General Information

Verifying security settings on web servers.

Checklist

• Apache HTTPD or Nginx

Ciphers - Check what will be used by openssl

openssl ciphers -v 'HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4'

Ciphers - Perform a SSL Scan on the web server

sslscan --no-failed 192.168.1.123:443

• Look for “Supported Server Cipher(s)” and “Preferred Server Cipher(s)”

Ciphers - Perform a SSL Scan on the web server, get just the Accepted lines

sslscan --no-failed 192.168.1.123:443 | grep Accepted

Verify set HTTP headers, HSTS and others.

curl --head https://mysite.domain.com/