Suggested Webserver security settings


#Security Settings start
#https://securityheaders.io/?q=blog.fawcs.info&hide=on&followRedirects=on
#HSTS-enabled
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; pre
#Content-Security-Policy
Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' '
#Public-Key-Pins


#X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"
#X-XSS-Protection
Header always set X-XSS-Protection "1; mode=block"
#X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"

SSLProxyEngine on
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+S !3DES !MD5 !EXP !PSK !SRP !DSS"

#Custom Settings
TraceEnable off
ServerSignature Off
ServerTokens Prod
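The directives above only help if the server actually emits them, so a quick way to verify a deployment is to fetch a response and check the headers against the intended values. The following checker is an added example, not part of the original post: it runs on a constructed header set that mirrors what these Apache settings should produce, with one deliberate defect (a Server header that still leaks a version, i.e. ServerTokens not set to Prod).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample response headers (not captured from any real server).
# They reflect the Apache directives on this page, except that the Server
# header still discloses a version, which ServerTokens Prod would suppress.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src https: data: 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

MIN_HSTS_AGE = 31536000  # one year, the max-age used on this page


def check_security_headers(headers: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (failures, warnings) for a dict of HTTP response headers.

    Failures are settings that are missing or wrong; warnings are settings
    that are present but weaker than they could be. Header names are matched
    case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    failures, warnings = [], []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        failures.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            failures.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            warnings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        failures.append("CSP missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        # A CSP that permits inline script gives little protection against XSS.
        warnings.append("CSP allows 'unsafe-inline' or 'unsafe-eval'; weak against XSS")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        failures.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        failures.append("X-Content-Type-Options is not nosniff")

    # ServerTokens Prod yields just "Apache"; a slash means a version is disclosed.
    if "/" in h.get("server", ""):
        failures.append("Server header discloses version")

    return failures, warnings
```

Feed it the headers from a real response (for example, parsed from `curl -sI`) to confirm the configuration took effect after a reload.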
