By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Implement Security on the Web Application Without Touching the Web Application

0

Hi there, Is there any services or Web application firewall that can improve the security of the application without touch the web app itself. So far I only know Cloudfront is able to generate a custom error response.

  1. I want to hide the following type of error message: 500 – Internal Server Error HTTP 403.14 - Forbidden HTTP 403.14 - Forbidden

  2. I want to change the cookie setting of the application: requireSSL="true" sameSite="Lax" -> Not Set in ASPSessionID

  3. Misconfigured security headers: Cache-control: no-cache, no-store, must-revalidate. X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

  4. Usage of Weak Cipher Suites: For example, any Cipher suites, we would like to upgrade all cipher suites are modern compatibility on the application: https://wiki.mozilla.org/Security/Server_Side_TLS

  5. Hiding of Server banner: Server: Microsoft-IIS/8.0 X-Powered-By: ASP-NET

3 Answers
3

AWS WAF is a great service to stop attack traffic from reaching your application in the first place.

The Network Firewall also allows you to apply traffic controls to your application server(s) network traffic.

answered 3 years ago
0

You can use

I would say that it's better to use HeaderResponsePolicy to edit headers because it's free and you don't need to write and maintain any code, but for other things like cookies, you need to apply CF Functions.

profile picture
answered 3 years ago
0

In some web apps, not only the simplest one but even more completed (what can be treated as basic/last or first line of defense-protection in case of other protection failure or even useful for detecting potential slow security pen tests made by bad people before main 'ATTACK") is to change standard ports of services that you use and after ensuring that things like firewall or monitoring service don't generate any warnings , by changing standard ports first of all you will reduce server scans passed by security software and also reduce critical situations probability. In single server app when for example SQL (MySQL) is used, many of standard Linux installations leave database ports opened for world while your app use db locally, on small servers in most situations changing SSH port (no matter that keys and passwords are used) dramatically reduces CPU load and if any firewall or banning system is used it can reduce memory usage dramatically. Even is you use sophisticated protection on the route to your app any basic additional protections will provide extra layer of security (basic, simple but light and giving extra time before bad things happen). Depending on web apps you need consider what do do with services ports that requires incoming connections. In this example lets assume simple WordPress installation with high user traffic. Changing SSH, FTP (if apply), SQL (closing from world or changing ports)l if proxy like ngnix is used its ports also can be changed to non standard, access VPN ports and in my experience making fast check of own server and providing little changes always help but requires more frequent monitoring. Of course it can't make collision with other software.

Another aproach is to protect web app without touching it, I am not specialist but enabling and reading server logs clarifies many questions and help in security.

Please treat my advise as super basic.

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions