
Tests

Security

HTTPS

Every request that tries to load a page over plain HTTP (http://) should receive nothing but a redirect to the HTTPS URL of the same resource; no content should be served over the insecure scheme.

How to set up SSL redirect

Kubernetes:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    # HTTP -> HTTPS: ingress-nginx answers plain-http requests with a permanent redirect
    # to https. This needs a tls: section on the Ingress; if TLS terminates in front of
    # the controller use force-ssl-redirect: "true" instead.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # optional: also send www.example.com to example.com, as the nginx block below does
    nginx.ingress.kubernetes.io/from-to-www-redirect: "true"

Nginx:

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    # answer every plain-http request with a permanent redirect to the canonical
    # https URL, keeping the requested path and query string; the https site itself
    # lives in a separate server block that listens on 443 ssl
    return 301 https://example.com$request_uri;
}

HSTS

Fingerprint

How to remove server header

Kubernetes:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    # ingress-nginx ships the headers-more module, so more_clear_headers is available.
    # Snippet annotations are disabled by default in recent controller releases and
    # must be enabled with allow-snippet-annotations: "true" in the controller ConfigMap.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_clear_headers "Server";

Nginx:

http {
    ...
    # needs the headers-more module (ngx_http_headers_more_filter_module);
    # without it, server_tokens off; only hides the version, not the header itself
    more_clear_headers Server;
    ...
}

Permissions policy

Referrer policy

X-Frame-Options

How to set X-Frame-Options header

Kubernetes:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Frame-Options: DENY";

Nginx:

# "always" sends the header on error responses too; note that any add_header in a
# location block replaces (does not extend) the add_header set of the enclosing block
add_header X-Frame-Options "DENY" always;

Apache:

Header always set X-Frame-Options "DENY"

X-XSS-Protection

How to set X-XSS-Protection header

Kubernetes:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    # 0 switches the legacy browser XSS auditor off; it is no longer a protection and
    # in older browsers could be abused to leak page content
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-XSS-Protection: 0";

Nginx:

add_header X-XSS-Protection "0" always;  # always: also on 4xx/5xx responses

Apache:

Header always set X-XSS-Protection "0"
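An offline checker for the tests above (HTTPS redirect, Fingerprint, X-Frame-Options, X-XSS-Protection), added here as an example; it is not the page's own test code. It works on a status code and a header dict the caller has already captured (for example from `curl -I` or a `requests` response), so it needs no network. The hostnames and sample responses are constructed, and the X-Powered-By check goes slightly beyond the page, which only removes Server.

```python
"""Offline checks for the HTTPS redirect and the response-header tests above
(Fingerprint, X-Frame-Options, X-XSS-Protection). Added example, not the
page's own test code. It works on a status code and a header dict the caller
has already captured (e.g. from curl -I or a requests response), so it needs no
network; the hostnames and sample responses below are constructed.
"""
from urllib.parse import urlsplit

# Headers that identify the server software; the page removes Server, and
# X-Powered-By is the other usual offender (assumed addition, not from the page).
FINGERPRINT_HEADERS = ("server", "x-powered-by")


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def _lower(headers):
    # header names are case-insensitive; values keep their case
    return {k.lower(): v.strip() for k, v in headers.items()}


def check_https_redirect(request_url, status, headers):
    """Findings for the response to a plain-http request.

    Expected: 301 or 308 with a Location that is the https:// form of the same
    host (www may be dropped, as in the nginx block above) and the same path
    and query string. An empty list means the test passes.
    """
    findings = []
    h = _lower(headers)
    if status not in (301, 308):
        findings.append(f"plain-http request answered with {status}, expected 301 or 308")
    location = h.get("location")
    if location is None:
        findings.append("no Location header, so the client is not redirected")
        return findings
    src, dst = urlsplit(request_url), urlsplit(location)
    if dst.scheme != "https":
        findings.append(f"Location is not an https URL: {location}")
    if _strip_www(dst.hostname or "") != _strip_www(src.hostname or ""):
        findings.append(f"redirect leaves the site: {src.hostname} -> {dst.hostname}")
    if (dst.path or "/", dst.query) != (src.path or "/", src.query):
        findings.append("redirect drops the requested path or query string")
    return findings


def check_response_headers(headers):
    """Findings for the Fingerprint, X-Frame-Options and X-XSS-Protection tests."""
    findings = []
    h = _lower(headers)
    for name in FINGERPRINT_HEADERS:
        if name in h:
            findings.append(f"{name} header reveals the stack: {h[name]!r}")
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")
    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing; set it to 0 to turn the legacy filter off")
    elif xss != "0":
        findings.append(f"X-XSS-Protection is {xss!r}; the legacy filter should be disabled with 0")
    return findings


if __name__ == "__main__":
    # Constructed sample responses (not captured from a real site).
    print(check_https_redirect("http://www.example.com/login?next=%2F", 301,
                               {"Location": "https://example.com/login?next=%2F"}))
    print(check_https_redirect("http://example.com/", 200, {"Content-Type": "text/html"}))
    print(check_response_headers({"Server": "nginx/1.18.0",
                                  "X-Frame-Options": "ALLOW-FROM https://example.org",
                                  "X-XSS-Protection": "1; mode=block"}))
```

Both functions return a list of findings rather than a boolean so that a scanner can report every failed rule for a URL at once; the redirect check deliberately accepts a dropped `www.` because the nginx configuration above canonicalises the host in the same redirect.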

HTML

JavaScript

CSS

Image

Anchor

WordPress

Default files

A fresh WordPress installation leaves behind files that serve no purpose on a running site. Their mere presence reveals that the site runs WordPress, and some of them also reveal the exact version.

For example, /wp-admin/install.php is still reachable after installation, and its source contains:

<link rel='stylesheet' id='dashicons-css'  href='/wp-includes/css/dashicons.min.css?ver=5.4.2' type='text/css' media='all' />
Delete unnecessary files
  • /readme.html
  • /license.txt
  • /wp-config-sample.php
  • /wp-admin/install.php
  • /wp-admin/upgrade.php

Core updates restore these files, so either repeat the cleanup after every update or deny access to these paths in the web server configuration instead.

Generator

There are multiple places where WordPress adds information about itself, including its version. Hide all of these occurrences, so that nobody can tell whether the page is generated by WordPress or which version it runs.

<meta name="generator" content="WordPress 5.4.2" />
Remove generator tag from HTML
<?php
// functions.php: stop wp_head() from printing the generator <meta> tag
remove_action('wp_head', 'wp_generator');
Remove generator tag from RSS feed
<?php
// functions.php: blank the generator string used by the RSS/Atom feeds
// (wp_generator() goes through the same filter, so this covers the HTML tag too)
function remove_wp_version_rss() {
    return '';
}

add_filter('the_generator', 'remove_wp_version_rss');
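A check for the two version leaks this WordPress section describes, the generator meta tag and the `?ver=` query string that WordPress appends to its own script and stylesheet URLs (the install.php excerpt above shows one). This is an added example, not code from the page or from WordPress; the sample HTML is constructed.

```python
"""Find the WordPress version leaks described above: the generator <meta> tag
and the ?ver= query string WordPress appends to its core script and stylesheet
URLs. Added example, not code from the original page; the sample HTML below is
constructed, loosely modelled on the install.php excerpt above.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Assets under these paths belong to WordPress core, so their ?ver= is the
# WordPress version unless a theme or plugin overrides it.
CORE_ASSET_PREFIXES = ("/wp-includes/", "/wp-admin/")
_VERSION_RE = re.compile(r"\d+(\.\d+)+")


class _LeakParser(HTMLParser):
    """Collect the generator meta tag and ?ver= values of core assets."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.core_asset_versions = {}  # asset path -> ver query value

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
            return
        if tag == "link":
            url = a.get("href")
        elif tag == "script":
            url = a.get("src")
        else:
            return
        if not url:
            return
        parts = urlsplit(url)  # handles absolute and root-relative URLs alike
        if parts.path.startswith(CORE_ASSET_PREFIXES):
            ver = parse_qs(parts.query).get("ver")
            if ver:
                self.core_asset_versions[parts.path] = ver[0]


def wordpress_version_leaks(html):
    """Return a dict of what the page gives away about WordPress.

    Keys: "generator" (the meta tag content when it names WordPress) and
    "asset_ver" (sorted distinct numeric ?ver= values on core assets).
    An empty dict means both leaks covered here are closed.
    """
    parser = _LeakParser()
    parser.feed(html)
    parser.close()
    leaks = {}
    if parser.generator and parser.generator.lower().startswith("wordpress"):
        leaks["generator"] = parser.generator
    # Some core assets (jquery, for one) carry their own library version such as
    # 1.12.4-wp; only plain dotted numbers are taken as candidate WordPress versions.
    versions = {v for v in parser.core_asset_versions.values() if _VERSION_RE.fullmatch(v)}
    if versions:
        leaks["asset_ver"] = sorted(versions)
    return leaks


# Constructed sample page (not a capture from a real site).
SAMPLE_HTML = """<!doctype html><html><head>
<meta name="generator" content="WordPress 5.4.2" />
<link rel='stylesheet' id='dashicons-css' href='/wp-includes/css/dashicons.min.css?ver=5.4.2' type='text/css' media='all' />
<script src='https://example.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp'></script>
<link rel='stylesheet' href='/wp-content/plugins/some-plugin/style.css?ver=2.1' />
</head><body></body></html>"""

if __name__ == "__main__":
    print(wordpress_version_leaks(SAMPLE_HTML))
    # -> {'generator': 'WordPress 5.4.2', 'asset_ver': ['5.4.2']}
```

The point of the second check is that removing the generator tag alone, as the functions.php snippets above do, still leaves the version in every core asset URL. On the WordPress side the usual fix is to strip the `ver` argument in the `style_loader_src` and `script_loader_src` filters (for example with `remove_query_arg('ver', $src)`), after which this function should return an empty dict for the site's front page.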