I use a lot of online services for personal and business purposes. However, I usually don't sign up for anything without checking its security first.
Using a small number of free & online tools, I will show you how I check the security & privacy of websites before signing up. This will be a quick introduction to basic website security which every organisation, website & service should have in place.
15. X-XSS-Protection
Tells visiting web browsers to switch on their built-in filter for reflected
cross-site scripting (XSS), where attacker-controlled input is echoed back
into the page as script. Reflected XSS is a common building block for
phishing and session hijacking, so the filter reduces that risk.
Best configuration (at the time of writing):
X-XSS-Protection: 1; mode=block
Caveat: the filter has since been removed from Chrome and Edge and was never
implemented in Firefox, so the header is now mostly historical. Current OWASP
guidance is to send 0 or omit it and rely on a Content Security Policy instead;
value 1 without mode=block was itself abusable on older browsers, because an
attacker could use the filter to selectively disable the site's own scripts.
16. X-Frame-Options
Tells browsers that your website may NOT be displayed inside a «frame» on
another site, which defends against clickjacking (tricking a user into
clicking on your page while it is invisibly embedded in the attacker's page).
Use DENY to forbid all framing, or SAMEORIGIN to allow framing only by pages
from your own origin; other values such as ALLOW-FROM are not supported by
current browsers and are treated as invalid. The CSP directive
frame-ancestors is the modern replacement and takes precedence when both are sent.
Example configuration (nginx):
add_header X-Frame-Options "SAMEORIGIN" always;
17. HSTS (Strict Transport Security) – RFC 6797
HSTS tells visiting web browsers to always use HTTPS when connecting to the
website for the number of seconds given in the max-age directive, so that
later plain-HTTP links and typed addresses are upgraded before any request
leaves the browser. With includeSubDomains the rule also covers subdomains.
This only works for websites that offer HTTPS: browsers ignore the header
when it arrives over plain HTTP, and once HSTS is in effect a certificate
error on the site can no longer be clicked through, so the certificate setup
must be kept healthy.
18. HPKP (Public Key Pinning) – RFC 7469
HPKP goes one step further than HSTS: the Public-Key-Pins header lists hashes
of public keys that the site's certificate chain must contain, and for the
given max-age the browser rejects any certificate for that host that does not
match one of the pins, even if a trusted CA issued it. The pins apply only to
the host that sent them (plus subdomains if includeSubDomains is set), not to
other sites.
Getting browsers to use HTTPS even the first time they connect is a separate
mechanism, HSTS preloading: the preload directive in the HSTS header plus
submission to hstspreload.org places the site in the list shipped with browsers.
Pinning very effectively blocks MitM with a mis-issued or rogue-CA certificate,
but a wrong or lost pin locks every visitor out until max-age expires, and it
requires good technical knowledge to implement and maintain. Browsers have
since dropped HPKP support (Chrome and Firefox both removed it in their
version 72); Certificate Transparency is now the expected defence against
mis-issued certificates.
19. CSP – Content Security Policy
A CSP is a set of rules that a website sends to a visiting browser, telling it
which sources (its own origin, named external sites, nonces or hashes) are
allowed to provide scripts, styles, images, frames and other content for the
page; anything else, including injected inline script, is blocked. Its main
purpose is limiting the damage of cross-site scripting.
A lot of companies do MitM of plaintext HTTP traffic in order to inject or
replace ads and other information for the end user. A CSP can block the
injected scripts, but only if the attacker cannot also rewrite the headers,
which on plaintext HTTP they can simply do by stripping the policy. HTTPS
must therefore be used to protect the CSP itself from MitM attacks; with
HTTPS in place, CSP's remaining job is containing XSS and other injection in
the site's own pages.
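The checks described in sections 15 to 19 can be automated against the headers a site actually returns. The script below is an added example written for this page, not one of the online tools the post refers to and not code from the post itself. It takes a dict of response headers (for instance requests.get(url).headers, or values pasted from a header checker) and returns findings for X-XSS-Protection, X-Frame-Options, HSTS, HPKP and CSP; the two header sets at the bottom are constructed for the demonstration, and the one-year HSTS threshold is the hstspreload.org preload requirement.

```python
"""Added example (not from the original post): grade the security headers
discussed in sections 15-19 from a dict of HTTP response headers.

The headers can come from requests.get(url).headers or be pasted from an
online header checker; the two sample header sets below are constructed.
"""
from __future__ import annotations

ONE_YEAR = 31536000  # seconds; hstspreload.org requires at least this for preload


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=31536000; includeSubDomains; preload' (RFC 6797 syntax)."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and val.strip().strip('"').isdigit():
            out["max_age"] = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse a CSP into {directive: [source expressions]}; first occurrence wins."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def check_headers(headers: dict[str, str], https: bool = True) -> list[str]:
    """Return human-readable findings; an empty list means nothing to complain about."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    # 15. X-XSS-Protection: mode "1" without mode=block let attackers selectively
    # neuter scripts on old browsers; "0" or omission is the current advice.
    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip().startswith("1") and "mode=block" not in xss.lower():
        findings.append("X-XSS-Protection: '1' without mode=block; send '0' and rely on CSP")

    # 16. X-Frame-Options: DENY and SAMEORIGIN are the only values browsers honour;
    # a CSP frame-ancestors directive is an acceptable substitute.
    xfo = h.get("x-frame-options")
    csp = parse_csp(h.get("content-security-policy", ""))
    if xfo is None and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options: missing and no CSP frame-ancestors; clickjacking possible")
    elif xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: unsupported value {xfo!r}; use DENY or SAMEORIGIN")

    # 17. HSTS: browsers ignore the header when it arrives over plain HTTP.
    hsts = h.get("strict-transport-security")
    if not https:
        findings.append("HSTS: page fetched over HTTP; header would be ignored")
    elif hsts is None:
        findings.append("HSTS: missing")
    else:
        p = parse_hsts(hsts)
        if p["max_age"] is None:
            findings.append("HSTS: no max-age; header is invalid and ignored")
        elif p["max_age"] < ONE_YEAR:
            findings.append(f"HSTS: max-age {p['max_age']} is below one year")
        if p["preload"] and not (p["include_subdomains"] and (p["max_age"] or 0) >= ONE_YEAR):
            findings.append("HSTS: preload requested but includeSubDomains/1-year max-age missing")

    # 18. HPKP: no longer enforced by browsers; a stale pin set is pure lockout risk.
    if "public-key-pins" in h or "public-key-pins-report-only" in h:
        findings.append("HPKP: header present; browsers no longer enforce it, consider removing")

    # 19. CSP: inspect the script source list, falling back to default-src.
    if not csp:
        findings.append("CSP: missing")
    else:
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src and not any(s.startswith(("'nonce-", "'sha")) for s in script_src):
            findings.append("CSP: 'unsafe-inline' in script sources without nonce/hash; XSS not mitigated")
        if "*" in script_src:
            findings.append("CSP: wildcard '*' in script sources allows any host")
    return findings


# Constructed sample header sets (not captured from any real site).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'self'",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "X-XSS-Protection": "1",
    "Public-Key-Pins": 'pin-sha256="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; max-age=5184000',
    "Content-Security-Policy": "default-src *; script-src 'unsafe-inline' *",
}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, check_headers(hdrs) or ["no findings"])
```

Pass https=False when the page was fetched over plain HTTP so the HSTS check reports the header as ignored rather than grading its directives; the WEAK_HEADERS set triggers one finding per section, and GOOD_HEADERS none.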