Coder Social home page Coder Social logo

benyaminsalimi / secure-headers Goto Github PK

View Code? Open in Web Editor NEW
14.0 3.0 3.0 32 KB

secure header report and best practices config for Apache, Nginx, lighttpd, Cloudflare, netlify

License: MIT License

Python 100.00%
secure-headers information-security best-practices apache2 nignx-config htaccess python-script python3 lighttpd security

secure-headers's Introduction

Secure-Headers

secure header report and best practices config for Apache, Nginx, lighttpd, Cloudflare, netlify

attention : This repository is not ready to use, im trying to get it ready my free time

Pull requests are always welcome :)

why secure header

I suggest you don't copy past config from this repo, especially if you have a custom web application our example may break your software. read these articles first

Header scanner

report script

python report.py -h #for help
python report.py -u <url> -o <Output Filename> -l <Target List Filename>
python report.py -u https://facebook.com -o FBreport # for check one site
python report.py -l input.text -o report #for list input
python report.py -l input.text -o report #for list input

best practices

how to add header to Apache, nginx, lighttpd

  • X-Frame-Options

    • apache

    Header set X-Frame-Options "DENY"

    • nginx

    add_header X-Frame-Options "DENY";

    • lighttpd

    setenv.add-response-header = ("X-Frame-Options" => "DENY",)

  • X-XSS-Protection

    • apache

    Header set X-XSS-Protection "1; mode=block"

    • nginx

    add_header X-XSS-Protection "1;mode=block";

    • lighttpd

    setenv.add-response-header = ("X-XSS-Protection" => "1; mode=block",)

  • X-Content-Type-Options

    • apache

    Header set X-Content-Type-Options "nosniff"

    • nginx

    add_header X-Content-Type-Options "nosniff";

    • lighttpd

    setenv.add-response-header = ("X-Content-Type-Options" => "nosniff",)

  • Content-Security-Policy

    Header set Content-Security-Policy "script-src 'self'; object-src 'self'"

    • nginx

    add_header Content-Security-Policy "script-src 'self'; object-src 'self'";

    • lighttpd

    setenv.add-response-header = ("Content-Security-Policy" => "script-src 'self'; object-src 'self'",)

  • Strict-Transport-Security

    Header always set Strict-Transport-Security "max-age=15768000; includeSubdomains"

    • nginx :

    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";

    • lighttpd :

    setenv.add-response-header = ("Strict-Transport-Security" => "max-age=15768000; includeSubdomains",)

  • Referrer-Policy

    • apache

    Header set Referrer-Policy "no-referrer"

    • nginx

    add_header Referrer-Policy "no-referrer";

    • lighttpd

    setenv.add-response-header = ("Referrer-Policy" => "no-referrer",)

  • Feature-Policy

    • apache

    Header set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"

    • nginx

    add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";

    • lighttpd

    setenv.add-response-header = ("Feature-Policy" => "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'",)

optional

  • Clear-Site-Data
    • apache : Edit your apache configuration file and add the following to your VirtualHost.

    Header set Clear-Site-Data "cache"

    • nginx : Add snippet below into configuration file to send X-Frame-Options header.

    add_header Clear-Site-Data "cache";

    • lighttpd : Add snippet below into configuration file to send X-Frame-Options header.

    setenv.add-response-header = ("Clear-Site-Data" => " cache ",)

best practices example config

SSL

TODO

  • add netlify.com secure headers best practice
  • add Cloudflare Workers custom headers config and best practice
  • add lighttpd and apache secure config.
  • add CVS export to report script
  • add secure header suggestions to report script
  • add web server config generation to report script
  • add simple intro document for explain secure header in human language
  • add persian document!(اگه کسی خواست)

secure-headers's People

Contributors

benyaminsalimi avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

vinodsharma13 swipswaps kelvinkaungkaung

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.