DNS hijacking (Prevention) Guide 2

The code Strict-Transport-Security: max-age=31536000; includeSubDomains is an HTTP header configuration, written in the HTTP header syntax. HTTP headers are part of the HTTP protocol and are used to convey additional information about an HTTP request or response. In this case, the header is setting HSTS (HTTP Strict Transport Security) for a web server to instruct browsers to enforce HTTPS for the specified duration.

The code Strict-Transport-Security: max-age=31536000; includeSubDomains isn’t written in a traditional programming language like Python or Java. Instead, it’s part of the HTTP protocol. Specifically, it’s an HTTP response header used to instruct browsers to enforce HTTPS connections for a set period, part of HTTP header configuration rather than a coding language. Web servers use configuration files (in languages like NGINX or Apache configuration syntax) to implement this header.

Here are examples of how to set the HSTS header in NGINX and Apache configuration files:

NGINX Configuration

To enable HSTS in NGINX, add the following line to the server block in your NGINX configuration file (typically located at /etc/nginx/nginx.conf or in a site-specific file in /etc/nginx/sites-available/):

server {
    listen 443 ssl;
    server_name example.com;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # Other configurations...
}

Apache Configuration

In Apache, add the following line to the .htaccess file or your site’s configuration file (often found in /etc/apache2/sites-available/):

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>

After configuring, restart the web server to apply changes (sudo systemctl restart nginx or sudo systemctl restart apache2). This setup enables HSTS, instructing browsers to enforce HTTPS connections

Here’s a full example of a secure server configuration with multiple layers of security for both NGINX and Apache, including SSL/TLS settings, HSTS, XSS protection, and content security policies.

NGINX Configuration

server {
    listen 443 ssl;
    server_name example.com;

    # SSL/TLS configuration
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384";
    ssl_prefer_server_ciphers on;

    # HSTS (HTTP Strict Transport Security)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # X-Content-Type-Options to prevent MIME-type sniffing
    add_header X-Content-Type-Options "nosniff" always;

    # X-Frame-Options to prevent clickjacking
    add_header X-Frame-Options "DENY" always;

    # X-XSS-Protection to enable XSS filtering
    add_header X-XSS-Protection "1; mode=block" always;

    # Content Security Policy (CSP)
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'" always;

    # Additional configurations (example)
    root /var/www/example.com;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}

Apache Configuration

<VirtualHost *:443>
    ServerName example.com

    # SSL/TLS configuration
    SSLEngine on
    SSLCertificateFile /path/to/certificate.crt
    SSLCertificateKeyFile /path/to/private.key
    SSLProtocol TLSv1.2 TLSv1.3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    # HSTS (HTTP Strict Transport Security)
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # X-Content-Type-Options to prevent MIME-type sniffing
    Header always set X-Content-Type-Options "nosniff"

    # X-Frame-Options to prevent clickjacking
    Header always set X-Frame-Options "DENY"

    # X-XSS-Protection to enable XSS filtering
    Header always set X-XSS-Protection "1; mode=block"

    # Content Security Policy (CSP)
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'"

    # Additional configurations (example)
    DocumentRoot "/var/www/example.com"
    <Directory "/var/www/example.com">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

Explanation of Security Layers

1. SSL/TLS Settings: Configures secure connections with strong protocols and ciphers.
2. HSTS: Enforces HTTPS connections, preventing downgrades to HTTP.
3. X-Content-Type-Options: Prevents MIME-type sniffing, reducing XSS risks.
4. X-Frame-Options: Protects against clickjacking by disallowing the site in frames.
5. X-XSS-Protection: Enables XSS filtering to block scripts in browsers.
6. Content Security Policy (CSP): Limits resource loading sources, reducing XSS risks.

After adding these configurations, restart your web server to apply changes:

• NGINX: sudo systemctl restart nginx
• Apache: sudo systemctl restart apache2

These configurations collectively enhance security by addressing common attack vectors, helping to protect both your server and visitors.