Building a sound foundation

Introduction
- What?
- Why?
- How?
Keep only required modules
- Nginx
- Apache
Disable unwanted services
- Apache
- Nginx
Restrict file and directory access
- Apache
- Nginx
Disable unwanted HTTP methods
- Nginx
- Apache
Create non-root users
Install and use ModSecurity
Install and use ModEvasive
Set up and configure logging
- Nginx
- Apache

Resolving TLS issues

Introduction
- What?
- Why?
- How?
(Re)configure TLS
Manually specify cipher suite
Configure forward secrecy

Preventing information disclosure

Introduction
- What?
- Why?
- How?
Hide web server information
- Apache
- Nginx
Disable directory listing

Setting HTTP security headers

Introduction
- What?
- Why?
- How?
Check your HTTP security headers
HTTP Strict Transport Security (HSTS)
- Nginx
- Apache
- Resources
X-Frame-Options
- Nginx
- Apache
- Resources
Content Security Policy (CSP)
- Nginx
- Apache
- Resources
Permissions-Policy
- Apache
- Nginx
- Resources
Referrer-Policy
- Apache
- Nginx
- Resources
X-Content-Type-Options
- Apache
- Nginx
- Resources
X-XSS-Protection
- Apache
- Nginx
- Resources
Set-Cookie
- Resources
Content-Type
- Resources

Using CORS

Introduction
- What?
- Why?
- How?
CORS best practices
CORS on Nginx
- Resources
CORS on Apache
- Resources

Hardening webserver

Ty Myrddin Home
Unseen University
Improbability Blog
About
Contact

CORS on Apache

Resources

MDN Web docs: Cross-Origin Resource Sharing (CORS)
MDN Web docs: Access-Control-Allow-Origin
How to Set Access-Control-Allow-Origin (CORS) Headers in Apache

Previous

Unseen University, 2024, with a forest garden fostered by /ut7.