Tuesday 29 March 2016

Security Checklist


Is the website only served over https?

Test :

$ curl -s -I http://example.org | grep '^HTTP'
HTTP/1.1 301 Moved Permanently
$ curl -s -I https://example.org | grep '^HTTP'
HTTP/1.1 200 OK


Is the HSTS http-header set?

Test :

$ curl -s -I https://example.org | grep '^Strict'
Strict-Transport-Security: max-age=63072000; includeSubdomains;

Is the server certificate at least 4096 bits?

Test :

$ openssl s_client -showcerts -connect example.org:443 |& grep '^Server public key'
Server public key is 4096 bit


Is TLS1.2 the only supported protocol?  


Test : 

$ curl --sslv3 https://example.org
curl: (35) Server aborted the SSL handshake
$ curl --tlsv1.0 -I https://example.org
curl: (35) Server aborted the SSL handshake
$ curl --tlsv1.1 -I https://example.org
curl: (35) Server aborted the SSL handshake
$ curl --tlsv1.2 -s -I https://example.org | grep 'HTTP'
HTTP/1.1 200 OK 

Do all supported symmetric ciphers use at least 256-bit keys?

Test :

$ nmap --script ssl-enum-ciphers -p 443 example.org
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong


Is the Diffie-Hellman prime at least 4096 bits?

Test :

$ openssl s_client -connect example.com:443 -cipher "EDH" |& grep "^Server Temp Key"
Server Temp Key: DH, 4096 bits

Have you ensured that your content cannot be embedded in a frame on another website?

Test :

$ curl -s -I https://example.org | grep '^X-Frame-Options'
X-Frame-Options: SAMEORIGIN
$ curl -s -I https://example_2.org | grep '^X-Frame-Options'
X-Frame-Options: DENY # Also acceptable

Have you ensured that the Internet Explorer content sniffer is disabled?

Test :

$ curl -s -I https://example.org | grep '^X-Content'
X-Content-Type-Options: nosniff

Have you disabled password-based login over ssh, and only allowed key-based login?

Test :

$ cat /etc/ssh/sshd_config | grep '^Password'
PasswordAuthentication no

Do session cookies have the 'Secure' and 'HttpOnly' flag set?

Test :

$ curl -s -I example.com/url_that_sets_cookie | grep '^Set-Cookie'
Set-Cookie: ****;Path=/;Expires=Fri, 16-Mar-2018 19:18:51 GMT;Secure;HttpOnly;Priority=HIGH
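The four header checks above (HSTS, X-Frame-Options, X-Content-Type-Options, cookie flags) can be scripted against a saved `curl -s -I` response so they run the same way every time. The script below is an added example, not part of the original post; it assumes POSIX sh with grep, sed and awk, and the two sample header blocks it audits are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: audit a saved HTTP response header block (the output of
# `curl -s -I https://host`) against the header items of this checklist.
# Each check takes a file name and returns 0 (pass) or 1 (fail).

check_hsts() {    # Strict-Transport-Security present with max-age >= 1 year
    age=$(tr -d '\r' < "$1" | grep -i '^Strict-Transport-Security:' \
          | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$age" ] && [ "$age" -ge 31536000 ]
}
check_frame() {   # X-Frame-Options must be DENY or SAMEORIGIN
    tr -d '\r' < "$1" | grep -iqE '^X-Frame-Options: *(DENY|SAMEORIGIN) *$'
}
check_nosniff() { # X-Content-Type-Options: nosniff must be present
    tr -d '\r' < "$1" | grep -iqE '^X-Content-Type-Options: *nosniff *$'
}
check_cookies() { # every Set-Cookie line must carry both Secure and HttpOnly
    awk 'tolower($0) ~ /^set-cookie:/ {
             l = tolower($0); sub(/\r$/, "", l)
             if (l !~ /;[ \t]*secure([ \t;]|$)/ || l !~ /;[ \t]*httponly([ \t;]|$)/) bad++
         }
         END { exit (bad > 0) }' "$1"
}
audit() {         # run all checks on file $1; returns the number of failures
    fails=0
    for c in check_hsts check_frame check_nosniff check_cookies; do
        if "$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails+1)); fi
    done
    return "$fails"
}

# Constructed sample responses for an offline self-check (not real captures).
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubdomains;
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: session=REDACTED;Path=/;Secure;HttpOnly;Priority=HIGH
EOF
cat > "$BAD" <<'EOF'
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOW-FROM https://partner.invalid
Set-Cookie: session=REDACTED;Path=/;Secure
EOF
echo "-- good sample"; audit "$GOOD" || true
echo "-- bad sample";  audit "$BAD"  || true
```

To audit a live host, save `curl -s -I https://example.org` to a file and pass that file name to `audit`; the exit status is the number of failed checks.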