CDN security
28 Jan 2019

Securing Your Origin Server

Securing your origin server in today’s digitally-driven online world is vital. With cybersecurity threats growing in both number and sophistication, attackers can compromise an unprotected server in minutes leaving you and your visitors at risk. In an ever-evolving threat landscape, it is crucial that you take proactive steps to ensure your site is safe. Securing your origin server from possible compromise requires you to perform several administrative functions that protect your website, server, and data.

Content Delivery Networks (CDNs) improve the performance and security of your website. Remote caching of your most frequently used content enhances the experience of your site visitors. As the content on a user’s browser loads from a CDN server located as close as possible, it improves their page load times significantly. CDNs also provide your site with some security. They are an effective mechanism to ensure your site remains available when you experience high traffic volumes. By having your content accessible on multiple CDN servers, your static content is effectively load-balanced relieving some of the strain on your web server. However, a CDN is not a security measure. It may help fend off a high-volume attack, but if your origin server is vulnerable, you run the risk of hackers compromising your site. Securing your origin server is, therefore, a vital component in ensuring your architecture is secure.

HTTP Security Headers

Configuring HTTP Security Headers provides your website with an essential layer of security that acts as the first line of defense against a potential compromise. As they instruct a user’s browser on how to behave when they access content on your web server, they form an effective barrier that protects your site and visitors. HTTP headers can contain a variety of server instructions including metadata, error codes, and caching rules. There are however some security-specific headers you can configure to strengthen your site. Every HTTP security header has a particular purpose and setting these can help you in securing your origin server. For example, the X-XSS-Protection header helps defend against Cross Site Scripting (XSS) attacks, and the Content Security Policy (CSP) header gives you the ability to whitelist content sources. There is also the X-Frame-Option header that prevents clickjacking attacks, and the HTTP Strict Transport Security (HSTS) setting ensures the user’s browser encrypts everything emanating from your site and server. Other headers include HTTP Public Key Pinning (HPKP) that helps a visitor’s browser validate the site’s HTTPS certificate. This setting is particularly useful in identifying forged certificates when a Certificate Authority is compromised. There are also several other standard HTTP headers you can configure to strengthen security. Setting the Set-Cookie header is another method you can use to ensure all your content gets served over HTTPS.

Hardening Apache

The Apache web server remains the market leader in most website metrics with it currently hosting 33.04% of the top million sites. Apache being such a popular web server makes it a prime target for hackers. Unfortunately, the default installation of Apache is not as secure as it can be. You need to perform some administration that can help you in securing your origin server. Apache’s default configuration publishes the version and the operating system. As hackers often leverage known vulnerabilities in particular software versions, it is a good security practice to obfuscate the version number of any public facing software interface. Removing the web server banner on Apache is a necessary task in securing your origin server. Another security vulnerability that exists in Apache’s default installation is the ability to execute a directory browser listing. This feature gives potential attackers the ability to enumerate every file and folder running on your web server. As attackers can leverage this information, it is crucial that you disable directory browser listing. The Etag header, like the server version banner, can also provide would-be attackers with sensitive information like the inode number and child processes. Performing the necessary administration to disable this Apache functionality is another task that can help you in securing your origin server. In addition to these Apache configuration settings, you can harden Apache even further by performing a few other administrative tasks. These include ensuring Apache is not running on a privileged account and limiting the number of HTTP request methods your origin server allows.

Hardening Nginx

Nginx is the fastest growing web server and currently has 33.3% of the web server market share. Like Apache, the default instance of Nginx needs to be tweaked to ensure it protects your site and provides the appropriate security for your origin server. Disabling the setting that publishes server version and deactivating any unneeded HTTP methods are two tasks that will improve security. Nginx also supports a variety of HTTP security headers and configuring these can further enhance the security of your site and help you in securing your origin server.

Hardening IIS

Microsoft’s Internet Information Services (IIS) web server holds the highest market share when it comes to sites running on the Internet. Like Apache and Nginx, there are several settings you can configure on IIS to help in securing your origin server. Disabling directory browsing, avoiding wildcard host headers, and using a unique application pool per site are some of the basic settings that strengthen IIS security. You can also enable request filtering and configure settings such as maximum allowed content and query string length. Other request filters you can set include rejecting non-ASCII characters in URLs and disabling HTTP trace request. IIS also supports some HTTP security headers which you can set to enhance the security of your site and your origin server.

Securing Your Origin Server Requires a Layered Approach

Securing your origin server is vital in today’s ever-evolving threat landscape.  With cyberattacks growing in both number and sophistication, taking proactive steps to ensure your site is safe is a necessary administrative function. CDNs help improve the performance and security of your website. However, a CDN alone cannot guarantee the protection of your site and origin server. You need to configure the relevant HTTP security headers as well as perform a variety of other server hardening tasks on Apache, Nginx, or IIS. By attending to these relevant configurations, you can secure your origin server and protect your site and visitors from a possible breach or compromise.