[tor-talk] Hardenize TorProject Website
bo0od
bo0od at riseup.net
Sun May 2 16:34:51 UTC 2021
Hi There,
Checking the Torproject website configs, there is some stuff that is outdated or
needed... let's see:
* https://www.hardenize.com/report/torproject.org/1619971139#www_tls
- TLS 1.0, 1.1 Deprecated since 2020
- Disable weak ciphers
Due to the usage of TLS 1.0, 1.1 the website got a B grade from SSLlabs:
https://www.ssllabs.com/ssltest/analyze.html?d=torproject.org
* https://www.hardenize.com/report/torproject.org/1619971139#www_hsts
- Preload policy doesn't satisfy preload requirements because:
"This HSTS policy doesn't cover subdomains, which is a requirement for
preloading. Additionally, without full coverage, HSTS can't protect from
certain cookie attacks that typically allow active network attackers to
inject cookies into an application."
* https://www.hardenize.com/report/torproject.org/1619971139#www_xxssp
- Enforce XSS protection
"Name: X-Xss-Protection
Value: 1"
It should be:
"Name: X-Xss-Protection
Value: 1; mode=block"
* https://securityheaders.com/?q=torproject.org&followRedirects=on
* https://observatory.mozilla.org/analyze/torproject.org
- Content-Security-Policy: This policy contains 'unsafe-inline' which is
dangerous in the style-src directive.
- (Experimental but maybe worth attention?) -> Permissions-Policy:
https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
Why experimental?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
ThX!
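A small header audit for the HSTS, X-XSS-Protection and CSP points raised in the post, added here as an example; it is not part of the original message or of any Tor Project code, and the sample headers are constructed, not captured from torproject.org.

```python
def parse_hsts(value):
    """Split Strict-Transport-Security into {directive: value} with lower-cased names."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out

def parse_csp(value):
    """Split Content-Security-Policy into {directive: [sources]}, all lower-cased."""
    policy = {}
    for group in value.lower().split(";"):
        tokens = group.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def audit_headers(headers):
    """Return findings for the HSTS, X-XSS-Protection and CSP points in the post."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # HSTS preload list requirements: max-age >= 1 year, includeSubDomains, preload token.
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    if "includesubdomains" not in hsts:
        findings.append("HSTS: missing includeSubDomains (required for preload)")
    if int(hsts.get("max-age") or 0) < 31536000:
        findings.append("HSTS: max-age shorter than one year (required for preload)")
    if "preload" not in hsts:
        findings.append("HSTS: missing preload directive")
    # X-XSS-Protection: the post asks for "1; mode=block" rather than a bare "1".
    xss = h.get("x-xss-protection", "").replace(" ", "").lower()
    if xss.startswith("1") and "mode=block" not in xss:
        findings.append("X-XSS-Protection: value '1' lacks mode=block")
    # CSP: style-src falls back to default-src when absent, so check the effective list.
    csp = parse_csp(h.get("content-security-policy", ""))
    if "'unsafe-inline'" in csp.get("style-src", csp.get("default-src", [])):
        findings.append("CSP: 'unsafe-inline' in style-src")
    return findings

# Constructed sample headers (not captured from torproject.org) that reproduce the findings.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=15768000",
    "X-Xss-Protection": "1",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    print("\n".join(audit_headers(SAMPLE_HEADERS)) or "all checks passed")
```

Major browsers have since removed their X-XSS-Protection filters, so that check matters only for legacy clients; the HSTS and CSP checks remain current.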