...
I'll create my own abridged version in the future with an additional perspective on the impact to web applications.
Intermediate Hardening
These items are best practice but may impact integrated modules. If there are any known impacts, I will document them here too.
Setup Cross-Frame Scripting Policy in Header
Control which external domains iframes on your website can communicate with.
Risk - internally, developers may introduce iframe code that subverts your website or collects sensitive data. Externally, if your application is open to an injection attack, a malicious iframe may be placed on your website.
Possible Impact - the success of this policy depends on having an accurate inventory of the external domains used by iframes.
Considerations - If the website is an application, you may want to use code to set headers instead of using the web server.
Setup CORS Policy in Header
CORS (Cross-Origin Resource Sharing) allows a domain to set policies that control whether resources on the server can be accessed by a web page hosted on a different domain.
Risk - an overly permissive CORS policy can allow a malicious application to leverage assets on your website, leading to spoofing, data theft, relay and other attacks.
Disable Etag Header
ETag (entity tag) was introduced to help improve caching. However, besides not being very effective in enterprise cluster environments, it also exposes sensitive information such as the inode number, multipart MIME boundary and child process. It allows hackers to uniquely identify a particular server.
...
- Disable ETag - rely on the default Expires or Cache-Control header information.
- At minimum, disable the INode component.
... to fill out
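The three header items in this section can be checked together from a captured response. The following is an added example in Python (not from the original page) that audits raw response headers for a cross-frame policy, a permissive CORS origin and an inode-bearing ETag; both sample responses are constructed, and the three-hex-group ETag test is a heuristic that assumes Apache's FileETag INode MTime Size format.

```python
import re

# Constructed sample responses (not real captures): permissive defaults, then the same server hardened.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
ETag: "1a2b3c-2d-5f0e1d2c3b4a5"
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
"""
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Content-Security-Policy: frame-ancestors 'self' https://partner.example.net
Access-Control-Allow-Origin: https://app.example.com
Vary: Origin
Cache-Control: max-age=600
"""

def parse_headers(raw: str) -> dict:
    """Map header names (lower-cased; names are case-insensitive) to values, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(raw: str) -> list:
    """Return one finding string per hardening item the response fails (empty list = clean)."""
    h = parse_headers(raw)
    findings = []
    # Cross-frame policy: accept either X-Frame-Options or a CSP frame-ancestors directive.
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append("framing: no X-Frame-Options and no CSP frame-ancestors directive")
    # CORS: a wildcard origin is overly permissive; wildcard plus credentials is worse.
    if h.get("access-control-allow-origin") == "*":
        msg = "cors: Access-Control-Allow-Origin is a wildcard"
        if h.get("access-control-allow-credentials", "").lower() == "true":
            msg += " and Access-Control-Allow-Credentials is true"
        findings.append(msg)
    # ETag: with Apache's FileETag INode MTime Size the value is "inode-size-mtime" in hex,
    # so three hex groups is used here as a heuristic for "inode still present".
    etag = h.get("etag", "").removeprefix("W/").strip('"')
    if etag:
        if re.fullmatch(r"[0-9a-f]+-[0-9a-f]+-[0-9a-f]+", etag):
            findings.append("etag: present and appears to include the inode component")
        else:
            findings.append("etag: present; rely on Cache-Control/Expires instead")
    return findings
```

Feed it the output of an HTTP HEAD request against your own server to see which of the three items still need attention.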
Advanced Hardening
The advanced hardening is more likely to break your system so apply carefully one step at a time.
...