Web

Configure HSTS (HTTP Strict Transport Security) for Apache and Nginx

HTTP Strict Transport Security (HSTS) is a security capability to force clients to use HTTPS. In this article, we implement HSTS for Apache and Nginx.

Summary of Configure HSTS (HTTP Strict Transport Security) for Apache and Nginx

HTTP Strict Transport Security (or HSTS) is a security capability to force web clients to use HTTPS. The idea behind HSTS is that clients should always communicate as safely as possible. To achieve this, the web server and web browser will prefer the HTTPS protocol over HTTP.

Benefits

The clear benefit of “forcing” a client to use HTTPS directly is decreasing the risk of sharing sensitive information via a protocol which can be snooped upon.

Delete a HSTS Key Pin in Chrome

Here are the steps to take in Chrome when an HSTS key pin is set on a website, but is incorrect. Go to the net-internals settings to search for the domain.

Summary of Delete a HSTS Key Pin in Chrome

Key pinning can be tricky and sometimes you might encounter a website having an incorrect key pin. This is usually caused by renewing certificates: the validity period of the key pin might overlap with the expiry time at the moment of renewal.

Chrome error

You will see an error like: Your connection is not private. Attackers might be trying to steal your information from domain.

Deleting Outdated HPKP Key Pins in Firefox

HPKP Key Pins in Firefox. HPKP is a great technology to pin a certificate to a website. On first use of a domain, the browser of the client checks if key pinning is available. Upon a next visit...

Summary of Deleting Outdated HPKP Key Pins in Firefox

HPKP Key Pins in Firefox

HPKP is a great technology to pin a certificate to a website. On first use of a domain, the browser of the client checks if key pinning is available. Upon the next visit, the browser applies an additional check: whether the certificate(s) provided are in the previously stored white-list.

HPKP error

Sometimes things go wrong with HPKP and you won’t be able to access a particular page.

Disable SSLv3 in Lighttpd to protect against POODLE attack

Protecting against the POODLE attack with Lighttpd is easy by changing its configuration. Disable SSLv2 and SSLv3 to limit the attacks on the SSL protocol.

Summary of Disable SSLv3 in Lighttpd to protect against POODLE attack

Protecting against the POODLE attack

The POODLE attack has entered the news a few times now. The issue behind the POODLE attack is serious, as it abuses a weakness in the protocol, not the implementation. This means the only proper fix is abandoning the SSLv3 protocol and using the newer TLS protocols.

Disable SSLv2 and SSLv3

Lighttpd commonly has its configuration settings stored in /etc/lighttpd/lighttpd.conf. Open this file and add the following two statements to disable both protocols:

Hardening WordPress Security and Reduce Information Disclosure

WordPress installations are easy to hack if they disclose too much information, like version numbers. Hardening your installation can help to reduce this risk.

Summary of Hardening WordPress Security and Reduce Information Disclosure

For years, WordPress has been used as a platform for blogging. In recent years, more and more companies have even built their website in WordPress. Unfortunately, this also means it is more often targeted by scripts searching for their next victim. The primary reasons for a WordPress hack are often disclosed information and outdated software components. This applies to the WordPress version itself and to modules, like the plugins. In this article, we have a look at dealing with unwanted information disclosure and how we can reduce revealing too much.

Hiding the nginx version number

Security professionals usually don't advise relying on "security through obscurity". Still, it's wise to hide the nginx version number.

Summary of Hiding the nginx version number

If you care about security, making your system “lean” is a very good start. Remove all clutter, like unused packages. It is part of system hardening and considered good practice. This also applies to the leaking of version numbers, which can only be harmful. Yes, it is security through obscurity. But why would you reveal specific details about your environment to attackers? In this article we have a look at the very popular Nginx web server daemon.

How the web changes with HTTP/2: Performance and Security

The web changes and so does one of the most important underlying protocols HTTP. Learn about HTTP/2 and what it means for performance and security.

Summary of How the web changes with HTTP/2: Performance and Security

On invitation by the Dutch consultancy firm Snow, I attended their Snow Unix Event (SUE). It was the third time in a row, again with an impressive lineup of speakers. As I worked previously for the company, I expected no less than that. The theme was about knowledge sharing. That sounds like an invitation to also share some of the biggest insights I learned. Let’s start with the HTTP/2 insights by Daniel Stenberg.

How to block POST requests in nginx

Want to block all HTTP POST requests in nginx? There are multiple ways to achieve this and within this article we look at the best fit.

Summary of How to block POST requests in nginx

Why block POST requests in the first place?

Some websites or resources don’t need POST requests, such as a statically generated website. POST requests also seem to take more CPU time within nginx to process than static files. This becomes visible when using the $request_time variable to customize the access log.

2024-04-02T10:14:39+00:00 404 a.b.c.d “POST /xmlrpc.php HTTP/1.1” 562 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.

How to log only some requests to a log file in nginx

Nginx is flexible when it comes to what should be logged in the access.log. With the combination of a map and if-statement, this can be achieved very easily!

Summary of How to log only some requests to a log file in nginx

Nginx is flexible when it comes to what should be logged in the access.log. With the combination of a map and if-statement, this can be achieved very easily!

Log only some events by HTTP status

Creating a map using $status

The $status variable contains the HTTP status code that is normally returned for each request. We can leverage this status code to set a so-called boolean (true/false, or 1/0). Let’s first define the map and use the HTTP status.

How to see all virtual hosts in nginx

Want to see all configured virtual hosts on a server running nginx? Here is a method to achieve this quickly by using a default configuration option.

Summary of How to see all virtual hosts in nginx

How to display the configured hosts by filtering out the server_name entries

How to test if a website supports Brotli or Gzip compression

Optimizing a web server and its content can be done using brotli and gzip compression. This article shows a few ways to test if everything is working as expected.

Summary of How to test if a website supports Brotli or Gzip compression

After migrating this blog to Hugo we performed some optimization steps to ensure it is as quick as possible. Pages are slim and small in size, but can still be compressed. Normally we would do this on the web server side, by enabling dynamic compression: each time a client requests a compressed page, the web server compresses it and sends over the data. This time we turned things around.

Optimize SSL/TLS for Maximum Security and Speed

Everyone loves secure websites, as long as they are quick. Let's configure our website for maximum security and performance, at the same time.

Summary of Optimize SSL/TLS for Maximum Security and Speed

High Goal Setting

Recently we changed our corporate website into a “HTTPS only” version. Most of the content is not secret information, still we have some sensitive areas: the ordering section, downloads, and additionally our portal. While some areas were already covered with a lock, we felt it was time to make the jump to cover it all. Additionally, we believe we should be doing everything we can on our website, practicing security hardening ourselves.

Pre-compress static assets with Brotli and Gzip

Let's make the web a smaller place by pre-compressing static assets with Brotli and Gzip. Here are some useful tips to get started.

Summary of Pre-compress static assets with Brotli and Gzip

Gzip

Gzip is well-known and has been around for some time. Almost all web clients support it and the savings are typically very high. Compressing a file with gzip is simple, especially as the command is often already installed on Linux systems.

gzip --best --force filename.html

This compresses the file as well as it can (--best) and overwrites a .gz file if it already exists (--force).

Brotli

Brotli is a fairly new kid on the block when it comes to compressing files.

Protecting the browser: Web of Trust

Systems running Linux might be a safe option, yet web browsers and their users will always be under attack from malicious scripts. Web of Trust (WOT) helps to counter common attacks like spam and scams.

Summary of Protecting the browser: Web of Trust

Important Note

This is an older blog post and we no longer advise using Web of Trust. See pcmag for more details.

Protecting the web browser

On this blog we usually focus on the server side of things, helping to protect the data of users, customers and ourselves. What we commonly overlook is the other end of the connection: the web browser of the user. In the upcoming posts we will look at alternative measures we can take to protect data there as well.

Quick Tip: Disable Adobe Flash Player in Chrome

The end of Adobe's Flash Player is near. Learn how to disable it within the Chrome browser, so it no longer can be used.

Summary of Quick Tip: Disable Adobe Flash Player in Chrome

The end of Adobe’s Flash Player is near. Most of the remaining Flash on the web is advertisements or “fancy” movies created years ago. If you don’t need Flash any longer, these steps help you to disable it in Chrome.

Step 1: Open plugins

Go to chrome://plugins. This will show an overview of all your plugins.

Step 2: Disable Adobe Flash Player

Press Disable on the Adobe Flash Player. Adobe Flash Player is disabled.

RSS is cool! Some RSS feed readers are not (yet)...

Even after years, RSS is still being used by many. With more RSS clients to choose from, we discovered that not all of them behave like a good bot. Here is what we learned.

Summary of RSS is cool! Some RSS feed readers are not (yet)...

Fresh look at RSS after a migration

This blog has had an RSS feed since its inception about 10 years ago. It was (and is) an easy way for readers to quickly discover released and updated articles. Although a lot has changed in 10 years, including a migration from WordPress to Hugo, the RSS feed is still available. Recently, as part of the migration, we looked again at all individual layers that make this blog possible.

Securing nginx configurations: implementing OCSP stapling

OCSP stapling is a logical follow-up on the Online Certificate Status Protocol. With newer versions of Nginx we can enable OCSP stapling and test that it works.

Summary of Securing nginx configurations: implementing OCSP stapling

OCSP stapling is a logical follow-up on the Online Certificate Status Protocol. OCSP itself just checks whether a certificate is still valid by determining if it is on a revocation list. The original OCSP protocol forces the client to check the status of a certificate. This results in a lot of traffic for the CA behind the certificate. OCSP stapling moves the check to the owner of the certificate. On a regular basis the Nginx server will perform the check, receiving a new OCSP response.

All articles and tips to create a better website or optimize your webserver configuration. Let's build a better web together!

Summary of Web

To improve websites and the underlying webserver configuration, we collect useful tips to enhance your systems. Let’s build a better web together!