Month: May 2020

Did you know that a whole class of browser-side attacks can be mitigated simply by sending the right HTTP response headers?

Security is as essential as the content and SEO of your website, and thousands of websites get compromised because of misconfiguration or a lack of protection. If you are a website owner or security engineer looking to protect your website from clickjacking, code injection, MIME sniffing, XSS and similar attacks, this guide will help you. Keep in mind that response headers are a defence-in-depth layer: they tell the browser how to behave, and do not fix the underlying flaw in your application.

In this article, I will talk about various HTTP Headers to implement in multiple web servers, network edge & CDN providers for better website protection.

Notes:

  • You are advised to take a backup of the configuration file prior to making changes.
  • Some of the headers may not be supported on all browsers, so check compatibility before implementing them.
  • mod_headers must be enabled in Apache to implement these headers. Ensure the following line is uncommented in httpd.conf (on Debian/Ubuntu, run a2enmod headers instead).
LoadModule headers_module modules/mod_headers.so

Using WordPress?: you may want to try using HTTP Headers plugin, which takes care of these headers and a lot more.

Secure HTTP Headers

X-XSS-Protection

The X-XSS-Protection header controls the reflected-XSS auditor that some browsers shipped. It was supported in IE 8+, Chrome, Opera, Safari and Android browsers, but never in Firefox. Treat it as a legacy header: Chrome removed its XSS auditor in version 78 (2019) and Edge followed, and the filter itself was shown to be abusable for side-channel information leaks, which is why current guidance is to send X-XSS-Protection: 0 (or omit the header) and rely on a Content Security Policy instead.

Google, Facebook and GitHub have all sent this header, and penetration test reports still commonly flag its absence, so the configuration is kept here for completeness.

There are four possible ways you can configure this header.

Parameter value                            Meaning
0                                          XSS filter disabled
1                                          XSS filter enabled; the browser sanitises the page if an attack is detected
1; mode=block                              XSS filter enabled; the browser refuses to render the page if an attack is detected
1; report=http://example.com/report_URI    XSS filter enabled; the browser reports the violation to the given URL (Chromium only)

Let's implement 1; mode=block in the following web servers.

Apache HTTP Server

Add the following entry in httpd.conf of your Apache webserver

Header set X-XSS-Protection "1; mode=block"

Restart the apache to verify

Nginx

Add the following in nginx.conf under http block

add_header X-XSS-Protection "1; mode=block";

Nginx restart is needed to get this reflected on your web page response header.

MaxCDN

If you are using MaxCDN, then adding header is easy and on-the-fly.

Go to Edge Rules >> click “New Rule” and select “Add X-XSS-Protection Header” from the drop-down.


Microsoft IIS

  • Open IIS Manager
  • Select the Site you need to enable the header for
  • Go to “HTTP Response Headers.”
  • Click “Add” under actions
  • Enter name, value and click Ok
  • Restart IIS to see the results

HTTP Strict Transport Security

The HSTS (HTTP Strict Transport Security) header tells a browser that all communication with your site must go over HTTPS for the period you specify. Once a browser has seen it, it rewrites http:// links to https:// before sending the request, and it refuses to let the user click through certificate errors for that site.

Before implementing this header, you must ensure every page of your website, and every subdomain if you use includeSubDomains, is reachable over HTTPS; otherwise those pages will be blocked for the whole max-age period. Start with a short max-age (a few minutes) and increase it only once you have confirmed nothing breaks.

The HSTS header is supported by all current major browsers, including IE 11, Edge, Firefox, Opera, Safari and Chrome. There are three directives.

Directive            Meaning
max-age              Duration (in seconds) for which the browser should treat the site as HTTPS-only.
includeSubDomains    Apply the policy to all subdomains as well.
preload              Signal that you want the domain included in the browser HSTS preload list. Submission at hstspreload.org requires a max-age of at least one year, includeSubDomains and preload, and removal from the list takes months, so only add it once you are sure.

So let’s take an example of having HSTS configured for one year, including preload for domain and sub-domain.

Apache HTTP Server

You can implement HSTS in Apache by adding the following entry to the HTTPS VirtualHost (or to httpd.conf). The "always" condition makes Apache send the header on error responses as well, not only on successful ones.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Restart apache to see the results

Nginx

To configure HSTS in Nginx, add the next entry in nginx.conf under server (SSL) directive

add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

As usual, you will need to restart Nginx to verify

Cloudflare

If you are using Cloudflare, then you can enable HSTS in just a few clicks.

  • Log in to Cloudflare and select the site
  • Go to the “Crypto” tab and click “Enable HSTS.”

Select the settings you need, and the changes are applied on the fly.

Microsoft IIS

Launch the IIS Manager and add the header by going to “HTTP Response Headers” for the respective site.


Restart the site

X-Frame-Options

Use the X-Frame-Options header to prevent clickjacking on your website. By sending this header, you instruct the browser not to embed your page in a frame/iframe (or only to allow it from the same origin). All current browsers support DENY and SAMEORIGIN; the ALLOW-FROM value was only ever implemented by Internet Explorer and Firefox and is obsolete, so if you need to allow one specific framing site, use the CSP frame-ancestors directive instead (covered under Content Security Policy below). Send exactly one X-Frame-Options header: browsers treat conflicting or duplicated values such as "DENY, SAMEORIGIN" as invalid and may ignore the header entirely.

You can configure the following three values.

Parameter value    Meaning
SAMEORIGIN         Framing is allowed only from the same origin.
DENY               No site, including your own, may embed the page in a frame/iframe.
ALLOW-FROM uri     Allow framing only from one particular origin (obsolete; unsupported in Chrome and Safari).

Let’s take a look at how to implement “DENY” so no domain embeds the web page.

Apache

Add the following line to httpd.conf and restart the web server to verify the results. "set" rather than "append" is used so that an application that already emits the header does not end up producing a duplicated value.

Header always set X-Frame-Options "DENY"

Nginx

Add the following in nginx.conf under the server directive/block (use straight quotes; curly quotes would be sent as part of the header value).

add_header X-Frame-Options "DENY";

Restart to verify the results

F5 LTM

Create an iRule with the following content and associate it with the respective virtual server.

when HTTP_RESPONSE {
    HTTP::header insert "X-Frame-Options" "DENY"
}

You don't need to restart anything; the change takes effect immediately.

WordPress

You can send this header from WordPress too. Add the following to wp-config.php (the call must run before any output is sent, which is the case there):

header('X-Frame-Options: DENY');

If you are not comfortable editing the file, then you can use a plugin as explained here or mentioned above.

Microsoft IIS

Add the header by going to “HTTP Response Headers” for the respective site.


Restart the site to see the results.

X-Content-Type-Options

The X-Content-Type-Options header prevents MIME-sniffing attacks. With it, the browser trusts the Content-Type you declare and does not try to guess a different type from the content, so a user-uploaded file served as text/plain or image/png cannot be reinterpreted and executed as HTML or JavaScript. Chromium also uses it as a signal for cross-origin read blocking. It has only one value, "nosniff", and it only helps if every response carries a correct Content-Type.

Let’s see how to advertise this header.

Apache

You can do this by adding the below line in httpd.conf file

Header set X-Content-Type-Options nosniff

Don’t forget to restart the Apache webserver to get the configuration active.

Nginx

Add the following line in nginx.conf file under server block.

add_header X-Content-Type-Options nosniff;

As usual, you got to restart the Nginx to check the results.

Microsoft IIS

Open IIS and go to HTTP Response Headers

Click on Add and enter the Name and Value


Click OK and restart the IIS to verify the results.

HTTP Public Key Pinning

HPKP (HTTP Public Key Pinning) lets a site pin the public keys that may appear in its certificate chain, so that a mis-issued certificate from another CA is rejected by returning browsers, reducing man-in-the-middle (MITM) risk.

You can pin the public key of the leaf, an intermediate or the root certificate, using a SHA-256 hash of the Subject Public Key Info. However, the header has been deprecated and removed: Chrome dropped support in version 72 (January 2019) and Firefox in version 72 (January 2020), and it was never implemented in Safari or Edge. A wrong or lost pin locks your own users out of the site until max-age expires, which is why it has been superseded by Certificate Transparency (see Expect-CT below). Do not deploy HPKP on a new site; at most use the Report-Only variant to learn what a pin would do.

There are four possible directives.

Directive                  Meaning
pin-sha256="base64"        Base64 SHA-256 hash of a Subject Public Key Info to pin. At least two are required, one of them a backup key that is not in the current chain.
max-age=seconds            How long the browser should remember that the site may only be reached with one of the pinned keys.
includeSubDomains          Apply the pins to subdomains as well.
report-uri="url"           Report pin validation failures to the specified URL. Optional.

Let's see an HPKP header example from facebook.com (the Report-Only variant, which never blocks).

public-key-pins-report-only: max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; report-uri=http://reports.fb.com/hpkp/

If this is something you need to implement on your website, then head to the implementation guide written by Scott Helme.

Content Security Policy

Prevent XSS, clickjacking and code injection attacks by implementing the Content Security Policy (CSP) header in your web page's HTTP response. CSP tells the browser which sources it is allowed to load scripts, styles, images, frames and other content from; anything else, including an injected inline <script>, is refused.

All current browsers support CSP, but two legacy header names still exist, so make sure you are sending the standard one:

  1. Content-Security-Policy – the standard header (Level 1, 2 and 3)
  2. X-Content-Security-Policy – deprecated
  3. X-Webkit-CSP – deprecated

If you are still using a deprecated one, upgrade to the standard header.

There are many directives available, and the OWASP cheat sheet gives a good overview. Let's go through the two most used ones.

Directive      Meaning
default-src    Fallback source list for every resource type that has no directive of its own.
script-src     Source list for scripts only; overrides default-src for scripts.

Two practical points. 'self' does not permit inline scripts or inline event handlers, so a policy of default-src 'self' will break any page that relies on them until they are moved into external files (or allowed with a nonce or hash). And to avoid breaking a live site, roll the policy out first as Content-Security-Policy-Report-Only with a report-uri, which logs violations without blocking anything. The frame-ancestors directive is the modern replacement for X-Frame-Options.

The following examples load everything from the same origin on various web servers.

Apache

Get the following added in httpd.conf file and restart the webserver to get effective.

Header set Content-Security-Policy "default-src 'self';"

Nginx

Add the following in the server block in nginx.conf file

add_header Content-Security-Policy "default-src 'self';";

Microsoft IIS

Go to HTTP Response Headers for your respective site in IIS Manager and add the following


X-Permitted-Cross-Domain-Policies

Using Adobe products such as Acrobat (PDF) or Flash? These clients decide whether they may make cross-domain requests to your site by fetching a crossdomain.xml policy file. The X-Permitted-Cross-Domain-Policies header tells them which policy files, if any, they may honour, which stops an attacker from planting a permissive policy file somewhere on your domain (for example via a file upload) and using it to read your site's data cross-origin.

There are a few options available.

Value              Description
none               No policy files are allowed anywhere on the site.
master-only        Only the master policy file at /crossdomain.xml is allowed.
all                All policy files on the site are allowed.
by-content-only    Only policy files served with Content-Type text/x-cross-domain-policy are allowed.
by-ftp-only        Only policy files served from an FTP server are allowed.

Apache

If you don't want to allow any policy file:

Header set X-Permitted-Cross-Domain-Policies "none"

After a restart, the header should appear in the response.

Nginx

And, let's say you need to implement master-only; then add the following in nginx.conf under the server block.

add_header X-Permitted-Cross-Domain-Policies master-only;

Reload Nginx and check the response headers.

Referrer-Policy

Looking to control the Referer header your site causes browsers to send? There are privacy and security benefits: the referrer can leak session tokens, password-reset links or other secrets embedded in URLs to third parties. Not all values are supported by every browser, so review your requirements before implementing. Note also that browsers have moved their default from no-referrer-when-downgrade to strict-origin-when-cross-origin (Chrome did so in version 85, in 2020).

Referrer-Policy supports the following values.

Value                              Description
no-referrer                        No referrer information is sent with any request.
no-referrer-when-downgrade         The long-standing browser default: the full URL is sent, except on a downgrade from HTTPS to HTTP, when nothing is sent.
unsafe-url                         The full URL is always sent, even to HTTP destinations from an HTTPS page.
same-origin                        The full URL is sent for same-origin requests; nothing is sent cross-origin.
strict-origin                      Only the origin (scheme, host, port) is sent, and nothing on an HTTPS-to-HTTP downgrade.
strict-origin-when-cross-origin    The full URL for same-origin requests, only the origin for cross-origin requests, and nothing on a downgrade.
origin                             Only the origin is sent in all requests, including downgrades.
origin-when-cross-origin           The full URL for same-origin requests; only the origin for cross-origin requests.

Apache

You can add the following if you want to set no-referrer.

Header set Referrer-Policy "no-referrer"

After the restart, the header should be present in the response.

Nginx

Let's say you need to implement same-origin; then add the following.

add_header Referrer-Policy same-origin;

Once configured and reloaded, you should see it in the response headers.

Expect-CT

Expect-CT is a header, still in experimental status, that instructs the browser to check that the server's certificate is accompanied by signed certificate timestamps (SCTs) from Certificate Transparency (CT) logs. CT, a project started at Google and standardised in RFC 6962, makes every publicly issued certificate auditable so that mis-issuance can be detected. Chrome has required CT for all publicly trusted certificates issued after 30 April 2018 regardless of this header, so Expect-CT mainly adds reporting and has since been deprecated; do not rely on it as your only control.

The following three directives are available for the Expect-CT header.

Directive     Description
max-age       In seconds, how long the browser should cache the policy.
enforce       Optional; refuse connections that fail the CT check instead of only reporting them.
report-uri    Where the browser should send a report when a valid CT proof is not received.

Apache

Let's assume you want to enforce the policy, report failures, and cache it for 12 hours; then add the following.

Header set Expect-CT 'enforce, max-age=43200, report-uri="https://somedomain.com/report"'

Restart Apache and check the response headers.

Nginx

What if you want to report only and cache for 1 hour? One hour is 3600 seconds:

add_header Expect-CT 'max-age=3600, report-uri="https://mydomain.com/report"';

Reload Nginx and check the response headers.

Feature-Policy

Feature-Policy lets you enable or disable browser features such as geolocation, fullscreen, USB, autoplay, vibrate, microphone, camera, speaker, payment and VR within a web application, both for your own page and for anything it embeds in an iframe. It has since been renamed Permissions-Policy with a different syntax (for example geolocation=() instead of geolocation 'none'), so newer browsers need the new header; sending both is harmless.

Apache

Let's say you need to disable the fullscreen feature; to do so, add the following in httpd.conf or apache2.conf.

Header always set Feature-Policy "fullscreen 'none'"

How about adding multiple features in a single line?

That’s possible too!

Header always set Feature-Policy "fullscreen 'none'; microphone 'none'"

Restart Apache HTTP to see the result.

The above code will instruct the browser to disable fullscreen and microphone.

Nginx

Let’s take another example – disable vibrate feature.

add_header Feature-Policy "vibrate 'none';";

Or, disable geolocation, camera, and speaker.

add_header Feature-Policy "geolocation 'none'; camera 'none'; speaker 'none';";

Reload Nginx and check the response headers.

Nginx add_header directives can go in the http block in nginx.conf or any custom file you include. Be aware of one Nginx pitfall: add_header is only inherited from the enclosing level if the current level has no add_header directives of its own. If a server or location block sets even one add_header, all the headers configured in the http block disappear for that scope, so either keep every security header at one level or repeat the full set (for example via an include file) wherever you add another header.
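Once the headers are configured, the remaining job is to verify what the server actually sends and whether the values match the guidance above. The following is an added example, not code from the original article: it parses a raw HTTP response and grades the headers covered in this guide (HSTS, X-Frame-Options, X-Content-Type-Options, CSP, X-XSS-Protection, Referrer-Policy). WEAK_RESPONSE is a constructed sample, not captured from any real site; in practice you would feed audit() the output of `curl -si https://yoursite`.

```python
"""Audit the security headers in a raw HTTP response.
Added example, not code from the original article; WEAK_RESPONSE is a
constructed sample. Feed audit() the output of `curl -si https://yoursite`."""
import re
from typing import Dict, List, NamedTuple, Optional

ONE_YEAR = 31536000  # minimum HSTS max-age for preloading

# Constructed: every header present, most set the way the article warns against.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300; includeSubDomains; preload\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Referrer-Policy: unsafe-url\r\n"
    "\r\n<html></html>"
)


class Finding(NamedTuple):
    header: str
    level: str  # "pass", "warn" or "fail"
    message: str


def parse_headers(raw: str) -> Dict[str, str]:
    """Lower-cased name -> value. Duplicates are joined with ", " as RFC 7230
    allows, so an accidental "DENY, DENY" from two layers becomes visible."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # [1:] skips status line
        name, sep, value = line.partition(":")
        if sep:
            key, value = name.strip().lower(), value.strip()
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def csp_sources(policy: str, directive: str) -> Optional[List[str]]:
    """Source list of one CSP directive, or None if the directive is absent."""
    for clause in policy.split(";"):
        parts = clause.split()
        if parts and parts[0].lower() == directive:
            return [p.lower() for p in parts[1:]]
    return None


def audit(raw: str) -> List[Finding]:
    h = parse_headers(raw)
    out: List[Finding] = []

    def f(header: str, level: str, message: str) -> None:
        out.append(Finding(header, level, message))

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    age, subs = (int(m.group(1)) if m else 0), "includesubdomains" in hsts.lower()
    if not hsts:
        f("Strict-Transport-Security", "fail", "missing")
    elif "preload" in hsts.lower() and (age < ONE_YEAR or not subs):
        f("Strict-Transport-Security", "fail", "preload needs max-age>=1y and includeSubDomains")
    elif age < ONE_YEAR or not subs:
        f("Strict-Transport-Security", "warn", f"max-age={age}, includeSubDomains={subs}")
    else:
        f("Strict-Transport-Security", "pass", hsts)

    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        f("X-Frame-Options", "pass", xfo)
    elif not xfo:
        f("X-Frame-Options", "warn", "missing (acceptable only with CSP frame-ancestors)")
    else:  # ALLOW-FROM is obsolete, and a duplicated "DENY, DENY" is invalid too
        f("X-Frame-Options", "fail", f"obsolete or duplicated value {xfo!r}")

    if h.get("x-content-type-options", "").lower() == "nosniff":
        f("X-Content-Type-Options", "pass", "nosniff")
    else:
        f("X-Content-Type-Options", "fail", "nosniff missing")

    csp = h.get("content-security-policy", "")
    scripts = csp_sources(csp, "script-src")
    if scripts is None:
        scripts = csp_sources(csp, "default-src")  # script-src falls back to default-src
    risky = {"'unsafe-inline'", "*", "data:", "http:", "https:"} & set(scripts or [])
    if scripts is None:
        f("Content-Security-Policy", "fail", "missing, or no script-src/default-src")
    elif risky:
        f("Content-Security-Policy", "fail", f"script sources allow {sorted(risky)}")
    else:
        f("Content-Security-Policy", "pass", csp)

    xss = h.get("x-xss-protection", "0").strip()
    if xss.startswith("0"):
        f("X-XSS-Protection", "pass", "filter disabled or header absent")
    else:  # the auditor is gone from Chromium and was itself a side-channel risk
        f("X-XSS-Protection", "warn", f"legacy value {xss!r}; send 0 and rely on CSP")

    rp = [t.strip().lower() for t in h.get("referrer-policy", "").split(",")][-1]
    if not rp:
        f("Referrer-Policy", "warn", "missing")
    elif rp in ("unsafe-url", "no-referrer-when-downgrade"):
        f("Referrer-Policy", "warn", f"{rp} sends full URLs to third parties")
    else:  # a comma-separated list is a fallback chain; the last value wins
        f("Referrer-Policy", "pass", rp)
    return out
```

Running audit(WEAK_RESPONSE) yields a fail for HSTS (preload with a 300-second max-age), X-Frame-Options (ALLOW-FROM) and CSP ('unsafe-inline' in script-src), and warnings for the legacy X-XSS-Protection value and unsafe-url; the same function returns only passes for a response carrying the values the examples above build towards. Because parse_headers joins duplicate headers, it also catches the common case where the application and the reverse proxy both emit X-Frame-Options.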

Conclusion

Securing a website is challenging, and I hope by implementing the above headers, you add a layer of security. If you are running a business site, then you may also consider using cloud-WAF like SUCURI to protect your online business. The good thing about SUCURI is it offers security and performance, both.

ionCube is a commercial software suite consisting of a PHP encoder, package foundry, bundler, a real time site intrusion detection and error reporting application as well as a loader.

PHP encoder is an application for PHP software protection: used to secure, encrypt and license PHP source code. ionCube loader is an extension used to load PHP files protected and encoded using PHP encoder. It is mostly used in commercial software applications to protect their source code and prevent it from being visible.

Read Also: How to Install ionCube Loader in Debian and Ubuntu

In this article, we will show how to install and configure ionCube Loader with PHP in CentOS 7 and RHEL 7 distributions.

Prerequisites:

Your server must have a running web server (Apache or Nginx) with PHP installed. If you don’t have a web server and PHP on your system, you can install them using yum package manager as shown.

Step 1: Install Apache or Nginx Web Server with PHP

1. If you already have a running web server Apache or Nginx with PHP installed on your system, you can jump to the Step 2, otherwise use the following yum command to install them.

-------------------- Install Apache with PHP --------------------
# yum install httpd php php-cli	php-mysql

-------------------- Install Nginx with PHP -------------------- 
# yum install nginx php php-fpm php-cli	php-mysql

2. After installing Apache or Nginx with PHP on your system, start the web server and make sure to enable it to auto start at system boot time using following commands.

-------------------- Start Apache Web Server --------------------
# systemctl start httpd
# systemctl enable httpd

-------------------- Start Nginx + PHP-FPM Server --------------------
# systemctl start nginx
# systemctl enable nginx
# systemctl start php-fpm
# systemctl enable php-fpm

Step 2: Download IonCube Loader

3. Go to the ionCube website and download the installation files, but before that you first need to check whether your system is running on a 64-bit or 32-bit architecture using the following command.

# uname -a

Linux tecmint.com 4.15.0-1.el7.elrepo.x86_64 #1 SMP Sun Jan 28 20:45:20 EST 2018 x86_64 x86_64 x86_64 GNU/Linux

The above output clearly shows that the system is running on 64-bit architecture.

As per your Linux system architecture type download the ioncube loader files into /tmp directory using following wget command.

-------------------- For 64-bit System --------------------
# cd /tmp
# wget https://downloads.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.tar.gz

-------------------- For 32-bit System --------------------
# cd /tmp
# wget https://downloads.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz

4. Then extract the downloaded archive using the tar command and move into the extracted folder. Then run the ls command to list the loader files for the different PHP versions.

# tar -zxvf ioncube_loaders_lin_x86*
# cd ioncube/
# ls -l


Step 3: Install ionCube Loader for PHP

5. There will be different ioncube loader files for various PHP versions, you need to select the right ioncube loader for your installed PHP version on your server. To know the php version installed on your server, run the command.

# php -v


The above output clearly shows that the system is using PHP 5.4.16 version, in your case it should be different version.

6. Next, find the location of the extension directory for PHP version 5.4, it is where the ioncube loader file will be installed. From the output of this command, the directory is /usr/lib64/php/modules.

# php -i | grep extension_dir

extension_dir => /usr/lib64/php/modules => /usr/lib64/php/modules

7. Next we need to copy ioncube loader for our PHP 5.4 version to the extension directory (/usr/lib64/php/modules).

# cp /tmp/ioncube/ioncube_loader_lin_5.4.so /usr/lib64/php/modules

Note: Make sure to replace the PHP version and extension directory in the above command according to your system configuration.

Step 4: Configure ionCube Loader for PHP

8. Now we need to configure PHP to load the ionCube loader. Open the php.ini file.

# vim /etc/php.ini

Then add the line below at the top of php.ini: the loader must be registered before any other Zend extension such as OPcache. On CentOS/RHEL a cleaner alternative is to put the same line in its own file, /etc/php.d/00-ioncube.ini, where the 00- prefix makes it load before 10-opcache.ini.

zend_extension = /usr/lib64/php/modules/ioncube_loader_lin_5.4.so


Note: Make sure to replace the extension directory and PHP version in the above command according to your system configuration.

9. Then save and exit the file. Now we need to restart the Apache or Nginx web server for the ioncube loaders to come into effect.

-------------------- Start Apache Web Server --------------------
# systemctl restart httpd

-------------------- Start Nginx + PHP-FPM Server --------------------
# systemctl restart nginx
# systemctl restart php-fpm

Step 5: Test ionCube Loader

10. To test if ionCube loader is now installed and properly configured on your server, check your PHP version once more. You should be able to see a message indicating that PHP is installed and configured with the ioncube loader extension (status should be enabled), as shown in the following screenshot.

# php -v


The above output confirms that the PHP is now loaded and enabled with ioncube loader.

ionCube loader is a PHP extension for loading files secured and encoded with PHP encoder. We hope that everything worked on fine while following this guide, otherwise, use the feedback form below to send us your queries.

What is a WHOIS Database?

The WHOIS database contains the listing of all registered domains on the internet. You can do a WHOIS lookup to access various details related to a domain such as registration date, expiry date, domain ID, name of the registrar, contact information, name servers and more. WHOIS data is available to the public, and anyone can access the details of a registered domain. The data is held by the domain registries and registrars, which publish it under rules set by the Internet Corporation for Assigned Names and Numbers (ICANN), and it is updated regularly. When you register a domain, the registrar collects your contact details and is required by ICANN to keep them accurate.

What is WHOIS Privacy?

When you register a domain name, you have to provide personal information such as name, address, phone number and email. The information is stored in the WHOIS database and anyone can find it using a WHOIS domain lookup.

WHOIS Privacy is a privacy service offered by Hostinger to protect the privacy of domain owners. When you enable WHOIS Privacy, your personal details are masked or replaced with the contact details of a privacy/proxy service, so they do not appear in public lookups.

How to Use WHOIS Lookup?

Performing a WHOIS search is easy and quick. Just enter the name of the domain or IP address in the search box and hit “Look Up.” Our tool will search the WHOIS database and provide all information including domain name registration records within seconds.

Be sure not to use the information for marketing or spam as it’s prohibited by the ICANN.

How to Update WHOIS Information?

You should always keep your WHOIS information updated to comply with ICANN rules. That means providing accurate contact information through which you can receive correspondence from your provider.

You can update your WHOIS information easily by using the Hostinger control panel. It just takes a few steps and you can update your information all at once if you want. You will need to log into your Hostinger account and then access the control panel to update WHOIS information.

Why are Some Entries Hidden?

Remember the WHOIS Privacy feature we talked about? That is the reason why some entries in a WHOIS search are hidden from your view: the registrants of those domains have enabled WHOIS Privacy, so the registrar hides their contact information.

Some information can also be hidden by domain providers following the local data protection and privacy laws such as GDPR.

How can I Hide WHOIS Information?

You can use WHOIS Privacy to hide your personal information in the WHOIS database. If someone searches for your domain, they will not be able to see your contact information.

To hide your WHOIS information, you need to log in to Hostinger and then navigate to the Members Area. Now click on Domain at the top of the screen and choose one of the Order buttons. You will be redirected to the payment page where you can choose your payment method for WHOIS Privacy.

Do remember that some WHOIS listings take time to update the changes. So someone may see your details before it becomes hidden.

Often you need to know which files are taking up the most space so you can delete them. Here's a command pattern to find large files on Linux or macOS:

find {directory} -type f -size +100000k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'

The -size +100000k test matches files larger than 100000 KiB (about 98 MiB). One caveat: awk prints only the ninth whitespace-separated field, so a path containing spaces is cut off after its first word, which is why several entries below appear as just "/Applications/Diablo". If your file names contain spaces, use `-exec du -h {} +` in place of the ls and awk pair.

1. File size >= 100MB

Find all files that have a size >= 100MB, from root folder and its sub-directories.

sudo find / -type f -size +100000k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'

Result

/Applications/Diablo: 2.3G
/Applications/Diablo: 203M
/Applications/Diablo: 978M
/Applications/Diablo: 1.4G
/Applications/Diablo: 1.3G
/Applications/Diablo: 1.5G
/Applications/iPhoto.app/Contents/Resources/PointOfInterest.db: 242M

2. File size >= 50MB

Find all files that have a size >= 50MB, from the folder '/Users/mkyong' and its sub-directories. Note that the threshold becomes +50000k and the path is /Users, not /User:

find /Users/mkyong -type f -size +50000k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'

Result

/Users/mkyong/Downloads/command_line_tools_for_xcode_june_2012.dmg: 147M
/Users/mkyong/Downloads/ubuntu-12.04-desktop-i386.iso: 701M
/Users/mkyong/Downloads/X15-65805.iso: 3.0G
/Users/mkyong/Library/Preferences/com.google.code.sequel-pro.plist: 104M

About the TLS Extension Server Name Indication (SNI)

When website administrators and IT personnel are restricted to a single SSL certificate per IP address and port, it can cost a lot of money. This restriction forces them to buy multiple IP addresses for ordinary HTTPS websites from their hosting provider, or to buy hardware with multiple network adapters.

However, with Apache 2.2.12 and OpenSSL 0.9.8j or later you can use the Transport Layer Security (TLS) extension called Server Name Indication (SNI). The browser sends the host name it wants in the first TLS message (the ClientHello), so the server can pick the matching certificate before the handshake completes. This lets you secure multiple Apache sites with one certificate, or use several certificates for different sites on a single domain (e.g. www.yourdomain.com, site2.yourdomain.com) or across multiple domains (www.domain1.com, www.domain2.com), all from a single IP address. The benefits are obvious: you can secure more websites without purchasing more IP addresses or additional hardware. Keep in mind that the host name in SNI is sent in the clear (the Encrypted Client Hello extension, still a draft, addresses that), so SNI is a routing mechanism, not a privacy one.

Browser support for SNI is now near-universal across desktop and mobile browsers. The notable exceptions are old clients such as any version of Internet Explorer on Windows XP and Android 2.x; such clients receive the certificate of the first (default) virtual host, which produces a name mismatch warning for any other site. For more information on which browsers support SNI, please see SNI browser support.

To use SNI on Apache, please make sure you complete the instructions on the Apache SSL installation page. Then continue with the steps on this page.

Setting up SNI with Apache

To use additional SSL certificates on your server you need to create another VirtualHost. As a best practice, back up your existing .conf file before proceeding. You can create the new VirtualHost in your existing .conf file or in a new .conf file. If you create a new .conf file, add the following line to your existing .conf file:

Include my_other_site.conf

Next, in the NameVirtualHost directive list your server's public IP address, *:443, or whichever port you use for SSL (see example below). NameVirtualHost is only needed on Apache 2.2; Apache 2.4 ignores it with a warning, so omit it there.

Then point SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile to the locations of the certificate files for each website as shown below. The first VirtualHost listed for an address:port pair is the default and is what non-SNI clients get, so make it the site whose certificate you would rather such clients see; alternatively, set SSLStrictSNIVHostCheck on to refuse non-SNI clients with a 403 rather than serving them the wrong certificate. On Apache 2.4.8 and later SSLCertificateChainFile is deprecated and the intermediate certificates are instead appended to the file named in SSLCertificateFile.

NameVirtualHost *:443

<VirtualHost *:443>
 ServerName www.yoursite.com
 DocumentRoot /var/www/site
 SSLEngine on
 SSLCertificateFile /path/to/www_yoursite_com.crt
 SSLCertificateKeyFile /path/to/www_yoursite_com.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

<VirtualHost *:443>
 ServerName www.yoursite2.com
 DocumentRoot /var/www/site2
 SSLEngine on
 SSLCertificateFile /path/to/www_yoursite2_com.crt
 SSLCertificateKeyFile /path/to/www_yoursite2_com.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

If you have a Wildcard or Multi-Domain SSL certificate, all of the websites using the same certificate need to reference the same IP address in the VirtualHost IP address:443 section, as in the example below:

<VirtualHost 192.168.1.1:443>
 ServerName www.domain.com
 DocumentRoot /var/www/
 SSLEngine on
 SSLCertificateFile /path/to/your_domain_name.crt
 SSLCertificateKeyFile /path/to/your_private.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

<VirtualHost 192.168.1.1:443>
 ServerName site2.domain.com
 DocumentRoot /var/www/site2
 SSLEngine on
 SSLCertificateFile /path/to/your_domain_name.crt
 SSLCertificateKeyFile /path/to/your_private.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

Now run apachectl configtest, restart Apache and access the HTTPS site from a browser that supports SNI. If you set it up correctly, you reach each site without warnings or problems. You can also check from the command line which certificate a given name receives with openssl s_client -connect IP:443 -servername www.yoursite2.com, and compare the certificate subject returned with and without the -servername option to see what a non-SNI client gets. You can add as many websites or SSL certificates as you need using the above process.
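The VirtualHost selection above depends entirely on what the client puts in the ClientHello. The following is an added example, not code from the DigiCert page or from Apache: it builds a minimal TLS 1.2 ClientHello carrying an SNI extension, parses the bytes back the way a server must before it can choose a certificate, and models the fallback for a client that sends no SNI at all. The VHOSTS map uses the ServerName and certificate paths from the configuration above; select_certificate is a simplified model of Apache's behaviour (first VirtualHost as default, SSLStrictSNIVHostCheck refusing non-SNI clients), not Apache's own code, and the zeroed random field marks the hello as a constructed sample.

```python
"""Build and parse the TLS Server Name Indication (SNI) extension.
Added example, not from the DigiCert page or Apache; select_certificate is a
simplified model of Apache's VirtualHost choice, and the hello is constructed."""
import struct
from typing import Dict, Optional


def build_client_hello(host_name: Optional[str]) -> bytes:
    """One TLS record holding a minimal TLS 1.2 ClientHello. The random field
    is zeroed (constructed sample). host_name=None produces a legacy hello with
    no extensions block, like Internet Explorer on Windows XP."""
    body = (
        b"\x03\x03" + bytes(32)                  # client_version 1.2, random
        + b"\x00"                                 # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                             # compression_methods: null only
    )
    if host_name is not None:
        name = host_name.encode("idna")           # SNI is ASCII; IDNs are punycoded
        entry = struct.pack("!BH", 0, len(name)) + name           # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        sni = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # ext type 0 = server_name
        body += struct.pack("!H", len(sni)) + sni
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def parse_sni(record: bytes) -> Optional[str]:
    """host_name from a ClientHello record, or None if the hello carries no
    SNI or is malformed/truncated (a real server would keep reading)."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        return None
    pos = 34                                      # skip client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                          # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                          # compression_methods
    if pos + 2 > len(body):
        return None                               # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:                         # walk the extension list
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data, pos = body[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
        if ext_type != 0x0000 or len(data) < 5:
            continue
        # ServerNameList: list length (2), then name_type (1), name length (2), name.
        # RFC 6066 permits only one host_name entry, so only the first is read.
        name_type, name_len = data[2], struct.unpack("!H", data[3:5])[0]
        name = data[5:5 + name_len]
        if name_type == 0 and len(name) == name_len:
            return name.decode("ascii")
    return None


def select_certificate(record: bytes, vhosts: Dict[str, str], strict: bool = False) -> Optional[str]:
    """Model of Apache's choice: the VirtualHost whose ServerName matches the
    SNI host, else the first VirtualHost for that address:port. With strict=True
    (SSLStrictSNIVHostCheck on) a client that sends no SNI is refused (None)."""
    name = parse_sni(record)
    if name is None and strict:
        return None
    if name is not None and name.lower() in vhosts:
        return vhosts[name.lower()]
    return next(iter(vhosts.values()))            # dicts keep insertion order


VHOSTS = {  # ServerName -> SSLCertificateFile, in the order the VirtualHosts appear
    "www.yoursite.com": "/path/to/www_yoursite_com.crt",
    "www.yoursite2.com": "/path/to/www_yoursite2_com.crt",
}

if __name__ == "__main__":
    for host in ("www.yoursite2.com", "unknown.example", None):
        rec = build_client_hello(host)
        print(host, "->", parse_sni(rec), select_certificate(rec, VHOSTS))
```

The parser returns None both for a legacy hello without an extensions block and for a truncated record, and select_certificate shows why the order of VirtualHosts matters: the first one is what every non-SNI client, and every client naming an unknown host, is served.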