Web sites are often hacked and compromised, mostly by the use of
injected third-party scripts running on advertising and tracking
servers that many sites liberally link from their pages.

Because historically browsers tend to do exactly what they are told,
new HTTP headers keep being added that attempt to mitigate web page
exploits and tracking.  Fortunately, there are web sites that will test
your public domains, such as:

https://observatory.mozilla.org/

Essentially, SSL is now considered a requirement, and browsers are
increasingly distrusting non-SSL sites, warning when passwords are entered
without SSL, and may finally block non-SSL sites.

Even running both SSL and non-SSL is no longer considered good practice, a
pity since the IcsHosts concept added earlier this year makes this easy
in the ICS web server.  Instead, all port 80 accesses should be
redirected to port 443 with SSL, which can also be done using IcsHosts,
as illustrated in the new OverbyteIcsSslMultiWebServ multi web server
sample.

To provide the best protection, the ICS web server PersistentHeader
property should be set to add the following headers to all web pages: 

Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Referrer-Policy: same-origin

However, note that these headers mean many old web pages using inline style
and script tags will no longer work, because these are the means by which
malicious code is injected into web pages.

Instead, all styles should be in .CSS files, and scripts in .JS files,
and onevent tags replaced by DOM events.  To avoid all this, the
Content-Security-Policy header has many options to allow inline scripts,
but this means malicious scripts may run as well.  Also, some web pages
do need external scripts, for instance Google Fonts or Maps; for maps I
use:

Content-Security-Policy: script-src 'self' https://maps.googleapis.com https://maps.gstatic.com; object-src 'self'

Also, the nosniff header above means script and style files must have
the correct MIME type to be executed; this required a fix to the ICS
MimeTypesList to get the correct JavaScript type, in ICS V8.50.

With these changes, my ICS web server site now gets an A+ rating from
Mozilla.

Angus
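The script below is an added example and is not code from Angus's post or from the ICS project. It audits a set of response headers against the ones recommended in the post (HSTS for at least a year with includeSubDomains, nosniff, X-Frame-Options, a CSP, Referrer-Policy) and evaluates which script origins a Content-Security-Policy lets run, including the fallback from script-src to default-src. The header values are a constructed sample built from the Google Maps policy quoted in the post; the page origin https://example.com is an assumption, and nothing is fetched from the network.

```python
"""Added example (not from the post or the ICS project): audit response
headers and evaluate CSP script sources.  SAMPLE_HEADERS is constructed."""
from urllib.parse import urlsplit

# Constructed sample, using the Maps policy quoted in the post.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "script-src 'self' https://maps.googleapis.com "
                               "https://maps.gstatic.com; object-src 'self'",
    "Referrer-Policy": "same-origin",
}
PAGE_ORIGIN = "https://example.com"   # assumed origin of the page being audited
ONE_YEAR = 31536000


def parse_csp(value):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def origin_of(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def source_matches(source, url, page_origin):
    """Match one CSP source expression ('self', 'none', '*', scheme:, host or
    scheme://host with optional *. wildcard) against a URL.  Ports, nonces
    and hashes are not modelled."""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_of(url) == page_origin
    if source == "*":
        return True
    if source.startswith("'"):          # 'unsafe-inline' etc. are not URL sources
        return False
    u = urlsplit(url)
    if source.endswith(":"):            # scheme source such as https:
        return u.scheme.lower() == source[:-1].lower()
    if "://" in source:
        scheme, _, host = source.partition("://")
        if scheme.lower() != u.scheme.lower():
            return False
    else:
        host = source
    host = host.lower().rstrip("/")
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host


def script_sources(policy):
    # script-src governs scripts; when absent, CSP falls back to default-src.
    return policy.get("script-src", policy.get("default-src"))


def script_allowed(policy, url, page_origin=PAGE_ORIGIN):
    """True if the policy would let a script loaded from url execute."""
    sources = script_sources(policy)
    if sources is None:                 # neither directive: no restriction
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


def inline_scripts_allowed(policy):
    sources = script_sources(policy)
    return sources is None or "'unsafe-inline'" in sources


def audit(headers):
    """Return findings for headers that are missing or weaker than recommended."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = [p.strip().lower() for p in h.get("strict-transport-security", "").split(";")]
    max_age = next((int(p[8:]) for p in hsts if p.startswith("max-age=") and p[8:].isdigit()), 0)
    if max_age < ONE_YEAR:
        findings.append("HSTS max-age below one year or missing")
    if "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(h["content-security-policy"])
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        if inline_scripts_allowed(policy):
            findings.append("CSP allows inline scripts")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print("finding:", finding)
    csp = parse_csp(SAMPLE_HEADERS["Content-Security-Policy"])
    for url in ("https://maps.googleapis.com/maps/api/js", "https://evil.example/x.js"):
        print(url, "allowed" if script_allowed(csp, url) else "blocked")
```

Run against the sample, the audit reports exactly one finding: the Maps policy lists script-src and object-src but no default-src, so every other fetch directive (style-src, img-src, frame-src and so on) is left unrestricted; adding `default-src 'self'` alongside the script-src list closes that gap while still permitting the two Google hosts.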




-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
