Securing Apache - Debian/Ubuntu

Step 3f - Enabling and Configuring Expect-CT - Highly Recommended!!

Enable and Configure Expect-CT

Certificate Transparency (CT), a project started at Google, fixes a structural weakness in the public certificate system that underlies every HTTPS connection: any trusted certificate authority can issue a certificate for any domain, and a mis-issued certificate (by mistake, compromise or coercion) can be used for website spoofing, server impersonation and man-in-the-middle attacks without the domain owner ever finding out. CT requires certificates to be recorded in public, append-only logs, and browsers look for proof of logging (Signed Certificate Timestamps, SCTs) when they connect, so mis-issuance becomes detectable. The Expect-CT header tells a browser that this site's certificates must carry valid CT information and what to do when they do not. You can find more info on the project's site. One caveat: Chromium-based browsers, the only ones that implemented Expect-CT, now require CT for every publicly trusted certificate by default and have since dropped the header, so current browsers ignore it. It is harmless to send and was still honoured at the time of the test results below.

Directives:

enforce
The optional enforce directive controls whether the browser enforces the policy (refusing connections whose certificates lack valid CT information) or treats it as report-only. The directive takes no value: include it to enforce, omit it to only report.

max-age
The required max-age directive specifies the number of seconds that the browser should cache and apply the received policy for, whether enforced or report-only.

report-uri
The optional report-uri directive specifies where the browser should send reports when it does not receive valid CT information for a connection; in report-only mode this is the policy's only effect. The value is an absolute URI in double quotes.

Change the HTTPS web site config file (add the Expect-CT line shown below to the existing header block):

nano /etc/apache2/sites-available/EXAMPLE_com_ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>
..............................
        <IfModule mod_headers.c>
            Header unset ETag
            FileETag None
            Header unset Server
            Header always set X-Content-Type-Options "nosniff"
            Header always set X-XSS-Protection "1; mode=block"
            Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
            # Standard header name; browsers ignore the obsolete X-Content-Security-Policy
            Header set Content-Security-Policy "default-src 'self';"
            Header set X-Frame-Options DENY
            # Header name and value are separate arguments. This caches every response
            # from this vhost for a year, so narrow it if the site serves dynamic content.
            Header set Cache-Control "public, max-age=31536000"
            Header set MyHeader "Feel safe zombiesecured headers in use!!! It took %D microseconds for Zombiesecured to serve this request on %t"
            Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
            # Expect-CT: start with a short max-age and raise it gradually once you are
            # confident the certificate chain carries valid CT information. Replace url
            # with the absolute URI of your report endpoint.
            Header always set Expect-CT "max-age=30, enforce, report-uri=\"url\""
        </IfModule>
    </VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Save and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Restart Apache

systemctl restart apache2
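To confirm what the directives described above actually produce once Apache is back up, here is an added example that is not part of the original page: a POSIX shell script that parses an Expect-CT header value into its directives (max-age, enforce, report-uri), rejects malformed values, tells you whether the policy is enforced or report-only, and includes a helper that fetches the live header with curl. The sample header values, the EXAMPLE.com hostname and the report endpoint are constructed for illustration and are not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original page): parse and check Expect-CT header values.

# expect_ct_parse VALUE prints "max_age=N enforce=0|1 report_uri=URI".
# Returns 1 when max-age is missing or non-numeric, or when a directive is unknown.
expect_ct_parse() {
    ect_value=$1
    ect_max_age=""
    ect_enforce=0
    ect_report_uri=""
    ect_old_ifs=$IFS
    IFS=','
    for ect_d in $ect_value; do
        # trim surrounding whitespace from each comma-separated directive
        ect_d=$(printf '%s' "$ect_d" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$ect_d" in
            '')            ;;                                  # tolerate a trailing comma
            max-age=*)     ect_max_age=${ect_d#max-age=} ;;
            enforce)       ect_enforce=1 ;;
            report-uri=*)  ect_report_uri=${ect_d#report-uri=}
                           ect_report_uri=${ect_report_uri#\"} # strip the surrounding quotes
                           ect_report_uri=${ect_report_uri%\"} ;;
            *)             IFS=$ect_old_ifs
                           echo "unknown Expect-CT directive: $ect_d" >&2
                           return 1 ;;
        esac
    done
    IFS=$ect_old_ifs
    # max-age is required and must be a non-negative integer
    case "$ect_max_age" in
        ''|*[!0-9]*) echo "Expect-CT: max-age missing or not a number" >&2; return 1 ;;
    esac
    printf 'max_age=%s enforce=%s report_uri=%s\n' \
        "$ect_max_age" "$ect_enforce" "$ect_report_uri"
}

# expect_ct_mode VALUE prints "enforce" or "report-only" for a valid header value.
expect_ct_mode() {
    ect_parsed=$(expect_ct_parse "$1") || return 1
    case "$ect_parsed" in
        *enforce=1*) echo enforce ;;
        *)           echo report-only ;;
    esac
}

# expect_ct_live HOST prints the Expect-CT value a running server sends.
# Needs network access, so it is not called below; HOST is an assumed value.
expect_ct_live() {
    curl -sSI "https://$1/" \
        | awk -F': ' 'tolower($1) == "expect-ct" { sub(/\r$/, "", $2); print $2 }'
}

# Constructed sample values (not captured from a real server).
expect_ct_parse 'max-age=30, enforce, report-uri="https://EXAMPLE.com/ct-reports"'
expect_ct_mode  'max-age=86400, report-uri="https://EXAMPLE.com/ct-reports"'
expect_ct_parse 'enforce' || echo "rejected as expected: no max-age"
```

Run `apache2ctl configtest` before the restart so a quoting mistake in the header line does not take the site down, then compare `expect_ct_live EXAMPLE.com` (with your own hostname) against what the parser accepts: the same short max-age you set while in report-only mode should show up, and the mode should flip to enforce only after you have added the enforce directive deliberately.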

Zombie Security Headers Results


Test results June 20th, 2019 - Image courtesy of Securityheaders.io