Hardening your web server
Serving static web pages from, e.g., an Apache installation in Debian with the default settings isn’t likely to cause you any grief. But there’s always room for improvement. Let’s Encrypt (https://letsencrypt.org) now provides free and easy-to-use SSL certificates, so that users can browse your site safe in the knowledge that it is indeed your website and that the traffic is encrypted. If you’re handling sensitive data on your site (e.g. personal or financial details), then you’ll probably want to pay for at least a domain-validated certificate.
But we don’t really solve problems by slapping certificates on them; we can also tweak the cipher configuration so that vulnerable or obsolete encryption isn’t used. Adding the following lines to the configuration will do this for Apache:

  SSLCompression off
  SSLProtocol All -SSLv2 -SSLv3
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
This will prevent such attacks as BEAST, LOGJAM and CRIME, and also disables the obsolete SSL v2 and v3. This means that anyone using the antiquated Internet Explorer 6 won’t be able to view your secure site, but that’s probably not a great concern. For more background to the configuration, see http://bit.ly/StrongSSLSecurityOnApache.
There are also some security headers that modern browsers will respect and which can mitigate various attacks against your website. For example, you can set:

  Header set X-Frame-Options "SAMEORIGIN"
  Header set X-XSS-Protection "1; mode=block"
  Header set X-Content-Type-Options "nosniff"
This will prevent clickjacking and XSS attacks against your site, and also stops the browser from trying to guess the MIME type of downloaded files, so that it trusts the type supplied by the server instead.
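As an added example (not code from the original article), here is a small Python audit that reads an Apache configuration fragment and checks for the settings discussed above: compression off, SSLv2/SSLv3 disabled, no obviously weak cipher keywords, and the three security headers present. It assumes Apache’s pre-TLSv1.3 "all" protocol set and the old default of "all" when SSLProtocol is absent; the cipher check is a keyword screen, not a substitute for `openssl ciphers -v`.

```python
# Constructed example: assumes Apache's pre-TLSv1.3 "all" set and a crude cipher keyword screen.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
LEGACY = {"SSLv2", "SSLv3"}
WEAK_WORDS = ("NULL", "EXPORT", "RC4", "DES", "MD5")  # not a full OpenSSL cipher-string evaluator
HEADERS = ("X-Frame-Options", "X-XSS-Protection", "X-Content-Type-Options")

def directives(text):  # yield (lowercased directive, args), skipping comment lines
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")

def enabled_protocols(args):  # SSLProtocol tokens: 'all' expands, '-X' removes, 'X'/'+X' adds
    enabled = set()
    for tok in args.split():
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def audit(text):  # returns a list of findings; [] means every check passed
    findings, seen, compression, protocols = [], set(), None, ALL_PROTOCOLS  # assumed default: all
    for name, args in directives(text):
        if name == "sslcompression":
            compression = args.lower()
        elif name == "sslprotocol":
            protocols = enabled_protocols(args)
        elif name == "sslciphersuite":  # skip negated entries such as !aNULL
            suites = [s for s in args.split(":") if not s.startswith(("!", "-"))]
            bad = sorted({w for s in suites for w in WEAK_WORDS if w in s.upper()})
            if bad:
                findings.append("SSLCipherSuite allows weak ciphers: " + ", ".join(bad))
        elif name == "header":
            parts = args.split()
            if parts and parts[0].lower() == "always":  # "Header always set ..." form
                parts = parts[1:]
            if len(parts) > 1 and parts[0].lower() in ("set", "add", "append", "setifempty"):
                seen.add(parts[1].strip('":').lower())
    if compression != "off":  # older Apache builds defaulted to on
        findings.append("SSLCompression is not explicitly off (CRIME)")
    findings += [f"{p} is enabled" for p in sorted(protocols & LEGACY)]
    findings += [f"missing header {h}" for h in HEADERS if h.lower() not in seen]
    return findings

WEAK_CONFIG = """SSLProtocol all
SSLCipherSuite ALL:RC4-SHA
Header set X-Frame-Options "SAMEORIGIN"
"""  # constructed weak sample; the article's six lines above pass with no findings
```

Run `audit(open(path).read())` against your own site configuration; the three SSL directives plus the three Header lines from the article return an empty list.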