HTTP header configuration

Hardening / HTTP header configuration

-> Protect the server and its clients against a range of attacks.

-> These directives are for Apache. For nginx, replace ‘Header set’ with ‘add_header’.


# Content Security Policy (CSP)
Header set Content-Security-Policy "base-uri 'self'; default-src 'self'; script-src 'self'; style-src 'self'; object-src 'self'; frame-ancestors 'none';"

# HTTP Strict Transport Security (HSTS)
Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"

# Reducing MIME type security risks
Header set X-Content-Type-Options "nosniff"

# Reflected Cross-Site Scripting (XSS) attacks
# (legacy header: current browsers have removed the XSS auditor and rely on CSP instead; harmless to keep)
Header set X-XSS-Protection "1; mode=block"

# Clickjacking
Header set X-Frame-Options "DENY"

# Server software information
# (ServerSignature Off only removes the footer on Apache-generated error pages;
#  the version in the Server header itself is controlled by the ServerTokens directive)
ServerSignature Off
Header unset X-Powered-By

# Weak SSL protocols (TLS 1.1 is deprecated as well by RFC 8996; add -TLSv1.1 unless legacy clients still need it)
SSLProtocol  all -SSLv2 -SSLv3 -TLSv1

# HPKP (deprecated: current browsers no longer enforce Public-Key-Pins, and a wrong pin set locks clients out for max-age)
# The pins below are placeholders: replace them with the 44-character base64 SPKI hashes computed in the next section.
Header always set Public-Key-Pins "pin-sha256=\"AAAAAAAAAAAAAAAAAA=\"; pin-sha256=\"AAAAAAAAAAAAAAAAAA=\"; max-age=16070400; includeSubDomains"

# TRACK / TRACE
TraceEnable Off

# Arbitrary HTTP methods (the regex is anchored with $ so that only exactly GET, POST and HEAD are allowed)
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [R=405,L]
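To verify that a deployed server really emits these headers, here is an added example (not part of the original page) that audits a raw HTTP response header block: it reports hardening headers that are missing, information-leaking headers that are present, and a wrong X-Content-Type-Options value. The two sample responses are constructed, not captured from a real server, and the host in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the original page): audit a raw HTTP response
# header block for the hardening headers configured above.
# Live usage (example.invalid is a placeholder, not a real host):
#   curl -sI https://example.invalid | audit_headers

# Headers that must be present (lowercase names).
REQUIRED_HEADERS="content-security-policy strict-transport-security x-content-type-options x-frame-options"

# Headers that should be absent because they reveal server software.
FORBIDDEN_HEADERS="x-powered-by"

# audit_headers: reads raw response headers on stdin, prints one finding per
# line ("MISSING <name>", "LEAKED <name>", "WRONG <name>") or "OK" when clean.
# Exit status is 0 only when there are no findings.
audit_headers() {
    # Normalise to "lowercase-name: value", dropping CRs and the status line.
    hdrs=$(tr -d '\r' | awk '/^[A-Za-z0-9-]+:/ {
        name = $0; sub(/:.*/, "", name)
        rest = $0; sub(/^[^:]*: */, "", rest)
        print tolower(name) ": " rest }')
    rc=0
    for h in $REQUIRED_HEADERS; do
        printf '%s\n' "$hdrs" | grep -q "^$h: " || { echo "MISSING $h"; rc=1; }
    done
    for h in $FORBIDDEN_HEADERS; do
        printf '%s\n' "$hdrs" | grep -q "^$h: " && { echo "LEAKED $h"; rc=1; }
    done
    # nosniff is the only meaningful value for X-Content-Type-Options.
    if printf '%s\n' "$hdrs" | grep -q '^x-content-type-options: ' &&
       ! printf '%s\n' "$hdrs" | grep -qi '^x-content-type-options: nosniff$'; then
        echo "WRONG x-content-type-options"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo OK
    return "$rc"
}

# Constructed sample responses (not captured from a real server).
SAMPLE_WEAK=$(cat <<'EOF'
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
X-Powered-By: PHP/7.4
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Content-Type-Options: nosniff
Content-Type: text/html
EOF
)

SAMPLE_HARDENED=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Type: text/html
EOF
)

echo "== weak =="
# findings are expected here, so the non-zero status is ignored
printf '%s\n' "$SAMPLE_WEAK" | audit_headers || true
echo "== hardened =="
printf '%s\n' "$SAMPLE_HARDENED" | audit_headers
```

The weak sample yields `MISSING x-frame-options` and `LEAKED x-powered-by`; the hardened one prints `OK`. Because the function returns non-zero on any finding, it can be dropped straight into a deployment check or a cron job.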

Getting the public key: Let's Encrypt + Plesk


# Key location:
/usr/local/psa/var/modules/letsencrypt/etc/archive/juju-dev.fr

# Extract the public key and convert it to base64 (this is the SPKI SHA-256 pin)
# From the private key (privkey1.pem in the archive directory above; fullchain1.pem holds certificates, not the key):
openssl rsa -in privkey1.pem -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
# OR from the certificate:
openssl x509 -in my-certificate.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# OR from the CSR:
openssl req -in my-signing-request.csr -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

# That gives a first pin to add to the HTTP header :)
# To add backup pins, just generate other certificates (or keys) and do the same ;)
# !! Watch the quotes in the command !!

Appendix: generating a self-signed key


# Generate a self-signed key and certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
# -> Add '-nodes' to skip the passphrase protection on the private key
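As an added example (not from the original page) serving both the pin section and this appendix: the script below generates a throwaway self-signed key, certificate and CSR in a temporary directory, computes the SPKI SHA-256 pin from each of the three sources with the same openssl pipelines as above, and checks that all three agree and have the expected 44-character base64 length. The key size, subject name and file names are assumptions of the example, and nothing touches the Plesk archive. The resulting value is also what `curl --pinnedpubkey sha256//<pin>` expects, which is a convenient way to verify a pin against a live server.

```shell
#!/bin/sh
# Added example, not from the original page: compute the SPKI SHA-256 pin
# (the value used in pin-sha256="...") from a private key, a certificate and
# a CSR, and check that all three agree. Uses throwaway material generated in
# a temporary directory, so it runs without touching the Plesk archive.

# spki_pin_from_key KEY.pem -> base64 SHA-256 of the DER-encoded public key
spki_pin_from_key() {
    openssl rsa -in "$1" -outform der -pubout 2>/dev/null \
        | openssl dgst -sha256 -binary | openssl enc -base64
}

# spki_pin_from_cert CERT.pem -> same pin, taken from the certificate
spki_pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl rsa -pubin -outform der 2>/dev/null \
        | openssl dgst -sha256 -binary | openssl enc -base64
}

# spki_pin_from_csr REQ.csr -> same pin, taken from the signing request
spki_pin_from_csr() {
    openssl req -in "$1" -pubkey -noout \
        | openssl rsa -pubin -outform der 2>/dev/null \
        | openssl dgst -sha256 -binary | openssl enc -base64
}

# make_test_material DIR: throwaway 2048-bit key, self-signed cert and CSR
# (subject name pin-example.invalid is a placeholder chosen for this example)
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" -out "$1/cert.pem" \
        -days 1 -subj "/CN=pin-example.invalid" >/dev/null 2>&1
    openssl req -new -key "$1/key.pem" -out "$1/req.csr" \
        -subj "/CN=pin-example.invalid" >/dev/null 2>&1
}

# pins_agree DIR: prints the pin and returns 0 only if key, cert and CSR
# yield the same 44-character pin (32 hash bytes in base64)
pins_agree() {
    k=$(spki_pin_from_key "$1/key.pem")
    c=$(spki_pin_from_cert "$1/cert.pem")
    r=$(spki_pin_from_csr "$1/req.csr")
    [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$r" ] && [ ${#k} -eq 44 ] || return 1
    echo "$k"
}

demo() {
    dir=$(mktemp -d)
    make_test_material "$dir"
    if pin=$(pins_agree "$dir"); then
        echo "pin-sha256=\"$pin\""
    else
        echo "pins disagree: check which file you extracted from" >&2
    fi
    rm -rf "$dir"
}

# Only run the demo when openssl is available.
command -v openssl >/dev/null 2>&1 && demo
```

If `pins_agree` fails on real material, the usual cause is feeding a certificate chain to `openssl rsa` or a certificate to `openssl req`, which is exactly the mix-up the three labelled commands above are meant to avoid.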