-Frame-Options to deny instead, add this to your site's configuration:

    Header set X-Frame-Options "deny"


    Configuring nginx

    To configure nginx to send the X-Frame-Options header, add this to your http, server or location block:


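To verify that the headers and cookie flags configured in the steps above are actually delivered, here is an added example (not part of the original post) that audits a captured HTTP response header block offline; the two sample responses are constructed, not taken from any real site.

```python
import re

def parse_headers(raw):
    """Map lower-cased header name -> list of values (Set-Cookie may repeat)."""
    headers = {}
    for line in raw.splitlines()[1:]:       # skip the status line
        if not line.strip():
            break                           # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw)
    findings = []
    csp = h.get("content-security-policy", [""])[0]
    if not csp:
        findings.append("Content-Security-Policy header missing")
    else:
        for directive in ("default-src", "child-src", "object-src"):
            if not re.search(rf"(^|;)\s*{directive}\s", csp):
                findings.append(f"CSP lacks {directive}")
    if h.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if h.get("x-frame-options", [""])[0].lower() not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = """HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=abc123; Path=/
"""
HARDENED = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; child-src 'none'; object-src 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly; Secure
"""

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(resp) or ["all checks passed"])
```

Feed it the output of a real response capture (for example the header block saved from curl -i against your own site) to see which of the steps above still need doing.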