News

Much work and same design and content II

Today I spent some time to harden security of this website.By adding or improving some headers for communication between server and browsers a most desired A+ -rating was reached.

Base for the work on security was the test on www.htbridge.com/ssl/ where the test www.htbridge.com/websec/ is also included.

Both tests consist of many details and some points might look still improvable but verifying the things a bit more I discovered that some incompatibilities mentioned on the first testpage are related to old standards.

So the tests related to HIPAA and NIST Guidlines recommend still old chiper codes which I can't serve because the new OpenSSL-Version never includes these chipers anymore.

Having a A+-result for the SSL-test risks are very reduced concerning the second test. Nevertheless the usage of TYPO3 requires to weaken some restrictions, this might be the same with any dynamic system that depends also on JavaScript. Therefore the second test results "only" in an A instead of A+.
This "A" was still improved by the following two steps:

  1. Some restrictions concerning Scripts in the content: they can't be embedded directly anymore but have to be included with separated files. So script-files can be secured additional with file-rights and injecting script-code directly inside any page on client-side is not possible anymore.
    After outsourcing a few script for social-buttons for facebook and twitter the restrictions could be increased.
  2. As the CMS TYPO3 doesn't work with this restriction the backend was moved to another domain. Settings  for this domain have to be less restrictive like before for the whole site but like that the backend could be secured easy with an additional second password and security is not only more safe in the statistics but also by steps that are not measured in the tests.

The old value for the first test has been B and the old value for the second test F.
So by changing a few technical details the site is much safer now, and without too much worries customer accounts and forms i.e. contact-form can be implemented now.

Comments (0)

No comments found!

Write new comment

CAPTCHA image for SPAM prevention If you can't read the word, click here.