This is a general HTTP security thread for anyone willing to discuss, help newbies or learn more about HTTP security in general.
Who among you is running your own Web server? Do you secure your traffic with TLS and HTTP security headers? Do you enforce a secure connection using HSTS [1]? Do you ensure that user agents pin your server's public certificate with HPKP [2]? Do you enforce content restrictions with CSP [3]?
The following websites help you check your server's security:
https://www.ssllabs.com/ssltest/index.html
https://observatory.mozilla.org/
https://securityheaders.io/
Or you can do a basic check yourself using the following tools:
sslscan
sslyze
observatory-cli
[1] https://tools.ietf.org/html/rfc6797
[2] https://tools.ietf.org/html/rfc7469
[3] https://www.w3.org/TR/CSP2/
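An added example (not part of the OP's post, and not from sslscan, sslyze or observatory-cli): the checks those online scanners run against the three headers above, reduced to an offline audit over constructed header sets. The one-year HSTS threshold is the value hstspreload.org asks for; the HPKP rule that a pin set needs a backup pin is from RFC 7469; the pin value and header sets below are made up for the example.

```python
"""Offline audit of HSTS, CSP and HPKP response headers (added example)."""

# hstspreload.org asks for at least one year; an assumption for this audit.
HSTS_MIN_MAX_AGE = 31536000


def parse_directives(value):
    """Split a 'name=value; name; ...' header into a dict (HSTS/HPKP style).

    Repeated pin-sha256 directives are collected into a list so HPKP pins survive.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"') if val else True
        if name == "pin-sha256":
            directives.setdefault(name, []).append(val)
        else:
            directives[name] = val
    return directives


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [source list]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit(headers):
    """Return a list of findings for a dict of response headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        d = parse_directives(hsts)
        raw = d.get("max-age")
        max_age = int(raw) if isinstance(raw, str) and raw.isdigit() else 0
        if max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS: max-age={max_age} is below {HSTS_MIN_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS: includeSubDomains missing")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        p = parse_csp(csp)
        if "default-src" not in p:
            findings.append("CSP: no default-src fallback")
        # script-src governs scripts when present; otherwise default-src applies.
        name = "script-src" if "script-src" in p else "default-src"
        srcs = p.get(name, [])
        if "'unsafe-inline'" in srcs:
            findings.append(f"CSP: {name} allows 'unsafe-inline'")
        if "*" in srcs:
            findings.append(f"CSP: {name} allows any host (*)")

    hpkp = h.get("public-key-pins")
    if hpkp is not None:
        d = parse_directives(hpkp)
        if len(d.get("pin-sha256", [])) < 2:
            findings.append("HPKP: RFC 7469 requires a backup pin (at least two pin-sha256)")
        if "max-age" not in d:
            findings.append("HPKP: max-age missing")
    return findings


# Constructed header sets, not captured from any real server.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' *",
    "Public-Key-Pins": 'pin-sha256="c3VwZXJmYWtlcGluZm9yZXhhbXBsZQ=="; max-age=5184000',
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit(hdrs) or ["no findings"])
```

Feeding it real headers is a one-liner with `requests` or `curl -I`; the point of the offline form is that every rule is visible and testable, which is what you want before trusting a third-party grade.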
>>60762937
Is there anything wrong with opening up my server to the internet and allowing anons to access the FTP server? Would like to start home admining but am afraid of getting btfo by the one hacker who lurks here.
It is simply a FreeNAS setup with the FTP server living in a chroot. Is that secure enough?
>>60762937
Good thread OP
>>60763901
If you run a read-only secure FTP daemon, and keep it up-to-date with the latest security patches, in a chroot jail, you seem pretty safe, indeed.
>>60762937
>HSTS
it's shit
>>60765166
>The excrete of HSTS
>>60762937
I have content restrictions and forced HTTPS (HTTP only ever responds with 301 anyway), but I don't use HPKP
It's not a commercial server tho, nor does it deal with anything that involves money.
>>60765377
Here, might as well include this.
>>60764472
Is running it with anonymous logins (no passwords) still safe? Not even sure Comcast will allow me to forward a port.
>>60765522
Only if you don't allow uploads. My server gets portscanned and vulnerability scanned 20+ times a day by skiddies.
>>60765522
If your read-only anonymous FTP daemon is running in a chroot jail with its latest security patches, I don't see why not.
>>60765522
Honestly, I don't feel safe even using the internet with a DNS name pointed at my public IP. Feels too weird having my name out there, having any website I visit be able to reverse-DNS it.
If you're fine having your public IP out like that and hosting a server, then sure. Just make sure to have a good admin password and fail2ban to get rid of all those Chinese fuckers.
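An added example (not from the post above, and not fail2ban's own code): the detection fail2ban's sshd jail performs, reduced to one function over constructed auth-log lines so the threshold behaviour is visible. The window and retry values match the defaults fail2ban's jail.conf ships with (5 failures within 10 minutes); the hostname, PIDs, users, timestamps and the TEST-NET addresses in the sample are made up.

```python
"""Brute-force login detection over sshd log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Failed password" line sshd writes to the auth log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# syslog timestamps carry no year; assume one for the constructed sample.
LOG_YEAR = 2017


def find_bans(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for every IP with >= maxretry failures inside findtime.

    Mirrors fail2ban's sliding window: an attempt only counts while it is
    within findtime of the newest attempt from the same address.
    """
    attempts = defaultdict(list)
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip = m.group("ip")
        if ip in banned:
            continue  # fail2ban would have dropped the packet by now
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        recent = [t for t in attempts[ip] if ts - t <= findtime]
        recent.append(ts)
        attempts[ip] = recent
        if len(recent) >= maxretry:
            banned[ip] = ts
    return banned


# Constructed log excerpt: one scanner hammering root, one user who mistyped
# a password twice, one slow scanner that stays under the window.
SAMPLE_LOG = """\
Jun 12 22:00:00 nas sshd[1100]: Failed password for root from 192.0.2.5 port 50001 ssh2
Jun 12 22:07:00 nas sshd[1101]: Failed password for root from 192.0.2.5 port 50002 ssh2
Jun 12 22:10:01 nas sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun 12 22:10:03 nas sshd[1201]: Failed password for root from 203.0.113.7 port 40124 ssh2
Jun 12 22:10:05 nas sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 40126 ssh2
Jun 12 22:10:07 nas sshd[1203]: Failed password for invalid user pi from 203.0.113.7 port 40128 ssh2
Jun 12 22:10:09 nas sshd[1204]: Failed password for root from 203.0.113.7 port 40130 ssh2
Jun 12 22:10:11 nas sshd[1205]: Failed password for root from 203.0.113.7 port 40132 ssh2
Jun 12 22:11:00 nas sshd[1210]: Accepted publickey for anon from 198.51.100.9 port 5000 ssh2
Jun 12 22:12:00 nas sshd[1211]: Failed password for anon from 198.51.100.9 port 5002 ssh2
Jun 12 22:12:30 nas sshd[1212]: Failed password for anon from 198.51.100.9 port 5004 ssh2
Jun 12 22:14:00 nas sshd[1102]: Failed password for root from 192.0.2.5 port 50003 ssh2
Jun 12 22:21:00 nas sshd[1103]: Failed password for root from 192.0.2.5 port 50004 ssh2
Jun 12 22:28:00 nas sshd[1104]: Failed password for root from 192.0.2.5 port 50005 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

The slow scanner at 192.0.2.5 never trips the default jail because its attempts are seven minutes apart and the window only holds two at a time; lowering `maxretry` to 2 catches it, but would also ban the legitimate user who fumbled a password twice, which is the trade-off fail2ban's `findtime`/`maxretry` pair exists to tune. A key-only `sshd_config` removes the password guessing surface entirely and is the better first step.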
>>60765973
What? How does that result in your name being out there? Also reverse DNS has to be explicitly set up.
My IP reverses to *.dyn.estpak.ee even though I have a domain name pointed to it.