hardening SSL + HEADER (!10) · Merge requests · indiehost / haproxy · GitLab

Ozoux requested to merge jodumont:patch-1 into master Sep 08, 2017

Created by: jodumont

global option == no-sslv3 no-tls-tickets force-tlsv12

CAMELIA CIPHER == on the way to be NIST & HIPAA Compliant

redirect only if not already SSL
Hardening HEADER with: ++ X-Frame-Options:\ SAMEORIGIN # OR DENY is another option ++ X-XSS-Protection ++ X-Content-Type-Options == nosniff ++ Referrer-Policy == no-referrer-when-downgrade

which bring the security headers grade from E to B tested with https://securityheaders.io

NOTE: Public-Key-Pins is more or less a DEAD project (https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead) Content-Security-Policy is tricky to make it GENERAL