How to go about strengthening the security of your website? Some issues to consider.
When you perform a scan here:
http://isithacked.com/check/
one should establish that no cloaking is taking place, i.e. that the site does not serve different code to Googlebot than it serves to ordinary visitors.
Check the HTTP status codes; they should all be the same.
Are there any spammy-looking links?
Are there any iframes that could be hidden and malicious?
Is your site blacklisted? Reputation check:
PASSED
Google Safe Browse:OK
Spamhaus Check:OK
Abuse CC:OK
Dshield Blocklist:OK
Cisco Talos Blacklist:O
A WordPress security scan also returns this blacklisting information, along with information on outdated WordPress core software, outdated plug-ins etc., and on insecure settings such as user enumeration enabled and directory listing enabled.
We should also check for excessive information disclosure by the web server. Look up the site's IP on shodan.io;
there you can also explore the server bugs and vulnerabilities listed for that particular host IP.
An example of a GoDaddy-hosted IP with listed vulnerabilities:
https://www.shodan.io/host/107.180.57.26
Note (Shodan's own caveat): the device may not be impacted by all of these issues; the vulnerabilities are implied based on the software and version.
That is why it is so important to keep your web server from advertising its software and version so loudly: Shodan derives that list from exactly those banners. (Also worth running: a Dazzlepod IP scan and a DOM-XSS issue scan.)
Please retire vulnerable jQuery libraries. Two ways to check: the Retire.js extension for website developers,
https://retirejs.github.io/retire.js/
or the online scanner here:
http://retire.insecurity.today/#!/scan
Another check: look for JavaScript errors with an extension like JavaScript Errors Notifier.
The Web Developer extension gives a complete range of tools; then open the browser's developer tools with Ctrl+Shift+I.
This is for website developers.
It is also important to know about security header implementation; check it with an extension like RECX Security Analyzer.
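Retire.js works by recognising library version strings in script URLs and file contents and matching them against a list of advisories. The following added example, written for this post and not Retire.js's own code, does the same for jQuery only: it pulls versions from `<script src>` paths and the `jQuery vX.Y.Z` banner of inline copies, skips jQuery UI/Migrate/Mobile so they are not mistaken for core, and flags versions older than the fix for four well-known jQuery advisories. The sample HTML is constructed; the cdnjs.example.invalid host is a placeholder.

```python
"""Added example: Retire.js-style detection of outdated jQuery in page HTML."""
import re

# (first fixed version, advisory). A jQuery older than the fixed version is flagged.
JQUERY_ADVISORIES = [
    ((1, 9, 0), "CVE-2012-6708: XSS via selector containing HTML (fixed in 1.9.0)"),
    ((3, 0, 0), "CVE-2015-9251: XSS via cross-domain Ajax text/javascript response (fixed in 3.0.0)"),
    ((3, 4, 0), "CVE-2019-11358: prototype pollution in jQuery.extend (fixed in 3.4.0)"),
    ((3, 5, 0), "CVE-2020-11022/CVE-2020-11023: XSS via htmlPrefilter and untrusted HTML (fixed in 3.5.0)"),
]

# 'jquery' not followed by ui/migrate/mobile, then '-1.12.4', '/3.5.1/' or ' v3.4.1'.
JQUERY_CORE = r"jquery(?!-?ui|\.ui|-migrate|-mobile)"
VERSION_RE = re.compile(JQUERY_CORE + r"(?:[/-]|\s+v|\s+)(\d+)\.(\d+)(?:\.(\d+))?", re.I)


def parse_version(match):
    """Regex groups -> (major, minor, patch); a missing patch counts as 0."""
    return tuple(int(g) if g else 0 for g in match.groups())


def find_jquery_versions(html):
    """Every jQuery core version referenced in the page, as a set of tuples."""
    return {parse_version(m) for m in VERSION_RE.finditer(html)}


def unversioned_jquery_scripts(html):
    """<script src> URLs that point at jQuery core but carry no version: check by hand
    (download the file and read its banner) since nothing can be concluded from the URL."""
    srcs = re.findall(r"""<script[^>]+src=["']([^"']*jquery[^"']*)["']""", html, re.I)
    return [s for s in srcs
            if re.search(JQUERY_CORE, s, re.I) and not VERSION_RE.search(s)]


def advisories_for(version):
    return [advisory for fixed, advisory in JQUERY_ADVISORIES if version < fixed]


def retire_report(html):
    """Map each detected version string to the advisories it is exposed to."""
    return {".".join(map(str, v)): advisories_for(v)
            for v in sorted(find_jquery_versions(html))}


# Constructed sample page: an old core, a current core, jQuery UI (must be ignored),
# an unversioned legacy copy and an inline copy identified by its banner comment.
SAMPLE_HTML = """<html><head>
<script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
<script src="https://cdnjs.example.invalid/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script src="/assets/js/jquery-ui-1.12.1.min.js"></script>
<script src="/legacy/jquery.min.js"></script>
<script>/*! jQuery v3.4.1 | (c) JS Foundation and other contributors */</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for version, advisories in retire_report(SAMPLE_HTML).items():
        print(version, "OK" if not advisories else "")
        for a in advisories:
            print("   ", a)
    print("unversioned:", unversioned_jquery_scripts(SAMPLE_HTML))
```

Note that a page with two jQuery copies is exposed through the oldest one, so retire every copy, including the one a theme or plug-in bundles, not just the one in the main template.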
Or just scan here:
https://www.immuniweb.com/websec/
and here:
https://observatory.mozilla.org/
Then generate your CSP:
https://www.cspisawesome.com/
It is not good to read, for example:
X-Frame-Options header is missing
-2 X-XSS-Protection header is missing
-1 X-Content-Type-Options header is missing
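The scanner output above and the "web server talking too loud" point made earlier with Shodan are two sides of the same response: headers that should be there and are not, and headers that are there and say too much. The following added example, written for this post and not the code of Observatory, ImmuniWeb or cspisawesome.com, audits a header set for both, treats a CSP `frame-ancestors` directive as an acceptable substitute for X-Frame-Options (as current browsers do), and includes a small directive-to-header serializer for the CSP step. The weak and hardened header sets are constructed; `fetch_headers` is the live helper and is not used by the offline samples.

```python
"""Added example: security-header audit, banner-disclosure check and CSP serializer."""
import http.client
from urllib.parse import urlsplit


def fetch_headers(url, timeout=10):
    """HEAD the URL and return its response headers as a lower-cased dict (live use)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    conn.request("HEAD", parts.path or "/", headers={"User-Agent": "header-audit/0.1"})
    return {k.lower(): v for k, v in conn.getresponse().getheaders()}


# Headers a hardened site should send, each with the value test it must pass.
REQUIRED = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "content-security-policy": lambda v: "default-src" in v.lower() or "script-src" in v.lower(),
    "referrer-policy": lambda v: bool(v.strip()),
}
# Headers that commonly carry software versions; this is what Shodan indexes.
DISCLOSURE = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def audit_headers(headers):
    """Return a list of findings for one response's headers (empty list = clean)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, value_ok in REQUIRED.items():
        if name not in h:
            findings.append(f"{name} header is missing")
        elif not value_ok(h[name]):
            findings.append(f"{name} header has a weak value: {h[name]!r}")
    # Framing protection: X-Frame-Options or CSP frame-ancestors; either is acceptable.
    csp = h.get("content-security-policy", "").lower()
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("x-frame-options header is missing and CSP has no frame-ancestors")
    # X-XSS-Protection '1' without mode=block leaves the legacy filter in its selective
    # filtering mode, which has been abused as a side channel; '0' or '1; mode=block' only.
    xss = h.get("x-xss-protection", "").replace(" ", "").lower()
    if xss.startswith("1") and "mode=block" not in xss:
        findings.append("x-xss-protection set to '1' without mode=block")
    for name in DISCLOSURE:
        if name in h and any(c.isdigit() for c in h[name]):
            findings.append(f"{name} header discloses a version: {h[name]!r}")
    return findings


def build_csp(directives):
    """Serialize {directive: [sources]} into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())


# Constructed samples: a typical default server and the same server after hardening.
SAMPLE_WEAK = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html; charset=UTF-8",
}
SAMPLE_HARDENED = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": build_csp({
        "default-src": ["'self'"],
        "script-src": ["'self'", "https://code.jquery.com"],
        "object-src": ["'none'"],
        "frame-ancestors": ["'none'"],
    }),
}

if __name__ == "__main__":
    # Live use: audit_headers(fetch_headers("https://example.com/")) in place of a sample.
    for line in audit_headers(SAMPLE_WEAK):
        print("-", line)
    print("hardened findings:", audit_headers(SAMPLE_HARDENED))
```

Deploy a generated CSP as `Content-Security-Policy-Report-Only` first and read the violation reports before enforcing it; a policy that blocks the site's own scripts shows up on the site, not in the scanner.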
In the next posting we will look at other aspects and go a-linting,
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)