Security improvements

  • I did a security scan on my system (i-mscp 1.2.15) and I think the following advisories are important:


    1. Missing httpOnly Cookie Attribute

    Code
    The cookies: Set-Cookie: iMSCP_Session=h473no9u689i4sht5fshqogbg4; path=/ are missing the httpOnly attribute.

    Set session.cookie_httponly = true in all php.ini files.


    see: https://www.owasp.org/index.php/HttpOnly



    2. SSL Weak Ciphers in POP3S, IMAPS, SMTPS, POP3-SSL, IMAP-SSL, SMTP-SSL


    Code
    Weak ciphers offered by this service:
    TLS1_RSA_RC4_128_MD5
    TLS1_ECDHE_RSA_WITH_RC4_128_SHA
    TLS1_RSA_RC4_128_SHA
    TLS1_RSA_RC4_128_MD5
    TLS1_ECDHE_RSA_WITH_RC4_128_SHA
    TLS1_RSA_RC4_128_SHA
    TLS_1_2_RSA_WITH_RC4_128_MD5
    TLS_1_2_RSA_WITH_RC4_128_SHA

    Add default secure ciphers.

    3. HSTS and Hardening for Apache and nginx


    For Apache, add to config/apache/parts/domain_ssl.tpl:


    Code
    <VirtualHost {DOMAIN_IP}:443>
        ...
        Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        Header always set X-Content-Type-Options "nosniff"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Xss-Protection "1; mode=block"
        ...
    </VirtualHost>


    For nginx, add to config/nginx/00_master_ssl.conf:


    Code
    server {
        server_name {BASE_SERVER_VHOST};
        ....
        add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
        add_header Strict-Transport-Security max-age=31536000;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Xss-Protection "1; mode=block" always;
        ....
    }


    4. HPKP for Apache and nginx


    For HPKP you need to get a base64 encoded fingerprint of the certificate; please have a look at https://scotthelme.co.uk/hpkp-http-public-key-pinning/

    Edited once, last by Starlight ().
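A small checker for verifying the items in the post above (HttpOnly/Secure on the session cookie, HSTS, X-Content-Type-Options, X-Frame-Options, CSP) against a raw HTTP response. This is an added example, not i-MSCP code; the two responses are constructed samples modelled on the scan output, and the header names to require are my assumption.

```python
"""Audit a raw HTTP response for the cookie flags and security headers discussed above."""
from email.parser import Parser

# Constructed sample: the unhardened response as reported by the scanner (not a real capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: iMSCP_Session=h473no9u689i4sht5fshqogbg4; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: the same response after the php.ini, Apache/nginx changes from the post.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: iMSCP_Session=h473no9u689i4sht5fshqogbg4; path=/; Secure; HttpOnly\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Header -> substring that must appear in its value (None = presence is enough). Assumed list.
REQUIRED_HEADERS = {
    "strict-transport-security": "max-age=",
    "x-content-type-options": "nosniff",
    "x-frame-options": None,
    "content-security-policy": None,
}

def parse_headers(raw):
    """Split a raw response into its status line and a case-insensitive header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_text = head.partition("\r\n")
    return status_line, Parser().parsestr(header_text)  # email parser keeps repeated headers

def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    _status, msg = parse_headers(raw)
    findings = []
    for cookie in msg.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "httponly" not in flags:
            findings.append(f"cookie {name} missing HttpOnly")
        if "secure" not in flags:
            findings.append(f"cookie {name} missing Secure")
    for header, needle in REQUIRED_HEADERS.items():
        value = msg.get(header)
        if value is None:
            findings.append(f"missing header {header}")
        elif needle and needle not in value.lower():
            findings.append(f"header {header} lacks {needle}")
    return findings
```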

  • 4. HPKP for Apache and nginx


    For HPKP you need to get a base64 encoded fingerprint of the certificate; please have a look at scotthelme.co.uk/hpkp-http-public-key-pinning/

    I hope you really know what you are doing with HPKP, because if you make a mistake you block your visitors for the time of the max-age value.

  • HSTS feature for customers is already implemented in 1.3.x branch.