Webserver for EWB 3.0 |
Wed, Sep 5 2018 10:18 AM |
Ronald | Hi,
Here in the Netherlands we have a platform where one can test a domain for security. I tested my domain with the EWB server. It scored high, but there were two problems:

1. The EWB server does not have an HSTS policy. This is a header that the server must send in the server response in order to force the client to use https and not http.
2. The server allows client-initiated renegotiation. I read that this was not a security issue, but that it made the server vulnerable to DDoS attacks.

Does EWB3 server handle this? Maybe it can be made possible to add standard headers to every response.

Greetings, Ronald |
Thu, Sep 6 2018 3:57 AM |
Ronald | Ronald wrote:
< Does EWB3 server handle this? Maybe it can be made possible to add standard headers to every response. >

I must admit that I have Stunnel for https running on my server. |
Wed, Sep 12 2018 11:40 AM |
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com | Ronald,
<< 1. The EWB server does not have an HSTS policy. This is a header that the server must send in the server response in order to force the client to use https and not http. >>

There isn't an option in the EWB 3 Web Server for HSTS, but I can certainly add one.

<< 2. The server allows client-initiated renegotiation. I read that this was not a security issue, but that it made the server vulnerable to DDoS attacks. >>

This is handled by Stunnel, so doesn't really apply to EWB directly. For Stunnel, here are the most recent settings that we're using that get an "A" grade in SSL/TLS test suites like Qualys:

https://www.ssllabs.com/ssltest/

Stunnel Config:

options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
ciphers = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
renegotiation = no

Tim Young
Elevate Software
www.elevatesoft.com |
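An added example, not part of the original thread and not Elevate Software's code: a small Python check that reads stunnel configuration text and reports, per service, where the effective settings differ from the ones quoted in the post above. The service name, ports and sample configurations are constructed, and treating global-section settings as defaults for each service is an assumption about stunnel's behaviour.

```python
# Added example (not Elevate Software's code): audit stunnel.conf text against
# the settings quoted in the post above. Service name and ports are constructed.
BASELINE_OPTIONS = {"NO_SSLv2", "NO_SSLv3", "NO_TLSv1"}
BASELINE_EXCLUDES = {"!aNULL", "!kRSA", "!PSK", "!SRP", "!MD5", "!RC4"}

def parse(text):
    """Return {section: [(key, value), ...]}; lines before any [service] are 'global'."""
    sections, current = {"global": []}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def audit(text):
    """Return findings per service; an empty list means the baseline is met."""
    sections = parse(text)
    defaults = sections.pop("global")
    findings = []
    # Assumption: settings in the global section act as defaults for each service.
    for name, pairs in (sections or {"global": []}).items():
        flags, ciphers, reneg = set(), "", "yes"  # renegotiation defaults to yes
        for key, value in defaults + pairs:       # later lines override earlier ones
            if key == "options" and value.startswith("-"):
                flags.discard(value[1:])          # "-NAME" clears a flag set earlier
            elif key == "options":
                flags.add(value)                  # option lines are cumulative
            elif key == "ciphers":
                ciphers = value
            elif key == "renegotiation":
                reneg = value.lower()
        for flag in sorted(BASELINE_OPTIONS - flags):
            findings.append(f"{name}: options = {flag} not in effect")
        for tok in sorted(BASELINE_EXCLUDES - set(ciphers.split(":"))):
            findings.append(f"{name}: ciphers lacks {tok}")
        if reneg != "no":
            findings.append(f"{name}: renegotiation is not disabled")
    return findings

HARDENED = ("options = NO_SSLv2\noptions = NO_SSLv3\noptions = NO_TLSv1\n"
            "ciphers = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4\nrenegotiation = no\n"
            "[https]\naccept = 443\nconnect = 8080\n")
WEAK = HARDENED + "options = -NO_TLSv1\nrenegotiation = yes\n"  # service-level overrides
```

Running `audit()` on the deployed file catches a service section that quietly overrides the global hardening, which a look at the top of the file alone would miss.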
This web page was last updated on Wednesday, August 14, 2024 at 02:26 AM