linux_wiki:webserver_security_verification

This is an old revision of the document!

Webserver Security Verification

General Information

Verifying security settings on web servers.

Checklist

  • Apache HTTPD or Nginx

Verify SSL Ciphers

Ciphers - Check what will be used by openssl 

openssl ciphers -v 'HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4'


Ciphers - Perform a SSL Scan on the web server 

sslscan --no-failed 192.168.1.123:443
  • Look for “Supported Server Cipher(s)” and “Preferred Server Cipher(s)”


Ciphers - Perform a SSL Scan on the web server, get just the Accepted lines 

sslscan --no-failed 192.168.1.123:443 | grep Accepted

Verify HTTP Headers

Verify set HTTP headers, HSTS and others. 

curl --head https://mysite.domain.com/
  • linux_wiki/webserver_security_verification.1521836058.txt.gz
  • Last modified: 2019/05/25 23:50
  • (external edit)