Security Headers

I saw a post on twitter about Security Headers. Basically Security Headers will scan your website and check for some common HTTP Headers that you should be including to make your site more secure. They also include helpful links as to how to fix the issues it finds. On my first scanned it warned me of the following: MISSING Content-Security-Policy, MISSING X-Frame-Options, MISSING X-Xss-Protection, MISSING X-Content-Type-Options, MISSING Public-Key-Pins, and X-Powered-By. After going through their documentation I added all of those headers except for Public Key Pins. I am not 100% on that, my concern is when your certificate expires and you replace it (which on a free certificate happens every year) do you end up with people getting an error on your website for the next week cause they have an old key pinned? Not sure enough about that to actually enable it, which is why I hadn’t previously enabled it. The other headers though I didn’t realize could be an issue so I promptly corrected them. The one thing I couldn’t easily fix was the Server header as apparently that is compiled into NGINX and I wasn’t feeling like compiling my own from source. I was able to remove the version string though. All in all they give some very easy configuration changes you can make to help prevent attacks against your website and I strongly recommend giving their tool a look.

Speaking of security…

Today I came across the following news.┬áThe Chrome security team is considering marking all non-HTTPS sites as insecure (since they are.)┬áCheck out the story here. What this means is that if you don’t setup SSL on your site you are likely to lose users who are going to fear if your site is safe to use. Google has already announced that they are going to score pages higher in their search index if they use encryption and this is just more incentive for people to take the time to secure their sites. In 2014 it no longer makes sense to run a non-encrypted website. Techdirt also covered the story here.

I forgot to mention you can get free SSL certificates at Start SSL so price isn’t an excuse for not upgrading your site.