“Ignoring security risk doesn’t make you any less responsible… or liable.” – John Ball
A multi-part series by John Ball, Phillip Kuzma, and Ted Nass on web server security.
Hardenize reminded us that their was more to our internet-facing presence than just encrypted protocols and told us that we needed to tighten up our DNS and email security. Honestly I (John) forgot about the weaknesses around email and DNS security dealing with the daily grind of other INFOSEC issues.
Hardenize is just cool. Remember we are suckers for good grades and green boxes. One thing we like about Hardenize over SSL Labs is that you can drill down for more information on the items implemented or not implemented. Hardenize was the service that reminded us about our (lack of) DMARC setup and is another one of those nice services that we’ve added to our website footer for https://www.johndball.com and https://www.powershellmagic.com.
Similar to SSL Lab’s report, start with your domain issues identified under the “Domain” section. Correct your Name Servers and CAA if possible and correct the issues under the “WWW” section. Knock out TLS, certificates, and mixed content issues. Once those items are finished check out some more advanced features such as:
- Public-side DNSSEC
- SRI – Sub Resource Integrity can be configured on WordPress by using the Subresource Integrity (SRI) Manager plugin. You’ll need to use Hardenize to run a report and view the SRI results provided. You’ll then need to jump between Hardenize and your plugin settings and enable or disable resources that cannot support SRI. One resource that required disabling in our tests was the Google Fonts resource.
Resources used in this post: