[tor-talk] Hardenize TorProject Website

bo0od bo0od at riseup.net
Sun May 2 16:34:51 UTC 2021


Hi There,

Checking the Torproject website configs, there is some stuff that is outdated or 
needed... let's see:

* https://www.hardenize.com/report/torproject.org/1619971139#www_tls

- TLS 1.0, 1.1 Deprecated since 2020
- Disable weak ciphers

Due to the usage of TLS 1.0/1.1, the website got a B grade from SSL Labs:

https://www.ssllabs.com/ssltest/analyze.html?d=torproject.org

* https://www.hardenize.com/report/torproject.org/1619971139#www_hsts

- Preload policy doesn't satisfy preload requirements because:

"This HSTS policy doesn't cover subdomains, which is a requirement for 
preloading. Additionally, without full coverage, HSTS can't protect from 
certain cookie attacks that typically allow active network attackers to 
inject cookies into an application."

* https://www.hardenize.com/report/torproject.org/1619971139#www_xxssp

- Enforce XSS protection

"Name: X-Xss-Protection

Value: 1"

It should be:

"Name: X-Xss-Protection

Value: 1; mode=block"


* https://securityheaders.com/?q=torproject.org&followRedirects=on
* https://observatory.mozilla.org/analyze/torproject.org

- Content-Security-Policy: This policy contains 'unsafe-inline' which is 
dangerous in the style-src directive.

- (Experimental but maybe worth attention?) -> Permissions-Policy:

https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/

Why experimental?

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy

ThX!
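An added example, not part of the original post and not Tor Project code: a small offline Python audit that applies the three header checks raised above (HSTS preload coverage, X-Xss-Protection mode=block, 'unsafe-inline' in style-src) to a constructed response, so the same findings can be reproduced against any captured header set.

```python
# Added example, not Tor Project code: offline audit of the header findings in the post. SAMPLE_HEADERS is constructed, not captured from torproject.org.
PRELOAD_MIN_AGE = 31536000  # hstspreload.org requires max-age of at least one year
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=15768000",
    "X-Xss-Protection": "1",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'",
}

def parse_directives(value):
    """Split a ';'-separated header value into lower-cased directives."""
    return [d.strip().lower() for d in value.split(";") if d.strip()]

def check_hsts(value):
    """Return the preload requirements the HSTS policy does not meet."""
    d = parse_directives(value)
    ages = [int(x[8:]) for x in d if x.startswith("max-age=") and x[8:].isdigit()]
    problems = []
    if not ages or ages[0] < PRELOAD_MIN_AGE:
        problems.append("max-age below the preload minimum of 31536000")
    if "includesubdomains" not in d:
        problems.append("no includeSubDomains, so subdomains are not covered")
    if "preload" not in d:
        problems.append("preload directive absent")
    return problems

def check_xss_protection(value):
    """Flag the bare '1' the report objects to (no mode=block)."""
    d = parse_directives(value)
    return ["value is '1' without mode=block"] if d[:1] == ["1"] and "mode=block" not in d else []

def check_csp(value):
    """Flag 'unsafe-inline' in style-src (default-src applies when style-src is unset)."""
    policy = {}
    for directive in parse_directives(value):
        name, _, sources = directive.partition(" ")
        policy[name] = sources.split()
    effective = policy.get("style-src", policy.get("default-src", []))
    return ["'unsafe-inline' allowed for styles"] if "'unsafe-inline'" in effective else []

def audit(headers):
    """Map each checked header to its findings; header names are case-insensitive."""
    checks = {"Strict-Transport-Security": check_hsts, "Content-Security-Policy": check_csp,
              "X-Xss-Protection": check_xss_protection}
    lowered = {k.lower(): v for k, v in headers.items()}
    report = {}
    for name, check in checks.items():
        value = lowered.get(name.lower())
        findings = check(value) if value is not None else ["header missing"]
        if findings: report[name] = findings
    return report
```

Calling `audit(SAMPLE_HEADERS)` returns a finding for each of the three headers; feeding it the headers of a real response (for example parsed from `curl -sI`) shows which of the posted points still apply.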

