<!doctype html>
<html lang="en" prefix="og: http://ogp.me/ns#">
<head>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="description" content="Securing Apache - Fedora/RedHat Step 3g - Content Security Policies" />
<meta name="keywords" content="Apache, Security, SSL, TLS, Certificate, Fedora, RedHat, SUSE, CentOS, Elliptical Curves, RSA, Encryption, Content Security Policies, CSP, Policies, CSS, HTTPS, HTTP, Security Headers" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<meta name="author" content="Kevin Dziekonski" />
<meta name="generator" content="The Dead's Script O' Rama" />
<meta name="application-name" content="Zombie Security" />
<meta http-equiv="Content-Type" content="text/html" />
<meta name="robots" content="index, follow" />
<meta name="googlebot" content="index, follow" />
<meta name="copyright" content="Zombie materials are subject to copyrights" />
<meta property="og:title" content="Free Best Practice Security Guides" />
<meta property="og:image" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="og:image:secure_url" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="og:image:type" content="image/jpeg" />
<meta property="og:image:alt" content="Zombie Security – Free Best Practice Security Guides" />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://zombiesecured.com" />
<meta property="og:description" content="Best Practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta property="og:site_name" content="Zombie Secured" />
<meta property="twitter:card" content="summary" />
<meta property="twitter:site" content="https://zombiesecured.com " />
<meta property="twitter:site.id" content="@zombiesecured" />
<meta property="twitter:creator" content="@kevindziekonski" />
<meta property="twitter:description" content="Best Practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta property="twitter:title" content="Zombiesecured Free Educational Best Practices Security Guides" />
<meta property="twitter:image" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="twitter:image.alt" content="Free security education and best practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />
<meta name="msapplication-TileColor" content="#D83434" />
<meta name="msapplication-TileImage" content="https://zombiesecured.com/images/favicon.jpg" />
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-touch-fullscreen" content="yes">
<link rel="apple-touch-icon" href="https://zombiesecured.com/images/favicon.png" />
<link rel="canonical" href="https://zombiesecured.com/" />
<title>Step3g - Content Security Policy (Fedora/Redhat)</title>
</head>
<body>
<div class="container-fluid">
<!-- Add the common header to display the main menu. -->
<div id="header"></div>
<div class="row">
<!-- This section is the side menu section -->
<div class="col-md-2">
<div id="apacheFedoraSideMenu"></div>
</div>
<!-- This section is the content section -->
<div class="col-md-10">
<div class="card border-dark mb-3 mt-3">
<div class="card-header d-flex align-items-center justify-content-center">
<!-- This is the content header start. Add text here for the content banner text. -->
<h4>Securing Apache - Fedora/CentOS/SUSE/RedHat</h4>
</div>
<div class="card-body">
<!-- This section is the content section. Add the bulk HTML here -->
<h3>Step 3g - Content Security Policies (CSP) - <span class="red">Highly Recommended!!</span></h3>
<p class="card-text">A Content Security Policy is an HTTP response header that tells the browser which origins it may load scripts, styles, images, fonts and other resources from, where the page may be framed, and where its forms may be submitted. The large content providers deploy one, and it is a genuine security control rather than a performance tweak: if an attacker manages to get markup or script into one of our pages (cross-site scripting, a compromised third-party include, a tampered response), the browser refuses to run anything that does not come from a source the policy allows, so the injected code, malware or whatever else was planted never executes. Only a small minority of sites publish a policy, which is exactly why injected code works so reliably against the rest. Setting the policy at the server level is not mandatory; there are deployments where the application sets it per page or per path. Unless you are an admin who runs such a setup, use this procedure until you move the CSP to another layer.</p>
<p class="card-text"><a href="https://scotthelme.co.uk/" title="Scott Helme" target="_blank">Scott Helme</a> developed some nifty tools to help you <a href="https://report-uri.io/home/generate" title="Generate a Content Security Policy" target="_blank">generate a policy</a>, <a href="https://report-uri.io/home/analyse" title="Analyse your Content Security Policy" target="_blank">analyse your policy</a> or <a href="https://report-uri.io/home/hash" title="Generate a hash of JS or CSS" target="_blank">generate a hash of an inline JS or CSS block</a> for your CSP.</p>
<h4>Change the HTTPS Web site config file <span class="blue"><--Add the sections in blue to the file</span></h4>
<pre>nano /etc/httpd/conf.d/EXAMPLE_com_ssl.conf</pre>
<p class="card-text"><IfModule mod_ssl.c><br>
<VirtualHost *:443><br>
..............................<br>
<IfModule mod_headers.c><br>
Header unset ETag<br>
FileETag None<br>
# mod_headers cannot strip the Server header httpd itself adds; ServerTokens Prod and ServerSignature Off trim it<br>
Header unset Server<br>
Header always set X-Content-Type-Options "nosniff"<br>
Header always set X-XSS-Protection "1; mode=block"<br>
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure<br>
# Pre-standard Firefox header; redundant once Content-Security-Policy below is set<br>
Header set X-Content-Security-Policy "allow 'self';"<br>
Header set X-Frame-Options DENY<br>
Header set Cache-Control "public, max-age=31536000"<br>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"<br>
Header set MyHeader "Feel safe zombiesecured headers in use!!! It took %D microseconds for Zombiesecured to serve this request on %t"<br>
# HPKP is deprecated and ignored by current browsers; a wrong pin locks clients out for max-age, so keep max-age short while testing<br>
Header set Public-Key-Pins "pin-sha256=\"Hash of Pin 1\"; pin-sha256=\"Hash of Pin 2\"; includeSubDomains; report-uri=\"https://report.EXAMPLE.com\"; max-age=1111"<br>
<span class="blue">Header always set Content-Security-Policy ""</span> <span class="red"> <--- Put your policy directives between the quotes</span> - remove any headers the policy makes redundant (X-Content-Security-Policy, for example)<br>
</IfModule><br>
</VirtualHost><br>
</IfModule><br>
<br>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet<br>
<br></p>
<h4>Close and exit the file</h4>
<kbd>ctrl</kbd><strong> + </strong><kbd>o</kbd> (Save)<br />
<kbd>ctrl</kbd><strong> + </strong><kbd>x</kbd> (Exit)<br />
<h4 class="mt-3">Restart Apache</h4>
<pre>systemctl restart httpd</pre>
<p class="card-text"><span class="green"><b>Zombie Secured Headers in use:</b></span></p>
<br>
<pre>Header always set Content-Security-Policy "script-src 'self' https://cdnjs.cloudflare.com https://stackpath.bootstrapcdn.com https://code.jquery.com; style-src 'self' https://stackpath.bootstrapcdn.com https://use.fontawesome.com; img-src 'self'; font-src 'self' https://use.fontawesome.com; connect-src 'self'; media-src 'self'; object-src 'self'; worker-src 'none'; frame-ancestors 'none'; form-action 'self'"</pre>
<p class="card-text"><span class="green"><b>Zombie Secured CSP test results</b></span><br>
<img src="/images/Apache/Zombie_content.png" alt="https://report-uri.io/home/analyse" longdesc="https://report-uri.io/home/analyse"> </p>
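<p class="card-text">The Zombie Secured policy above, run through an audit of the kind the analyse tool linked earlier performs. The Python script below is an example added for this page; it is not code from the guide, from Apache or from report-uri.io. It parses a CSP value the way a browser does (semicolons between directives, whitespace between sources, first occurrence of a repeated directive wins), follows the CSP Level 3 fallback chain so it can report which fetch directives are left unrestricted when there is no default-src, flags the usual weak spots (object-src not 'none', missing base-uri or frame-ancestors, 'unsafe-inline', 'unsafe-eval', wildcard or plain-http sources), and produces the 'sha256-...' source expression that lets one specific inline script run without 'unsafe-inline', which is what the hash tool does. Against the policy above it reports that frame-src and manifest-src are unrestricted because there is no default-src, and that object-src 'self' should be 'none'. The ZOMBIE_CSP constant is copied from the header above; the function names, finding texts and severities are the example's own.</p>

```python
"""Audit a Content-Security-Policy value and hash inline scripts for it.

Added example for this guide; not code from the page, from Apache or from
report-uri.io. ZOMBIE_CSP is copied from the guide's "Headers in use" block
so the audit has realistic input; everything else here is the example's own.
"""
import base64
import hashlib

ZOMBIE_CSP = (
    "script-src 'self' https://cdnjs.cloudflare.com "
    "https://stackpath.bootstrapcdn.com https://code.jquery.com; "
    "style-src 'self' https://stackpath.bootstrapcdn.com https://use.fontawesome.com; "
    "img-src 'self'; font-src 'self' https://use.fontawesome.com; connect-src 'self'; "
    "media-src 'self'; object-src 'self'; worker-src 'none'; "
    "frame-ancestors 'none'; form-action 'self'"
)

# Fetch directives a reviewer expects to see governed, and the order in which a
# browser looks for a substitute when one is absent (CSP Level 3 fallback rules).
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "font-src", "connect-src",
                    "media-src", "object-src", "frame-src", "worker-src", "manifest-src")
FALLBACK = {
    "frame-src": ("child-src", "default-src"),
    "worker-src": ("child-src", "script-src", "default-src"),
    "child-src": ("default-src",),
}


def parse_csp(policy):
    """Split a header value into {directive: [source expressions]}.

    Directives are ';'-separated, tokens whitespace-separated; a browser keeps
    only the first occurrence of a repeated directive, so this does too.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives, name):
    """Sources that actually apply to `name` after following the fallback chain."""
    for candidate in (name,) + FALLBACK.get(name, ("default-src",)):
        if candidate in directives:
            return directives[candidate]
    return None  # nothing governs this directive: every source is allowed


def audit_csp(policy):
    """Return (severity, message) findings a practitioner would act on."""
    d = parse_csp(policy)
    findings = []
    unrestricted = [n for n in FETCH_DIRECTIVES if effective_sources(d, n) is None]
    if unrestricted:  # only possible when default-src is absent
        findings.append(("high", "no default-src, so unrestricted: " + ", ".join(unrestricted)))
    if "'none'" not in (effective_sources(d, "object-src") or []):
        findings.append(("medium", "object-src should be 'none'; plugins can execute script"))
    if "base-uri" not in d:
        findings.append(("medium", "no base-uri; an injected base tag can redirect relative script URLs"))
    if "frame-ancestors" not in d:
        findings.append(("medium", "no frame-ancestors; clickjacking is not prevented by CSP"))
    for name, sources in d.items():
        for src in sources:
            if src in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append(("high", f"{name} allows {src}"))
            elif src in ("*", "http:", "https:") or src.startswith("http://"):
                findings.append(("medium", f"{name} allows the broad source {src}"))
            elif src == "data:" and name in ("script-src", "object-src", "default-src"):
                findings.append(("high", f"{name} allows data: URIs, which bypass host allow-lists"))
    return findings


def script_hash(inline_source):
    """Return the 'sha256-...' expression that allows exactly one inline script.

    The digest covers the exact UTF-8 bytes between the opening and closing
    script tags, whitespace included; change one byte and it no longer matches.
    """
    digest = hashlib.sha256(inline_source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def apache_header_line(policy):
    """Render the mod_headers directive for the vhost file, escaping embedded quotes."""
    return 'Header always set Content-Security-Policy "%s"' % policy.replace('"', '\\"')


if __name__ == "__main__":
    for severity, message in audit_csp(ZOMBIE_CSP):
        print(f"[{severity}] {message}")
    print(script_hash("console.log('zombie')"))
    print(apache_header_line(ZOMBIE_CSP))
```

<p class="card-text">Run the audit on a policy before pasting it into the vhost file, then check the syntax with <code>apachectl configtest</code> before <code>systemctl restart httpd</code> so a typo cannot take the site down. After the restart, confirm the header is actually served with <code>curl -sI https://EXAMPLE.com/ | grep -i content-security-policy</code> (EXAMPLE.com being the guide's placeholder host); a policy that only exists in the config file protects nobody.</p>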
</div>
<!-- This is the end of the bulk content section. -->
<div class="card-footer text-secondary">
<!-- This is the card footer where the next/previous links and arrows go. The links will need to be updated for every page. -->
<a class="text-secondary float-left" href="Step3f-Lock.html"><i class="fa fa-arrow-left fa-2x"></i> PREVIOUS </a>
<!--<a class="text-secondary float-right" href="Step3g-Lock.html">NEXT <i class="fa fa-arrow-right fa-2x"></i></a> -->
</div>
</div>
</div>
</div>
</div>
<!-- Add the common footer. -->
<div id="footer"></div>
<!-- Optional JavaScript -->
<!-- jQuery first, then Popper.js, then Bootstrap JS -->
<script src="https://code.jquery.com/jquery-3.3.1.min.js" integrity="sha384-tsQFqpEReu7ZLhBV2VZlAu7zcOV+rXbYlF2cqB8txI/8aZajjp4Bqd+V6D5IgvKT" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js" integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1" crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM" crossorigin="anonymous"></script>
<script src="/js/zombie.js"></script>
</body>
</html>