====== Webserver Security Verification ======

**General Information**

Verifying security settings on web servers.

**Checklist**
  * Apache HTTPD or Nginx

----

====== Verify SSL Ciphers ======

Ciphers - Check which ciphers openssl will use for this cipher string
<code bash>
openssl ciphers -v 'HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4'
</code>

\\
Ciphers - Perform an SSL scan on the web server
<code bash>
sslscan --no-failed 192.168.1.123:443
</code>
  * Look for "Supported Server Cipher(s)" and "Preferred Server Cipher(s)"

\\
Ciphers - Perform an SSL scan on the web server and show only the Accepted lines
<code bash>
sslscan --no-failed 192.168.1.123:443 | grep Accepted
</code>

----

====== Verify HTTP Headers ======

Verify which HTTP headers are set: HSTS and others.
<code bash>
curl --head https://mysite.domain.com/
</code>

----

linux_wiki/webserver_security_verification.txt Last modified: 2019/05/25 23:50 (external edit)
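The header check from "Verify HTTP Headers", as an added example that is not part of the original page: a shell function that reads `curl --head` output and reports security headers that are missing or weak. The header list beyond HSTS, the minimum max-age and the sample responses are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: audit the response headers printed by `curl --head`.
# ASSUMPTIONS (not from the page): the header list below stands in for
# "HSTS and others", and the minimum max-age is a sample policy value.
REQUIRED_HEADERS="strict-transport-security x-content-type-options x-frame-options content-security-policy"
MIN_HSTS_MAX_AGE=15768000   # roughly six months, in seconds

# Reads a header block on stdin, prints one finding per line.
# Returns 0 when clean, 1 when anything is missing or weak.
# The ( ) body runs in a subshell, so its variables stay local.
audit_headers() (
    rc=0
    headers=$(tr -d '\r')            # curl prints header lines with CRLF endings
    for name in $REQUIRED_HEADERS; do
        # Header names are case-insensitive, hence grep -i.
        if ! printf '%s\n' "$headers" | grep -qi "^${name}:"; then
            echo "MISSING ${name}"
            rc=1
        fi
    done
    # An HSTS header with a short lifetime gives little protection.
    age=$(printf '%s\n' "$headers" | grep -i '^strict-transport-security:' |
          grep -oiE 'max-age=[0-9]+' | head -n 1 | cut -d= -f2)
    if [ -n "$age" ] && [ "$age" -lt "$MIN_HSTS_MAX_AGE" ]; then
        echo "WEAK strict-transport-security max-age=${age}"
        rc=1
    fi
    return "$rc"
)

# Constructed sample responses (not captured from a real server).
sample_weak() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n'
    printf 'Strict-Transport-Security: max-age=300\r\nX-Frame-Options: DENY\r\n\r\n'
}
sample_good() {
    printf 'HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=31536000\r\n'
    printf 'X-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\n'
    printf "Content-Security-Policy: default-src 'self'\r\n\r\n"
}

# Live use: curl --silent --head https://mysite.domain.com/ | audit_headers
sample_weak | audit_headers || true
```

The non-zero return status on any finding lets the function gate a deployment or monitoring check.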