Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hardenize Website #16

Open
Nurmagoz opened this issue Jul 28, 2021 · 1 comment
Open

Hardenize Website #16

Nurmagoz opened this issue Jul 28, 2021 · 1 comment
Assignees
@Vitexus
Labels
enhancement

Comments

@Nurmagoz
Copy link

Its better for the visitors so as users to have secure path/browsing when they use vitex website/repo.

So here are some useful scanners to show useful reports on where the issues are:

https://www.hardenize.com/report/vitexsoftware.cz/1627479787 (many missing features)
https://www.ssllabs.com/ssltest/analyze.html?d=www.vitexsoftware.cz&s=213.151.89.97 (B)
https://securityheaders.com/?q=www.vitexsoftware.cz&followRedirects=on (F)
https://observatory.mozilla.org/analyze/www.vitexsoftware.cz (F)

Important missing features/configs:

From ssllabs scanner:

https://www.ssllabs.com/ssltest/analyze.html?d=www.vitexsoftware.cz&s=213.151.89.97

We find:

  • Check certificate expiray

Valid until | Tue, 22 Jun 2021 15:34:45 UTC (expired 1 month and 5 days ago)   EXPIRED

  • Disable TLS 1.0 , 1.1 (deprecated) , Allow TLS 1.3
  • Disable weak ciphers
  • OCSP stapling missing
  • Hide Nginx version (better practice)

From Hardenize scanner

https://www.hardenize.com/report/vitexsoftware.cz/1627479787

We find:

  • CAA (unless you are using CDN or so then thats different thing)

https://www.hardenize.com/report/vitexsoftware.cz/1627479787#domain_caa

  • Certificate doesn't match hostname

The provided certificate doesn't match the expected hostname.

Expected hostname: vitexsoftware.cz

https://www.hardenize.com/report/vitexsoftware.cz/1627479787#www_certs

  • PHPSESSID: missing HttpOnly , Secure , SameSite

https://www.hardenize.com/report/vitexsoftware.cz/1627479787#www_cookies

  • HSTS , HSTS-Preload missing

https://www.hardenize.com/report/vitexsoftware.cz/1627479787#www_hsts

  • CSP missing

https://www.hardenize.com/report/vitexsoftware.cz/1627479787#www_csp

  • webapp security

https://www.hardenize.com/report/vitexsoftware.cz/1627479787#www_xfo
https://www.hardenize.com/report/vitexsoftware.cz/1627479787#www_xxssp
https://www.hardenize.com/report/vitexsoftware.cz/1627479787#www_xcto

From securityheaders

https://securityheaders.com/?q=www.vitexsoftware.cz&followRedirects=on

We find:

Everything is missing :) .

ThX!
@Vitexus
Copy link
Owner

Vitexus commented Jul 29, 2021

Thank you for your issue.

@Vitexus Vitexus self-assigned this Jul 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Vitexus Vitexus

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Vitexus @Nurmagoz