This is a general HTTP security thread for anyone willing to discuss, help newbies or learn more about HTTP security in general.
Who among you is running your own Web server? Do you secure your traffic with TLS and HTTP security headers? Do you enforce a secure connection using HSTS [1]? Do you ensure that user agents pin your server's public certificate with HPKP [2]? Do you enforce content restrictions with CSP [3]?
The following websites help you check your server's security:
https://www.ssllabs.com/ssltest/index.html
https://observatory.mozilla.org/
https://securityheaders.io/
Or you can do a basic check yourself using the following tools:
sslscan
sslyze
observatory-cli
[1] https://tools.ietf.org/html/rfc6797
[2] https://tools.ietf.org/html/rfc7469
[3] https://www.w3.org/TR/CSP2/
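As an added example (not from the OP or any poster in this thread), here is a small offline auditor for the three headers the OP names. It applies the checks a tool like observatory-cli performs, but against constructed header dictionaries instead of a live server: HSTS directives per RFC 6797, HPKP's two-pin requirement per RFC 7469, and a CSP script-src inspection per CSP2. The two header sets, the nonce and the pin values are all made up for the demonstration.

```python
"""Offline audit of HTTP security response headers (HSTS, HPKP, CSP).
Added illustration; sample headers below are constructed, not captured."""
from typing import Dict, List, Tuple

# Constructed "weak" server response: present but badly configured headers.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "Public-Key-Pins": 'pin-sha256="constructedOnlyPin="; max-age=5184000',
}

# Constructed "hardened" response; lowercase names exercise case-insensitivity.
HARDENED_HEADERS = {
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "content-security-policy": "default-src 'self'; script-src 'self' 'nonce-constructed123'; object-src 'none'",
    "public-key-pins": 'pin-sha256="constructedPrimary="; pin-sha256="constructedBackup="; max-age=5184000',
}

ONE_YEAR = 31536000  # hstspreload.org requires at least this max-age for preloading


def get_header(headers: Dict[str, str], name: str):
    """HTTP header names are case-insensitive, so look up without regard to case."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_directives(value: str) -> List[Tuple[str, str]]:
    """Split 'a=b; c; d=e' into (name, value) pairs; names lowercased, order kept."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            pairs.append((name.strip().lower(), val.strip()))
    return pairs


def check_hsts(headers: Dict[str, str]) -> List[str]:
    value = get_header(headers, "Strict-Transport-Security")
    if value is None:
        return ["HSTS header missing: first visits and downgraded requests stay on plain HTTP"]
    findings = []
    directives = dict(parse_directives(value))
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("HSTS max-age missing or malformed; RFC 6797 makes the header invalid")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age}s is below one year (preload list minimum)")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains; subdomains can still be downgraded")
    if "preload" not in directives:
        findings.append("HSTS lacks preload; no protection before the first HTTPS visit")
    return findings


def check_hpkp(headers: Dict[str, str]) -> List[str]:
    value = get_header(headers, "Public-Key-Pins")
    if value is None:
        return ["HPKP header missing: no public key pinning"]
    findings = []
    directives = parse_directives(value)
    pins = [v for name, v in directives if name == "pin-sha256"]
    if len(pins) < 2:
        findings.append(f"only {len(pins)} pin(s); RFC 7469 requires a backup pin, else UAs ignore the header")
    if "max-age" not in dict(directives):
        findings.append("HPKP max-age missing; header is invalid")
    return findings


def check_csp(headers: Dict[str, str]) -> List[str]:
    value = get_header(headers, "Content-Security-Policy")
    if value is None:
        return ["CSP header missing: no restriction on script or resource origins"]
    findings = []
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    if "default-src" not in policy:
        findings.append("CSP has no default-src; unlisted fetch directives are unrestricted")
    scripts = policy.get("script-src", policy.get("default-src", []))
    # Under CSP2 a nonce or hash source makes 'unsafe-inline' ignored, so only flag it alone.
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
    if "'unsafe-inline'" in scripts and not nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without nonce/hash; inline script is not blocked")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows 'unsafe-eval'")
    return findings


def audit(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Run every check and return findings keyed by header; empty lists mean no issue."""
    return {"hsts": check_hsts(headers), "hpkp": check_hpkp(headers), "csp": check_csp(headers)}


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label)
        for header, findings in audit(hdrs).items():
            print(f"  {header}: {findings or ['ok']}")
```

Feed it the headers from a real `curl -I https://yourhost/` response (parsed into a dict) and it reports the same gaps the online checkers would. Note that mainstream browsers have since dropped HPKP support, so the HPKP check is mostly of historical interest; the HSTS and CSP checks still apply.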
>>60780571
I really like the idea of this thread, but sadly I think it's a bit too specific to gain any real traction.
>>60780922
My DNS security thread was a little more prosperous, yes. I'm thinking of merging both threads, but I fear that would cause the thread to be too broad and generic. What do you guys think?
>>60781084
This topic is already extremely specific, I don't think that merging the threads would be too 'generic' at all.
That being said, I think this would make a lot more sense as part of the Web Dev general, or perhaps something along the lines of "Web Security General".
Either way, I'm off for tonight. Best of luck anon, I'll keep an eye out for your threads.
>>60781296
Thanks for your input, mate. Good night and see you around.
>>60781084
Why not just make a general focusing on security? That's a broad enough topic for the thread not to die while still being specific enough to differ from other threads.
>>60780571
TLS 1.2 only
Currently studying for CCENT. I find these threads very helpful as they give some real world insights. Really looking forward to a security general, since I'm going to specialize in that field. Cheers
>>60782113
I might also add some RPKI [1] for you next time, seeing as you aspire to be a network security engineer. Gonna be interesting since I'm a little foggy on the details after a few years, and, guess what, because it hasn't caught on yet (just like IPv6, DNSSEC, DANE, etc! :c )
[1] https://tools.ietf.org/html/rfc6810
>>60782051
Sounds interesting, I might. Seeing as we're limited to a maximum amount of characters for a post I'll also have to be very selective in what I'll include. Good practice.