How to Get A+ with ImmuniWeb Website Security Test

Key Dutch
7 min readMar 26, 2020

Among dozens of website security tests, the one from ImmuniWeb really stands out. First of all, in terms of functionality, it leaves the competitors far behind. And yes, it is absolutely free. Today we will tell you how this tool tests your site for security and, most importantly, how to get the highest A+ security rating for your website.

Paypal got A+. Very secure online payment.

ImmuniWeb Website Security Test is an online tool that allows you to ensure that your web application environment is properly secured. It performs a series of non-intrusive tests that check if your web server configuration follows the best security practices and meets compliance requirements for PCI DSS and GDPR.

This website security test helps system administrators and web developers launch secure web applications. It checks the configuration of your web server, analyzes your web application firewall (if any) and your content management system, including its configuration and deployment, and rates the result from F (lowest) to A+ (highest).

So let’s have a look at how ImmuniWeb tests website security and what measures you should take to obtain the highest possible A+ security rating.

Web Server Configuration

The configuration of your web server is as important as keeping your CMS up to date. Properly set HTTP headers protect your CMS against a variety of attacks, including exploitation of vulnerabilities in your web application that have not been patched yet.

HTTP Methods

Web applications rely on HTTP methods when processing user-supplied data, so allow only the methods your application actually uses. A web server may also expose sensitive information through the HEAD, OPTIONS, TRACE and TRACK methods; TRACE and TRACK in particular echo the request back to the client and enable cross-site tracing, so disable them unless the application needs them.

HTTP Response Headers

There are a number of HTTP response headers that improve the overall security of your web application by protecting your users from XSS, CSRF and clickjacking attacks. Properly configuring the server mitigates these issues even when the underlying flaw still exists in the application.

HTTP headers analysis

ImmuniWeb Website Security Test checks for the following HTTP response headers:

Server
A default server header that advertises a web server. It is recommended to totally remove this header from your server response. If for some reason this is impossible, then at least the software version should be hidden.

Strict-Transport-Security (also known as HSTS)
This header tells a browser that has seen it once to reach the site only over HTTPS for the configured max-age, upgrading later plain-HTTP links and typed addresses before the request leaves the browser. The site must already be served over HTTPS with a valid certificate, and browsers only honour the header when it arrives over HTTPS.

X-Frame-Options
The X-Frame-Options header tells the browser whether the page may be loaded inside a frame, iframe, embed or object element. Without it, an attacker can load your site on a third-party domain and overlay it with invisible controls to perform a clickjacking attack.

X-Powered-By
A header that displays the current version of supported technology or content management system. It is advised to always remove this response header.

X-Content-Type-Options
This header, with the value nosniff, tells the browser to trust the Content-Type the server declares instead of guessing (sniffing) the type from the content. That blocks attacks in which an uploaded file or mislabelled response is coaxed into running as script or stylesheet.

X-XSS-Protection
As its name says, this header asks the browser's built-in XSS filter to block pages that appear to contain reflected cross-site scripting. Chromium-based browsers removed that filter in 2019 and Firefox never implemented it, so the header only matters for legacy browsers; a proper Content-Security-Policy is the effective control today.

X-AspNet-Version
Reports ASP.NET version in use. Applicable only to a web server that serves ASP.NET content.

Content-Security-Policy (also known as CSP)
CSP is an additional security layer that prevents certain types of attacks, such as XSS and data injections by instructing the browser from which sources the website content is allowed to be loaded.

Expect-CT
This header tells the browser to require that the site's TLS certificate be logged in Certificate Transparency logs, so a mis-issued certificate that was never logged is rejected. Browsers now enforce CT for all newly issued public certificates anyway and the header has since been deprecated, so it is harmless but adds little.

Referrer-Policy
This header controls how much of the current URL is sent in the Referer request header (the header name keeps its historical misspelling) when the user follows a link or the page loads a resource, which keeps session tokens and other URL parameters from leaking to third parties.

Feature-Policy
This header tells the browser which features (camera, microphone, geolocation and so on) the page and the frames it embeds may use. It has since been renamed Permissions-Policy with a new syntax; scanners generally accept either.
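The script below is an added example, not code from the article or from ImmuniWeb: it runs the checks just described against a captured HTTP response and reports version disclosure in Server, X-Powered-By and X-AspNet-Version, a missing or short HSTS policy, an X-Frame-Options value browsers no longer enforce, a missing nosniff, a missing or inline-permitting CSP, and missing Referrer-Policy and Permissions-Policy/Feature-Policy. Both responses are constructed samples, and the six-month floor for HSTS max-age is my assumption of a sensible threshold, not the scanner's exact scoring rule.

```python
import re

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: nginx/1.14.0",                             # version disclosed
    "X-Powered-By: PHP/7.2.24",                         # technology disclosed
    "Strict-Transport-Security: max-age=300",           # far too short
    "X-Frame-Options: ALLOW-FROM https://example.org",  # ignored by modern browsers
    "X-Content-Type-Options: nosniff",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<html><body>hello</body></html>",
]).encode()

HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "X-Frame-Options: SAMEORIGIN",
    "X-Content-Type-Options: nosniff",
    "Content-Security-Policy: default-src 'self'",
    "Referrer-Policy: strict-origin",
    "Permissions-Policy: geolocation=(), microphone=()",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<html><body>hello</body></html>",
]).encode()

# Assumed floor for HSTS max-age: six months, the usual scanner/preload-list expectation.
HSTS_MIN_AGE = 15552000


def parse_headers(raw):
    """Split a raw HTTP response into {lowercased name: [values]}; the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(headers):
    """Return a list of (severity, message) findings for one response's headers."""
    findings = []

    def first(name):
        values = headers.get(name)
        return values[0] if values else None

    server = first("server")
    if server is not None:
        # Any digit in the value almost always means a product version is exposed.
        severity = "high" if re.search(r"\d", server) else "low"
        findings.append((severity, f"Server header present: {server}"))
    for name in ("x-powered-by", "x-aspnet-version"):
        if first(name) is not None:
            findings.append(("medium", f"{name} discloses technology: {first(name)}"))

    hsts = first("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security missing"))
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.I)
        max_age = int(match.group(1)) if match else 0
        if max_age < HSTS_MIN_AGE:
            findings.append(("medium", f"HSTS max-age too short: {max_age}"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("low", "HSTS lacks includeSubDomains"))

    xfo = first("x-frame-options")
    if xfo is None:
        findings.append(("medium", "X-Frame-Options missing"))
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("medium", f"X-Frame-Options value not enforced by browsers: {xfo}"))

    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options is not 'nosniff'"))

    csp = first("content-security-policy")
    if csp is None:
        findings.append(("high", "Content-Security-Policy missing"))
    elif "'unsafe-inline'" in csp or re.search(r"(default|script)-src[^;]*\*", csp):
        findings.append(("medium", "CSP permits inline scripts or wildcard sources"))

    if first("referrer-policy") is None:
        findings.append(("low", "Referrer-Policy missing"))
    if first("permissions-policy") is None and first("feature-policy") is None:
        findings.append(("low", "Permissions-Policy / Feature-Policy missing"))
    return findings


def audit_response(raw):
    """Convenience wrapper: raw response bytes in, findings out."""
    return audit_headers(parse_headers(raw))


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_response(raw)
        print(f"{label}: {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

To run it against a live site, feed it the output of a raw capture such as `curl -si https://example.com` instead of the constructed samples; the parsing is deliberately the same for both.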

Web Application Firewall

A web application firewall should be installed and configured to block malicious requests. There are many WAF vendors and SaaS offerings that can help protect your web application against malicious activity.

WAF presence

Below is a list of the 10 most popular Web Application Firewall vendors with links to configuration instructions:

  1. Amazon
  2. Azure
  3. Barracuda
  4. Google Cloud Armor
  5. Cloudflare
  6. F5 Networks
  7. Fortinet
  8. Imperva
  9. ModSecurity
  10. Qualys

Note that if your WAF does not actually block malicious requests, the website security test will not detect it.

Hardening Microsoft IIS

Configuring HTTP methods

When configuring Microsoft IIS, HTTP methods are controlled by the Request Filtering feature, which lists verbs and explicitly allows or denies each one. With allowUnlisted set to false, only the verbs you explicitly allow are accepted, which is the configuration to aim for. Note that Request Filtering answers a denied verb with a 404 (substatus 404.6, "Verb denied") rather than a 405.

Configuring HTTP Response headers

To configure HTTP response headers in Microsoft IIS, the HTTP Response Headers feature is used.
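The web.config fragment below is an added example, not taken from the article or from Microsoft's documentation, that applies both settings at once: a verb whitelist through Request Filtering and the response headers through the HTTP Response Headers feature (the customHeaders element). removeServerHeader requires IIS 10 or later; enableVersionHeader="false" in system.web stops ASP.NET from emitting X-AspNet-Version. The header values mirror the ones used in the nginx and Apache sections of this article.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted="false": only verbs listed with allowed="true" get through.
           removeServerHeader drops the Server header entirely (IIS 10+). -->
      <requestFiltering removeServerHeader="true">
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
          <!-- add HEAD or OPTIONS here only if the application actually needs them -->
        </verbs>
      </requestFiltering>
    </security>
    <httpProtocol>
      <customHeaders>
        <!-- IIS adds X-Powered-By: ASP.NET by default; remove it explicitly -->
        <remove name="X-Powered-By" />
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <add name="Content-Security-Policy" value="default-src 'self';" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Referrer-Policy" value="strict-origin" />
        <add name="Feature-Policy" value="microphone 'none'; geolocation 'none'" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
  <system.web>
    <!-- stops ASP.NET from sending X-AspNet-Version -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>
```

One caveat: a customHeaders entry is sent on every response, including plain-HTTP ones, whereas HSTS should only go out over HTTPS. If the site also listens on port 80, redirect it to HTTPS before the header is added, or use the dedicated hsts element available in IIS 10 version 1709 and later.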

Hardening nginx

Configuring HTTP methods

For nginx, the following snippet in the server block rejects every method other than GET and POST with a 405 (nginx's own limit_except directive can do the same per location, but note that allowing GET there implicitly allows HEAD as well):

if ($request_method !~ ^(GET|POST)$ )
{
return 405;
}

Configuring HTTP Response headers

Note that nginx only inherits add_header directives from the enclosing block when the location block itself defines none, so either keep them all in the server block or repeat the full set in every location that adds one. The "always" parameter makes the header go out on error responses too, which scanners also request. nginx cannot drop the Server header without the third-party headers-more module; server_tokens off at least hides the version.

add_header Content-Security-Policy "default-src 'self';" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin" always;
add_header Feature-Policy "microphone 'none'; geolocation 'none'" always;
add_header Expect-CT "max-age=86400" always;

Hardening Apache HTTP Server

Configuring HTTP methods

The following rewrite rules return a 405 for anything other than GET and POST. RewriteCond lines are ANDed by default (there is no [AND] flag; only [OR] exists), and when the status in R= is outside the 3xx range Apache drops the substitution and just returns that status, so the target is written as "-". Apache's own LimitExcept directive with Require all denied achieves the same without mod_rewrite.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^GET$
RewriteCond %{REQUEST_METHOD} !^POST$
RewriteRule .* - [R=405,L]

Configuring HTTP Response headers

Note that Apache HTTP Server needs the headers module loaded before any Header directive is read. "Header always set" is used so that the headers are also sent on error responses; plain "Header set" does not cover them. Apache cannot remove the Server header entirely; ServerTokens Prod and ServerSignature Off reduce it to just "Apache".

# Loading headers module
LoadModule headers_module modules/mod_headers.so
Header always set Content-Security-Policy "default-src 'self';"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin"
Header always set Feature-Policy "microphone 'none'; geolocation 'none'"
Header always set Expect-CT "max-age=86400"

Web Application Configuration

Having a securely configured web server is not enough to protect your website from hackers. There are certain important requirements for your content management system:

Using the Latest Software Versions

Your web application must be always up to date. This means that your content management system and all its components should be running the latest stable software version. Most popular content management systems have a built-in feature that allows users to automatically get notifications about new software releases and automatically install updates.

In the context of the website security test, a detailed software composition analysis is performed that includes precise software version fingerprinting. At the time of writing, the website security test is able to fingerprint 200+ web applications and more than 300,000 web application components.

WordPress

Starting from version 3.7 WordPress has a built-in feature to automatically install updates for its core.

The Official WordPress website contains a detailed manual on how to configure background updates for your website.

Recently, a new official plugin from WordPress Team was introduced to check for updates for installed plugins and themes.

Drupal

Drupal can update itself via the Automatic Updates module, which supports both supervised and unattended updates to keep the CMS and its modules current.

Joomla!

Automatic updates for Joomla! are possible via a third-party extension “Auto Update for Joomla”. This extension allows you to track new software releases for Joomla! itself as well as for installed extensions and components.

Piwigo

Piwigo has a built-in feature to automatically install updates. The official documentation contains instructions for how to use this feature for all supported software branches.

SharePoint

Updates for Microsoft SharePoint are delivered along with other Microsoft updates and are installed according to the deployed update policy.

Using Secure Cookies

Cookies are the usual way a web application identifies a user's session, so a stolen or replayed cookie is a stolen session.

The website security test checks that the cookies set by the application carry the necessary security attributes: Secure (sent only over HTTPS), HttpOnly (not readable by script) and SameSite (not attached to cross-site requests, which blunts CSRF).
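As an added example (again not the article's or ImmuniWeb's code), the functions below apply those three cookie checks to Set-Cookie header values and additionally enforce two browser rules worth knowing: SameSite=None is rejected unless Secure is also set, and a cookie with the __Host- prefix must be Secure, have Path=/ and carry no Domain. The cookies are constructed samples in the shape a CMS login might produce.

```python
# Constructed Set-Cookie values (not from a real site): a bad, a partial and a good cookie.
SAMPLE_COOKIES = [
    "PHPSESSID=3f9a0b1c7d2e; Path=/",
    "wordpress_logged_in_9a1f=admin%7C1700000000; Path=/; HttpOnly",
    "csrf_token=9c1d4e2f; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value}); attribute names are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header):
    """Return (cookie name, [issues]) for one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header)
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure")          # would also be sent over plain HTTP
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")        # readable by injected script (XSS)
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax"):
        issues.append("missing or weak SameSite")
    if samesite == "none" and "secure" not in attrs:
        issues.append("SameSite=None without Secure is rejected by browsers")
    # Cookie-prefix rule: __Host- cookies must be Secure, scoped to Path=/ and have no Domain.
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        issues.append("__Host- prefix requirements not met")
    return name, issues


def audit_cookies(headers):
    """Audit every Set-Cookie value; returns {name: issues} for cookies with at least one issue."""
    report = {}
    for header in headers:
        name, issues = audit_cookie(header)
        if issues:
            report[name] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit_cookies(SAMPLE_COOKIES).items():
        print(f"{name}: {', '.join(issues)}")
```

The session cookie in the first sample is the one that costs the most points: without Secure it is exposed on any plain-HTTP request, without HttpOnly any XSS in the CMS hands it to the attacker, and without SameSite it rides along on cross-site requests.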

Privacy Policy

To comply with GDPR, your website needs a privacy policy that describes how visitors' information is processed, published on its own page of the site.

GDPR privacy compliance

Conclusion

Once you have taken the measures and fixed the weaknesses described in this article, you can expect an A or A+ score for your website. An A+ from ImmuniWeb's website security test is good evidence that your server and CMS are configured in line with current security and privacy requirements such as GDPR or PCI DSS; because the test is non-intrusive, it does not replace a penetration test of the application itself.

Hope you and your website will stay safe!
