Secure Web Applications

We all certainly agree thing that SSL/TLS is start point in making your web secure, but are there many other things which must be respect. If you forgot only one, you can be hacked by everyone in the world ! From this purposes I collect several settings for my stack (Django, Gunicorn, Nginx), but most things are platform independent.

Certificate

First what you need is SSL/TLS Certificate, in last year was released Let's Encrypt which provides CA as a Service for everyone(for hackers..), i write Salt formula for configuring Let's Encrypt.

Ciphers

Setting up right ciphers you make some users sad(IE), but other will be happy.

SSL Config Generator

HSTS

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.

CSP

The new Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via a HTTP Header.

http://content-security-policy.com/

HTTP2

I think that HTTP2 is what we need five years ago, but his journey just starts now. Nginx has support for HTTP2 since 1.9.5 but I have problems with Gzip in 1.9.9-1. Certainly security benefit is that HTTP2 is supported only with SSL/TLS which makes this unusable on 85% web sites now.

Django Secure Configuration

By default Django has most of SSL things disabled, because SSL is still only for privileged users which has money for certificates.

This is only my general recommendation, but you must knows what these things means, because you can broke your sites.

# Pass this header from the proxy after terminating the SSL,
# and don't forget to strip it from the client's request.
# For more information see:
# https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
# Secure the cookies from security exploits
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
# for sure
SECURE_SSL_REDIRECT = True

XSS

Never blindly accept html from your users ! For example if you have Form Builder which allows you to create forms which are publicly submitted by everyone, your admin session could be hijacked.
For simple test your inputs/outputs write <script>alert(1)</script> when your browser fires alert then you are hijacked !