On my first security scan, this was the biggest gap in my infrastructure: I was missing many HTTP response headers that make an application more secure.
- HTTP Strict Transport Security (HSTS)
- Public Key Pinning Extension for HTTP (HPKP)
My snippet for Nginx
According to MDN, Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.
Implement Subresource Integrity in your web application's bundler. For webpack there is a plugin, https://www.npmjs.com/package/webpack-subresource-integrity, which adds the integrity attributes automatically.
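As an added example (not code from the original post or from the webpack plugin), this is what the plugin does under the hood: compute the `integrity` token for a resource and check a fetched body against it the way a browser does, including the multi-token case where only the strongest listed algorithm counts. The script body and CDN URL are constructed sample values.

```python
import base64
import hashlib

# Hash algorithms the SRI spec allows, ordered weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample script bodies standing in for a CDN-hosted file.
SAMPLE_JS = b'console.log("hello from the cdn");\n'
TAMPERED_JS = b'console.log("hello from the cdn");\nconsole.log("modified");\n'


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI integrity token such as 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build a <script> tag carrying the integrity attribute for `content`.

    crossorigin="anonymous" is needed for cross-origin (CDN) resources;
    without it the browser cannot read the body to hash it and refuses to run it.
    """
    return (f'<script src="{src}" integrity="{sri_digest(content)}" '
            'crossorigin="anonymous"></script>')


def verify_integrity(content: bytes, integrity: str) -> bool:
    """Check a fetched body against an integrity attribute as a browser does.

    Several tokens may be listed; only the strongest algorithm present is
    considered, and the body passes if it matches any token of that strength.
    Tokens with unknown algorithms are ignored, and an attribute with no usable
    token disables the check entirely (the spec treats it as "no integrity"),
    so a typo in the algorithm name silently turns SRI off.
    """
    by_alg: dict[str, set[str]] = {}
    for token in integrity.split():
        alg, sep, value = token.partition("-")
        if not sep or alg not in SRI_ALGORITHMS:
            continue
        # Anything after '?' is an option field reserved by the spec; ignore it.
        by_alg.setdefault(alg, set()).add(value.split("?", 1)[0])
    if not by_alg:
        return True
    strongest = max(by_alg, key=SRI_ALGORITHMS.index)
    actual = base64.b64encode(hashlib.new(strongest, content).digest()).decode("ascii")
    return actual in by_alg[strongest]
```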
The web server supports encryption through TLS 1.0. TLS 1.0 is not considered to be “strong cryptography” as defined and required by the PCI Data Security Standard.
When aiming for Payment Card Industry (PCI) Data Security Standard (DSS) compliance, it is recommended (although at the time of writing not required) to use TLS 1.2 or higher instead. If you disable TLS 1.0, older browsers may no longer be able to connect to your site.
Docker containers run with root privileges by default, which is what lets you install packages into your container with apt, pkg, or some other package manager. Ask your developer; in my case, that is me. Add this line at the end of the Dockerfile:
When you create a container whose environment contains sensitive information such as database connection URLs, passwords, or usernames, make sure it is stored as a secret.
In your Docker registry, implement a vulnerability scanner that periodically scans your container images for known vulnerabilities. I prefer https://github.com/quay/quay as the registry, which can scan container images using Clair.
Runtime security and auditing are important in case somebody breaks into the infrastructure. I use https://falco.org/. Falco parses Linux system calls from the kernel at runtime and asserts the stream against a powerful rules engine. If a rule is violated, a Falco alert is triggered. Read more at https://falco.org/docs/.
I use https://prometheus.io/ for our infrastructure; it collects and aggregates metrics from the whole cluster, lets you monitor spikes, and helps you understand any incident better.