add posts/2021-10-21-tls-and-header-fixes.md

1 files changed, 102 insertions, 0 deletions

diff --git a/content/posts/2021-10-21-tls-and-header-fixes.md b/content/posts/2021-10-21-tls-and-header-fixes.md
new file mode 100644
index 0000000..430561d
--- /dev/null
+++ b/content/posts/2021-10-21-tls-and-header-fixes.md
@@ -0,0 +1,102 @@
+---
+slug: tls-and-header-fixes
+title: "TLS and Header Fixes"
+date: "2021-10-21T10:22:04-04:00"
+draft: true
+---
+Yesterday I scanned this site using the following tools:
+
+* [SSL Labs: SSL Server Test][ssllabs]: [TLS][] version,
+  [cipher suites][cipher-suite], and security headers scanner.
+* [Security Headers][securityheaders]: [HTTP][] response security
+  headers scanner.
+* [Lighthouse][lighthouse]: Page performance and accessibility scanner.
+
+I made a several [Apache][] configuration changes based on the
+initial scan results:
+
+1. Disabled ancient versions of [TLS][].
+2. Set an explicit [cipher suite list][cipher-suite] using the
+   [Mozilla SSL Configuration Generator][ssl-config-gen].
+3. Refined the value of the `Access-Control-Allow-Origin` header.
+4. Added two new headers: `Referrer-Policy` and `Permissions-Policy`.
+
+After a couple of iterations of changes and testing, I:
+
+* Updated [my recent post][response-header-post] to reflect the
+  response header changes in the [Apache][] configuration.
+* Applied the same changes (with minor tweaks) to several other
+  sites.
+
+**Tip:** Use the [Mozilla SSL Configuration Generator][ssl-config-gen]
+to generate your [TLS][] configuration.  It has three client profiles
+("modern", "intermediate", and "old") and supports a variety of servers
+(web, email, database, application, etc).
+
+Random thoughts:
+* Static site generators like [Hugo][] and [Jekyll][] make it easy to
+  check off many performance and security requirements.
+* As an industry, we still have not learned to ["have one joint and keep
+  it well oiled"][lesson] when dealing with security.  Notable
+  exception: [Wireguard][].
+
+Screenshots of the improved scan results are available below.  Click the
+[SSL Labs][ssllabs] and [Security Headers][securityheaders] pictures to
+see the scan details.
+
+[{{< figure
+  src="/files/posts/tls-and-header-fixes/ssllabs.png"
+  class=image
+  width=990
+  height=506
+  caption="SSL Labs scan results."
+>}}][ssllabs-results]
+
+[{{< figure
+  src="/files/posts/tls-and-header-fixes/securityheaders.png"
+  class=image
+  width=1226
+  height=297
+  caption=" Security Headers scan results."
+>}}][securityheaders-results]
+
+{{< figure
+  src="/files/posts/tls-and-header-fixes/lighthouse-desktop.png"
+  class=image
+  width=488
+  height=192
+  caption="Lighthouse desktop scan results."
+>}}
+
+[ssllabs]: https://www.ssllabs.com/ssltest/
+  "TLS version, cipher suite, and response header scanner."
+[securityheaders]: https://securityheaders.com/
+  "HTTP response header scanner."
+[lighthouse]: https://developers.google.com/web/tools/lighthouse
+  "Page performance and accessibility scanner."
+[cipher-suite]: https://en.wikipedia.org/wiki/Cipher_suite
+  "Set of cryptographic algorithms."
+[tls]: https://en.wikipedia.org/wiki/Transport_Layer_Security
+  "Transport Layer Security"
+[http]: https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol
+  "HyperText Transfer Protocol"
+[apache]: https://apache.org/
+  "Apache web server."
+[response-header-post]: {{< ref "/posts/2021-10-19-hugo-csp-impedance-mismatch.md" >}}
+  "My recent post on Hugo and HTTP response headers."
+[ssl-config-gen]: https://ssl-config.mozilla.org/
+  "Mozilla SSL Configuration Generator"
+[ssllabs-results]: https://www.ssllabs.com/ssltest/analyze.html?d=pablotron.org&hideResults=on
+  "SSL Labs scan results."
+[securityheaders-results]: https://securityheaders.com/?q=pablotron.org&hide=on&followRedirects=on
+  "Security Headers scan results."
+[postgres]: https://postgresql.org/
+  "PostgreSQL relational database server."
+[lesson]: https://www.imperialviolet.org/2016/05/16/agility.html
+  "Cryptographic Agility, by Adam Langley."
+[wireguard]: https://www.wireguard.com/
+  "Wireguard VPN"
+[hugo]: https://gohugo.io/
+  "Hugo static site generator."
+[jekyll]: https://jekyllrb.com/
+  "Jekyll static site generator."