Privacytools.io: 🌐 Website Issue | improving the reachability and security of the site.

Created on 18 Aug 2019 · 12Comments · Source: privacytools/privacytools.io

When testing privacytools.io on internet.nl, i got a few interesting results:
OUR https is very good, but we lack a few other things like securely configured X-XSS-Protection.
it also seems like we are unable to be reached over IPV6.

We can view the test results here: https://internet.nl/site/privacytools.io/581987/

I hope we can use these results to make som improvements to the site.

🌐 website issue

Source

blacklight447-ptio

👍3

Most helpful comment

I think our CSP is acceptable now?

I'm working on IPv6 support, our DNS nameservers support IPv6 and so does https://ipv6.privacytools.io (for testing) — Probably this week I'll be able to have all our services & the www homepage on IPv4/6 dual-stack 🎉

jonaharagon on 1 Dec 2019

🎉2

All 12 comments

XSS protection is useless on a read-only website

Welteam on 19 Aug 2019

While I agree, we don't know if ptio would ever for example have comments or anything else that's not read only. Having it harms nothing.

blacklight447-ptio on 19 Aug 2019

A CSP (Content Security Policy) is missing too:
https://webbkoll.dataskydd.net/en/results?url=http%3A%2F%2Fwww.privacytools.io | https://observatory.mozilla.org/analyze/privacytools.io

But yes, good security: https://www.ssllabs.com/ssltest/analyze.html?d=www.privacytools.io
and clean result: https://www.virustotal.com/gui/url/287cdd6e652d7c8d3359d9cee8a6082aa170487cbdc65cacf166f08e669ba46a/detection
and also good GDPR result: https://2gdpr.com/185181532

beerisgood on 19 Aug 2019

From what I know, we have a partial CSP, @jonah?

blacklight447-ptio on 19 Aug 2019

This is your current CSP:

default-src 'none'; script-src 'self' 'unsafe-inline' https://stats.privacytools.io; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://*.privacytools.io; object-src 'none'; frame-src https://stats.privacytools.io; font-src 'self'; manifest-src 'self';

One thing that really sticks out to me is the script-src 'unsafe-inline' allowance. This should be removed, which will require moving any inline javascript into .js files which are loaded by the html. I just completed this for my company's website, it's not too bad of a task.

Perelandra0x309 on 19 Aug 2019

From what I know, we have a partial CSP, @jonah?

Correct, we have the strongest CSP the current website code would allow at the time. As @Perelandra0x309 mentioned the main thing we would need to do is move inline Javascript to a separate file. The CSP can then be changed, and it can be modified in this very repo at https://github.com/privacytoolsIO/privacytools.io/blob/master/nginx/010-headers.conf if anyone is interested in making a PR.

A CSP (Content Security Policy) is missing too:

we lack a few other things like securely configured X-XSS-Protection

FYI, we do have XSS Protection enabled, and we do have a CSP, although it isn't perfect. All the headers on the website can be seen at https://github.com/privacytoolsIO/privacytools.io/blob/master/nginx/010-headers.conf

jonaharagon on 19 Aug 2019

@jonah since pull request 1213 got merged,we probably don't have any inline java-script left, so now maybe we can update the csp?

blacklight447-ptio on 26 Aug 2019

👍1

Previously I managed to have the version details for NGINX removed. Since revealing such information makes it easier to exploit the server software.

WorldWideWebWizard on 29 Aug 2019

I found a few issues I'll list them here.

Origin script-src 'unsafe-inline' allows bypassing of CSP and execution of inlined untrusted scripts.
Origin style-src 'unsafe-inline' allows bypassing of CSP and execution of inlined untrusted scripts
The img-src data: origin allows bypassing CSP and execution of inlined untrusted scripts

WorldWideWebWizard on 29 Aug 2019

I think our CSP is acceptable now?

jonaharagon on 1 Dec 2019

🎉2

Did the other issues push back our IPv6 support? :(