[tor-talk] Hardenize TorProject Website
bo0od at riseup.net
Sun May 2 16:34:51 UTC 2021
Checking the Torproject website configs, there is some stuff that is outdated, or
- TLS 1.0, 1.1 Deprecated since 2020
- Disable weak ciphers
Due to the usage of TLS 1.0/1.1, the website got a B grade from SSLlabs:
- Preload policy doesn't satisfy preload requirements because:
"This HSTS policy doesn't cover subdomains, which is a requirement for
preloading. Additionally, without full coverage, HSTS can't protect from
certain cookie attacks that typically allow active network attackers to
inject cookies into an application."
- Enforce XSS protection
It should be:
Value: 1; mode=block
- Content-Security-Policy: This policy contains 'unsafe-inline' which is
dangerous in the style-src directive.
- (Experimental but maybe worth attention?) -> Permissions-Policy:
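An added example (not part of the post, and not torproject.org's configuration) that turns the points above into a repeatable check: it audits a set of response headers for HSTS preload coverage (`includeSubDomains`, `preload`, a one-year `max-age`, which are the preload list's requirements), for `'unsafe-inline'` in CSP (checking `script-src` as well as the `style-src` directive the post names), for the `X-XSS-Protection` value the post asks for, and for a missing `Permissions-Policy`; it also builds a server-side `ssl.SSLContext` that refuses TLS 1.0/1.1. The two header sets at the bottom are constructed samples, one mirroring the issues in the post and one hardened.

```python
"""Audit HTTP security headers for the issues raised in the post and build a
TLS 1.2+ server context. Sample header sets are constructed, not captured."""
import ssl
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # minimum max-age accepted by the HSTS preload list


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_directives(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source tokens]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_hsts(value: Optional[str]) -> List[str]:
    """Check Strict-Transport-Security against the preload requirements."""
    if value is None:
        return ["HSTS: header missing"]
    findings = []
    tokens = [t.strip().lower() for t in value.split(";")]
    max_age = None
    for token in tokens:
        if token.startswith("max-age="):
            try:
                max_age = int(token.split("=", 1)[1])
            except ValueError:
                pass
    if max_age is None or max_age < ONE_YEAR:
        findings.append("HSTS: max-age must be at least one year for preloading")
    if "includesubdomains" not in tokens:
        findings.append("HSTS: includeSubDomains missing; policy does not cover subdomains")
    if "preload" not in tokens:
        findings.append("HSTS: preload token missing")
    return findings


def check_csp(value: Optional[str]) -> List[str]:
    """Flag 'unsafe-inline' in style-src and script-src (falling back to default-src)."""
    if value is None:
        return ["CSP: header missing"]
    directives = parse_directives(value)
    findings = []
    for name in ("style-src", "script-src"):
        sources = directives.get(name, directives.get("default-src", []))
        if "'unsafe-inline'" in sources:
            findings.append(f"CSP: 'unsafe-inline' in {name}")
    return findings


def check_xss_protection(value: Optional[str]) -> List[str]:
    """The post asks for the legacy X-XSS-Protection header to be '1; mode=block'."""
    normalized = "".join((value or "").split()).lower()
    return [] if normalized == "1;mode=block" else ["X-XSS-Protection: expected '1; mode=block'"]


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Run all checks and return the findings (an empty list means clean)."""
    findings: List[str] = []
    findings += check_hsts(_get(headers, "Strict-Transport-Security"))
    findings += check_csp(_get(headers, "Content-Security-Policy"))
    findings += check_xss_protection(_get(headers, "X-XSS-Protection"))
    if _get(headers, "Permissions-Policy") is None:
        findings.append("Permissions-Policy: header missing")
    return findings


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context that refuses TLS 1.0/1.1 and non-AEAD/legacy ciphers."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


# Constructed samples: the first mirrors the post's findings, the second is hardened.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=15768000",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'",
    "X-XSS-Protection": "0",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; style-src 'self'; script-src 'self'",
    "X-XSS-Protection": "1; mode=block",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["no findings"])
```

Run it against headers captured from a real response (for example a `dict` built from `urllib.request.urlopen(...).headers.items()`) to get the same findings list; the CSP check deliberately treats a missing `style-src`/`script-src` as inheriting `default-src`, which is how browsers resolve it.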