In virtually all cases, web services are sold to the general public - either in the form of WordPress hosting or, for the more advanced, a VPS. However, on every occasion I’ve been party to, the website and its associated webserver are never secured properly unless the recipient of the service already knows how to do this.
Own your own domain? Host your own website, or is someone hosting it for you? Go over to https://securityheaders.io and enter your website address to perform a scan. You shouldn’t be too shocked if you see this returned
It’s an all-too-common sight. Unfortunately, it’s also a way for cyber criminals to hijack your server or website and use it for a whole variety of nefarious purposes. Fortunately, it’s relatively simple to harden websites and servers against these issues by adding the control directives below to (for example) Apache - NGINX is also possible, but the configuration differs slightly. Here’s an example of the ones you’d add for Apache
# These directives need mod_headers; the header name is given without a colon.
Header set X-Content-Type-Options "nosniff"
# Legacy filter: current Chromium and Firefox ignore it, but it is harmless here.
Header set X-XSS-Protection "1; mode=block"
Header set X-Download-Options "noopen"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Referrer-Policy "no-referrer"
Header set X-Frame-Options "DENY"
Header set Content-Security-Policy "upgrade-insecure-requests"
# Feature-Policy has since been renamed Permissions-Policy; the old name still works in older browsers.
Header set Feature-Policy "vibrate 'none'; geolocation 'none';"
# Overwrites the PHP/framework version string with a harmless value.
Header set X-Powered-By "domain.com"
# CORS accepts a single origin or "*", not a subdomain wildcard such as *.domain.com.
# Only add this line if another origin really needs to read responses from this site.
Header set Access-Control-Allow-Origin "https://domain.com"
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Replace “domain.com” with your own domain. The directives require the mod_headers module to be enabled (on Debian-based systems: a2enmod headers). Save the configuration file, then restart your Apache web server.
Re-run the test, and you should see
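If you would rather verify the result yourself than rely on an external scanner, the following script audits a saved response head (for example, the output of curl -sI against your site) for the headers the post recommends. It is an added example, not code from the original post or from securityheaders.io; the two sample responses are constructed to show a stock PHP/Apache install before the change and the same server after it, and the grading scale is a simplification of what a real scanner reports.

```python
"""Audit an HTTP response's security headers, in the spirit of the
securityheaders.io scan recommended above. Added example, not code from
the original post; the sample responses below are constructed."""
import re

LONG_MAX_AGE = 31536000  # one year, a common minimum for HSTS max-age


def parse_head(raw: str) -> dict:
    """Parse a raw HTTP response head (e.g. saved from `curl -sI`) into a
    dict keyed by lower-cased header name. Repeated names are joined."""
    headers: dict = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the head
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def hsts_max_age(value: str) -> int:
    """Return the max-age from a Strict-Transport-Security value, or 0."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


# Header name -> (predicate the value must satisfy, reason when it fails)
CHECKS = {
    "strict-transport-security": (lambda v: hsts_max_age(v) >= LONG_MAX_AGE,
                                  f"max-age below {LONG_MAX_AGE}"),
    "content-security-policy": (lambda v: bool(v.strip()), "empty policy"),
    "x-frame-options": (lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
                        "must be DENY or SAMEORIGIN"),
    "x-content-type-options": (lambda v: v.strip().lower() == "nosniff",
                               "must be nosniff"),
    "referrer-policy": (lambda v: v.strip().lower() in {
        "no-referrer", "same-origin", "strict-origin", "origin",
        "strict-origin-when-cross-origin", "no-referrer-when-downgrade",
        "origin-when-cross-origin"}, "unrecognised policy"),
}
# Headers that tend to leak software versions to a casual scan.
LEAKY = ("server", "x-powered-by")
VERSION_RE = re.compile(r"\d+\.\d+")


def audit(headers: dict) -> dict:
    """Classify the recommended headers as ok / weak / missing, and flag
    version leaks and a broken CORS pairing. Keys are lower-case names."""
    report = {"ok": [], "weak": [], "missing": [], "leaks": []}
    for name, (ok, why) in CHECKS.items():
        if name not in headers:
            report["missing"].append(name)
        elif ok(headers[name]):
            report["ok"].append(name)
        else:
            report["weak"].append(f"{name}: {why}")
    for name in LEAKY:
        if name in headers and VERSION_RE.search(headers[name]):
            report["leaks"].append(f"{name}: {headers[name]}")
    # Browsers reject a wildcard origin combined with credentials; it is a
    # sign of a copy-pasted CORS policy and worth calling out.
    acao = headers.get("access-control-allow-origin", "").strip()
    creds = headers.get("access-control-allow-credentials", "").strip().lower()
    if acao == "*" and creds == "true":
        report["weak"].append("access-control-allow-origin: * with credentials")
    return report


def grade(report: dict) -> str:
    """Letter grade in the style of a header scanner: A only when nothing
    is missing, weak or leaking; one grade lower per finding down to F."""
    problems = len(report["missing"]) + len(report["weak"]) + len(report["leaks"])
    return "ABCDEF"[min(problems, 5)]


# Constructed sample: what a default PHP-on-Apache install tends to send.
BEFORE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: the same server after the Header directives above.
AFTER = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: no-referrer
Content-Security-Policy: upgrade-insecure-requests
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Powered-By: domain.com
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        result = audit(parse_head(raw))
        print(label, grade(result), result)
```

To check a live site, save the head with curl -sI https://your-domain.example > head.txt and pass the file contents to parse_head(); the "before" sample grades F because five headers are missing and two reveal version numbers, while the "after" sample grades A.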