A checklist for securing websites and domains
HSTS, CAA, SPF…
I've compiled below the things I've done to secure this site and domain. These lists do not include software and configuration for other applications on the server.
Websites #
- Use HTTPS to encrypt web content in transit. Obtain free TLS certificates from LetsEncrypt [1].
- Listen on port 80 only to redirect plain HTTP requests to HTTPS on port 443 (a 301 to the same host; the HSTS preload list checks for this redirect).
- Disable TLSv1.0 and TLSv1.1; both are deprecated by RFC 8996 [2].
- Send the HSTS header (`Strict-Transport-Security`): a response header that tells browsers to connect to the site only over HTTPS for the stated max-age [3]. A browser enforces this only after it has received the header from the site over HTTPS, or if the domain is on the HSTS preload list.
- Get on the HSTS preload list: an opt-in list of domains shipped with browsers so that HTTPS is enforced even on the very first visit [4]. Submission requires a max-age of at least one year plus the includeSubDomains and preload directives.
- Configure the server to send the response headers recommended by the OWASP Secure Headers Project [5]. You can check which of them are present with a tool like the Geekflare Secure Header Test [6].
- Install, enable, and configure a Web Application Firewall (WAF), like ModSecurity [7] with the OWASP Core Rule Set [8]. A WAF inspects HTTP traffic before it reaches the application and uses rules and heuristics to deny suspicious requests.
- Disable autoindexing: stop the web server from generating directory listings for directories that have no index file, which would otherwise expose file names that were never meant to be public [9] [10].
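The following is an added example, not code from the original checklist. It audits a captured HTTP response head offline against the hstspreload.org requirements (a one-year max-age, includeSubDomains and preload, plus a same-host redirect on port 80) and reports which of a subset of OWASP-recommended headers are absent. The two sample responses, the host name `example.com` and the chosen header subset are constructed for the example.

```python
"""Audit response heads against the HSTS preload rules and the OWASP header list.

Added example, not from the original checklist. The responses below are
constructed, not captured from a real server.
"""
import re

# hstspreload.org requires max-age >= one year (31536000 s) plus the
# includeSubDomains and preload directives before accepting a domain.
PRELOAD_MIN_MAX_AGE = 31536000

# Assumption: the subset of OWASP Secure Headers Project headers that a
# static site can usually send without breaking anything.
OWASP_HEADERS = (
    "strict-transport-security", "x-frame-options", "x-content-type-options",
    "content-security-policy", "referrer-policy", "permissions-policy",
    "cross-origin-opener-policy", "cross-origin-resource-policy",
)


def parse_response(raw):
    """Split a raw response head into (status code, {lower-cased name: value})."""
    lines = raw.strip().splitlines()
    status_parts = lines[0].split()
    status = status_parts[1] if len(status_parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_http_redirect(raw, host):
    """The port-80 response must redirect straight to HTTPS on the same host."""
    status, headers = parse_response(raw)
    if status not in ("301", "302", "307", "308"):
        return ["port 80 answers %s instead of redirecting to HTTPS" % (status or "garbage")]
    location = headers.get("location", "")
    if not location.lower().startswith("https://%s" % host.lower()):
        return ["port 80 redirects to %r, not to https://%s" % (location, host)]
    return []


def check_hsts(value):
    """Return the problems that would block an HSTS preload submission."""
    if value is None:
        return ["Strict-Transport-Security header missing"]
    problems = []
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    if max_age is None:
        problems.append("max-age directive missing or malformed")
    elif max_age < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age=%d is below the one-year preload minimum" % max_age)
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems


def missing_owasp_headers(headers):
    """Names from OWASP_HEADERS that the response does not send at all."""
    return [h for h in OWASP_HEADERS if h not in headers]


def audit_https_response(raw):
    """Run the HSTS and header-presence checks on an HTTPS response head."""
    _, headers = parse_response(raw)
    return {"hsts": check_hsts(headers.get("strict-transport-security")),
            "missing": missing_owasp_headers(headers)}


# Constructed sample: HSTS enabled with a tiny max-age, one other header sent.
WEAK_HTTPS = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=300
X-Frame-Options: SAMEORIGIN
"""

# Constructed sample: the same site after working through the checklist.
GOOD_HTTPS = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
"""

# Constructed sample: what port 80 should answer.
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\nLocation: https://example.com/\n"

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_HTTPS), ("good", GOOD_HTTPS)):
        print(label, audit_https_response(raw))
    print("redirect", check_http_redirect(GOOD_HTTP, "example.com"))
```

To run it against a live site, feed the output of `curl -sI https://your-domain/` and `curl -sI http://your-domain/` to `audit_https_response` and `check_http_redirect`; the checks only look at the status line and headers, so no response body is needed.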
DNS configuration #
- Create a CAA record to indicate which certificate authorities are authorised to issue certificates for your domain [11]. Without one, any publicly trusted CA may issue for the domain.
- Note: Cloudflare may automatically add CAA records for its own certificate authorities so that it can obtain certificates for reverse-proxied sites [12].
- Email
- Add a Sender Policy Framework (SPF) record to indicate which hosts are allowed to send mail on behalf of the domain [13]. End it with `-all` (or `~all`) so that every other sender fails, and keep it within the limit of 10 DNS-lookup terms.
- Configure DomainKeys Identified Mail (DKIM). The sending server signs each message with a private key and the matching public key is published in DNS as a TXT record under a selector; a valid signature proves that the message was sent by a holder of that private key [14]. The TXT record can instead be a CNAME that points to the mail provider's record, which lets the provider manage the key.
- Rotate DKIM keys: limit the damage an attacker can do with a cracked or stolen private key by replacing the key pair periodically [15].
- Add a DMARC record to indicate what receiving mail servers should do with an email purportedly from your domain that fails SPF and/or DKIM alignment [16]. Set `rua` to the address where aggregate reports of failing messages should be sent [17]. Start with `p=none` to collect reports, then move to `quarantine` and `reject` once legitimate senders pass.
- If you're using OpenPGP, add a CNAME record for `openpgpkey` that points to a key server where public keys can be found for email addresses at your domain [18]. (This is the Web Key Directory advanced lookup; the OPENPGPKEY DNS record described in RFC 7929 is a separate mechanism.)
Service-specific configuration items #
- Cloudflare reverse proxy settings
- Set the SSL/TLS encryption mode to Full (strict), so that Cloudflare validates the origin server's certificate and the hop from Cloudflare to the origin is encrypted as well [19].
- Netlify
- Add the OWASP Secure Headers Project-recommended headers using `_headers` or `netlify.toml` [20].
Footnotes #
[1] Let's Encrypt (letsencrypt.org), Certbot (certbot.eff.org)
[2] RFC 8996: Deprecating TLS 1.0 and TLS 1.1 (datatracker.ietf.org)
[3] Mozilla Developer Network Web Docs: Strict-Transport-Security (developer.mozilla.org)
[4] HSTS Preload List Submission (hstspreload.org)
[5] OWASP Secure Headers Project: Response Headers (owasp.org)
[6] Geekflare: Secure Header Test (geekflare.com)
[7] ModSecurity: Open Source Web Application Firewall (github.com)
[8] OWASP ModSecurity Core Rule Set (coreruleset.org)
[9] mod_autoindex - Apache HTTP Server (httpd.apache.org)
[10] Module ngx_http_autoindex_module - Nginx (nginx.org)
[11] DNSimple Help: What's a CAA record? (support.dnsimple.com)
[12] Cloudflare Docs: CAA records (developers.cloudflare.com)
[13] DNSimple Help: What's an SPF record? (support.dnsimple.com)
[14] RFC 6376: DKIM Signatures (datatracker.ietf.org)
[15] EasyDMARC: What is DKIM Key Rotation? (easydmarc.com)
[16] DNSimple Help: What's a DMARC record? (support.dnsimple.com)
[17] EasyDMARC: What are RUA and RUF in DMARC? (easydmarc.com)
[18] RFC 7929 § 5: Application Use of OPENPGPKEY (datatracker.ietf.org)
[19] Cloudflare Docs: Encryption mode (developers.cloudflare.com)
[20] Netlify Docs: Custom headers (docs.netlify.com)