Recently, Mark Stanislav gave a talk on holistic authentication security for companies who have implemented two-factor authentication. He developed a scoring system, MASSACRE, which quantifies the presence of several different security features on a web site; cookie flags, response headers, etc.. This inspired me to see if I could get our Jasig CAS server with Duo 2FA to the top of the charts. As you might know, CAS runs on Apache Tomcat, which leaves a system administrator little room for configuration of these features. Enter HAProxy. Continue reading Raise your MASSACRE Score with HAProxy
Category Archives: Web Servers
HTTP Security Headers in Apache
HTTP offers several headers that can help protect website visitors. OWASP has a great description of them here. Based on that I’d like to quickly share a few configuration changes I make to Apache web servers.
Tomcat SSL Tips
With POODLE being in the news recently, I decided it would be a good idea to look at my overall SSL configuration while closing the door to this issue. What better way to do that than by arbitrarily assigning a letter grade to my servers with the Qualys SSL Labs tool.
Looking at an Apache Tomcat 8 server I started with a C letter grade. Vulnerable to POODLE and Forward Secrecy not supported. Continue reading Tomcat SSL Tips