---
slug: tls-and-header-fixes
title: "TLS and Header Fixes"
date: "2021-10-21T10:22:04-04:00"
draft: false
pics:
  ssllabs:
    css: "image"
    tip: "SSL Labs scan results."
    sources:
      - "/files/posts/tls-and-header-fixes/ssllabs.webp"
      - src: "/files/posts/tls-and-header-fixes/ssllabs.png"
        width: 990
        height: 506
  securityheaders:
    css: "image"
    tip: "Security Headers scan results."
    sources:
      - "/files/posts/tls-and-header-fixes/securityheaders.webp"
      - src: "/files/posts/tls-and-header-fixes/securityheaders.png"
        width: 1226
        height: 297
  lighthouse-desktop:
    css: "image"
    tip: "Lighthouse desktop scan results."
    sources:
      - "/files/posts/tls-and-header-fixes/lighthouse-desktop.webp"
      - src: "/files/posts/tls-and-header-fixes/lighthouse-desktop.png"
        width: 488
        height: 192
---

Yesterday I scanned this site using the following tools:

* [SSL Labs: SSL Server Test][ssllabs]: [TLS][] version, [cipher suite][cipher-suite], and security header scanner.
* [Security Headers][securityheaders]: [HTTP][] response security header scanner.
* [Lighthouse][lighthouse]: Page performance and accessibility scanner.

I made several [Apache][] configuration changes based on the initial scan results:

1. Disabled ancient versions of [TLS][].
2. Set an explicit [cipher suite list][cipher-suite] using the [Mozilla SSL Configuration Generator][ssl-config-gen].
3. Refined the value of the `Access-Control-Allow-Origin` header.
4. Added two new headers: `Referrer-Policy` and `Permissions-Policy`.

After a couple of iterations of changes and testing, I:

* Updated [my recent post][response-header-post] to reflect the response header changes in the [Apache][] configuration.
* Applied the same changes (with minor tweaks) to several other sites.

**Tip:** Use the [Mozilla SSL Configuration Generator][ssl-config-gen] to generate your [TLS][] configuration. It has three client profiles ("modern", "intermediate", and "old") and supports a variety of servers (web, email, database, application, etc.).
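The four changes above, as an added Apache fragment that is not this site's actual configuration. It assumes `mod_ssl` and `mod_headers` are loaded and that it sits inside the site's `<VirtualHost *:443>`; the cipher list is modelled on the generator's "intermediate" profile, and the origin and header values are placeholders to adapt.

```apache
# Added example, not the post's real config. Assumes mod_ssl and mod_headers
# are loaded and that this lives inside the site's <VirtualHost *:443> block.

# 1. Disable ancient protocol versions: only TLS 1.2 and TLS 1.3 remain.
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

# 2. Explicit cipher suite list (modelled on the Mozilla generator's
#    "intermediate" profile; regenerate it rather than copying this blindly).
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# With only AEAD suites left, let the client pick; no need to force server order.
SSLHonorCipherOrder     off
# Session tickets weaken forward secrecy unless the ticket key is rotated.
SSLSessionTickets       off

# 3. CORS: name a single origin instead of "*" (placeholder origin).
Header always set Access-Control-Allow-Origin "https://example.org"

# 4. New headers. "always" applies them to error responses as well.
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), geolocation=(), microphone=()"
```

Run `apachectl configtest` before reloading, then re-run the SSL Labs and Security Headers scans to confirm the old protocols and missing headers are gone.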
Random thoughts:

* Static site generators like [Hugo][] and [Jekyll][] make it easy to check off many performance and security requirements.
* As an industry, we still have not learned to ["have one joint and keep it well oiled"][lesson] when dealing with security. Notable exception: [Wireguard][].

Screenshots of the improved scan results are available below. Click the [SSL Labs][ssllabs] and [Security Headers][securityheaders] pictures to see the scan details.

[{{< pe-figure "ssllabs" >}}][ssllabs-results]

[{{< pe-figure "securityheaders" >}}][securityheaders-results]

{{< pe-figure "lighthouse-desktop" >}}

[ssllabs]: https://www.ssllabs.com/ssltest/ "TLS version, cipher suite, and response header scanner."
[securityheaders]: https://securityheaders.com/ "HTTP response header scanner."
[lighthouse]: https://developers.google.com/web/tools/lighthouse "Page performance and accessibility scanner."
[cipher-suite]: https://en.wikipedia.org/wiki/Cipher_suite "Set of cryptographic algorithms."
[tls]: https://en.wikipedia.org/wiki/Transport_Layer_Security "Transport Layer Security"
[http]: https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol "HyperText Transfer Protocol"
[apache]: https://apache.org/ "Apache web server."
[response-header-post]: {{< ref "/posts/2021-10-19-hugo-csp-impedance-mismatch.md" >}} "My recent post on Hugo and HTTP response headers."
[ssl-config-gen]: https://ssl-config.mozilla.org/ "Mozilla SSL Configuration Generator"
[ssllabs-results]: https://www.ssllabs.com/ssltest/analyze.html?d=pablotron.org&hideResults=on "SSL Labs scan results."
[securityheaders-results]: https://securityheaders.com/?q=pablotron.org&hide=on&followRedirects=on "Security Headers scan results."
[postgres]: https://postgresql.org/ "PostgreSQL relational database server."
[lesson]: https://www.imperialviolet.org/2016/05/16/agility.html "Cryptographic Agility, by Adam Langley."
[wireguard]: https://www.wireguard.com/ "Wireguard VPN"
[hugo]: https://gohugo.io/ "Hugo static site generator."
[jekyll]: https://jekyllrb.com/ "Jekyll static site generator."