secure_headers - Manages application of security headers with many safe defaults

  •        8

master represents 6.x line. See the upgrading to 4.x doc, upgrading to 5.x doc, or upgrading to 6.x doc for instructions on how to upgrade. Bug fixes should go in the 5.x branch for now. The 3.x branch is moving into maintenance mode. See the upgrading to 3.x doc for instructions on how to upgrade including the differences and benefits of using the 3.x branch.

https://github.com/twitter/secure_headers

Tags
Implementation
License
Platform

   




Related Projects

secureheaders - Manages application of security headers with many safe defaults

  •    Ruby

master represents the unreleased 4.x line. See the upgrading to 4.x doc for instructions on how to upgrade. Bug fixes should go in the 3.x branch for now.The 3.x branch is moving into maintenance mode. See the upgrading to 3.x doc for instructions on how to upgrade including the differences and benefits of using the 3.x branch.

csp-builder - Build Content-Security-Policy headers from a JSON file (or build them programmatically)

  •    PHP

Easily integrate Content-Security-Policy headers into your web application, either from a JSON configuration file, or programatically. CSP Builder was created by Paragon Initiative Enterprises as part of our effort to encourage better application security practices.

rack-ssl-enforcer - A simple Rack middleware to enforce ssl connections

  •    Ruby

Rack::SslEnforcer is a simple Rack middleware to enforce SSL connections. As of Version 0.2.0, Rack::SslEnforcer marks Cookies as secure by default (HSTS must be set manually). Tested against Ruby 1.8.7, 1.9.2, 1.9.3, 2.0.0, 2.1.10, 2.2.7, 2.3.4, 2.4.1, ruby-head, REE and the latest versions of Rubinius & JRuby.

secure - HTTP middleware for Go that facilitates some quick security wins.

  •    Go

Secure is an HTTP middleware for Go that facilitates some quick security wins. It's a standard net/http Handler, and can be used with many frameworks or directly with Go's net/http package.Be sure to include the Secure middleware as close to the top (beginning) as possible (but after logging and recovery). It's best to do the allowed hosts and SSL check before anything else.


airship - Secure Content Management for the Modern Web - "The sky is only the beginning"

  •    PHP

The sky is only the beginning. CMS Airship is a secure-by-default content management system, blog engine, and application development framework written for PHP 7.2 and above.

trireme-lib - Simple, scalable and secure application segmentation

  •    Go

Welcome to Trireme, an open-source library curated by Aporeto to provide cryptographic isolation for cloud-native applications. Trireme-lib is a Zero-Trust networking library that makes it possible to setup security policies and segment applications by enforcing end-to-end authentication and authorization without the need for complex control planes or IP/port-centric ACLs and east-west firewalls. Trireme-lib supports both containers and Linux processes as well user-based activation, and it allows security policy enforcement between any of these entities.

Themis - Crypto library for storage and messaging for ObjC, Android, C++, JS, Python, Ruby and PHP

  •    C

Themis is open-source high-level cryptographic services library for mobile and server platforms, providing secure messaging and secure data storage. Themis provides three important cryptographic services Secure messaging, Secure session and Secure storage.

sitecheck

  •    Python

Modular web site spider for web developers.

nginxconfig.io - ⚙️ NGiИX config generator on steroids 💉

  •    HTML

NGINX is so much more than just a webserver. You already knew that, probably. A lot of features with corresponding configuration directives. You can deep dive into the NGINX documentation right now OR you can use this tool to check how NGINX works, observe how your inputs are affecting the output, generate the best config for your specific use-case (and in parallel you can still use the docs).

session - Simple session middleware for koa

  •    Javascript

Simple session middleware for Koa. Defaults to cookie-based sessions and supports external stores. The cookie name is controlled by the key option, which defaults to "koa:sess". All other options are passed to ctx.cookies.get() and ctx.cookies.set() allowing you to control security, domain, path, and signing among other settings.

zxcvbn - Low-Budget Password Strength Estimation

  •    CoffeeScript

zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs 30k common passwords, common names and surnames according to US census data, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.Consider using zxcvbn as an algorithmic alternative to password composition policy — it is more secure, flexible, and usable when sites require a minimal complexity score in place of annoying rules like "passwords must contain three of {lower, upper, numbers, symbols}".

scap-security-guide - Baseline compliance content in SCAP formats

  •    Python

The purpose of this project is to create security policy content for various platforms -- Red Hat Enterprise Linux, Fedora, Ubuntu, Debian, and others. Our aim is to make it as easy as possible to write new and maintain existing security content in all the commonly used formats. "SCAP content" refers to documents in the XCCDF, OVAL and Source DataStream formats. These documents can be presented in different forms and by different organizations to meet their security automation and technical implementation needs. For general use we recommend Source DataStreams because they contain all the data you need to evaluate and put machines into compliance. The datastreams are part of our release ZIP archives.

secure-password - Making Password storage safer for all

  •    Javascript

They're both constrained by the constants SecurePassword.MEMLIMIT_MIN - SecurePassword.MEMLIMIT_MAX and SecurePassword.OPSLIMIT_MIN - SecurePassword.OPSLIMIT_MAX. If not provided they will be given the default values SecurePassword.MEMLIMIT_DEFAULT and SecurePassword.OPSLIMIT_DEFAULT which should be fast enough for a general purpose web server without your users noticing too much of a load time. However your should set these as high as possible to make any kind of cracking as costly as possible. A load time of 1s seems reasonable for login, so test various settings in your production environment. The settings can be easily increased at a later time as hardware most likely improves (Moore's law) and adversaries therefore get more powerful. If a hash is attempted verified with weaker parameters than your current settings, you get a special return code signalling that you need to rehash the plaintext password according to the updated policy. In contrast to other modules, this module will not increase these settings automatically as this can have ill effects on services that are not carefully monitored.

Peergos - A decentralised, secure file storage and social network

  •    Java

Peergos is a peer-to-peer encrypted filesystem with secure sharing of files designed to be resistant to surveillance of data content or friendship graphs. It will have a secure email replacement, with some interoperability with email. There will also be a totally private and secure social network, where users are in control of who sees what (executed cryptographically). The name Peergos comes from the Greek word Πύργος (Pyrgos), which means stronghold or tower, but phonetically spelt with the nice connection to being peer-to-peer. Pronuniation: peer-goss (as in gossip).

light-4j - A fast, lightweight and more productive microservices framework

  •    Java

Light 4j is a fast, lightweight and cloud native microservices framework. Light means lightweight, lighting fast and shed light on how to program with modern Java SE. It is 44 times faster than the most popular microservices platform Spring Boot embedded Tomcat and use only 1/5 of memory.

quick-secure - Quickly secure UNIX/Linux systems

  •    Shell

Quick NIX Secure Script is used to harden and secure basic permissions and ownership on the fly. This script can be used during boot up, cron, bootstrapping, kickstart, jumpstart and during other system deployments. I recommend using CM tools like Puppet or Ansible, but this is still nice. Many times in (prod)uction world prior admins harden without automation or towards an industry baseline. This is to help get to a point of standardization and quickly set or reset basic system security.

Docker-Secure-Deployment-Guidelines - Deployment checklist for securely deploying Docker

  •    

Within today’s growing cloud-based IT market, there is a strong demand for virtualisation technologies. Unfortunately most virtualisation solutions are not flexible enough to meet developer requirements and the overhead implied by the use of full virtualisation solutions becomes a burden on the scalability of the infrastructure. Docker reduces that overhead by allowing developers and system administrators to seamlessly deploy containers for applications and services required for business operations. However, because Docker leverages the same kernel as the host system to reduce the need for resources, containers can be exposed to significant security risks if not adequately configured. The following itemised list suggests hardening actions that can be undertaken to improve the security posture of the containers within their respective environment. It should be noted that proposed solutions only apply to deployment of Linux Docker containers on Linux-based hosts, using the most recent release of Docker at the time of this writing (1.4.0, commit 4595d4f, dating 11/12/14). Part of the content below is based on publications from Jérôme Petazzoni [1] and Daniel J Walsh [2]. This document aims at adding on to their recommendations and how they can specifically be implemented within Docker. Note: Most of suggested command line options can be stored and used in a similar manner inside a Dockerfile for automated image building. Docker 1.3 now supports cryptographic signatures [3] to ascertain the origin and integrity of official repository images. This feature is however still a work in progress as Docker will issue a warning but not prevent the image from actually running. Furthermore, it does not apply to non-official images. In general, ensure that images are only retrieved from trusted repositories and that the --insecure-registry=[] command line option is never used.

django-cors-headers - Django app for handling the server headers required for Cross-Origin Resource Sharing (CORS)

  •    Python

A Django App that adds CORS (Cross-Origin Resource Sharing) headers to responses. CorsMiddleware should be placed as high as possible, especially before any middleware that can generate responses such as Django's CommonMiddleware or Whitenoise's WhiteNoiseMiddleware. If it is not before, it will not be able to add the CORS headers to these responses.

php-restclient - A generic REST API client for PHP

  •    PHP

headers - An associative array of HTTP headers and values to be included in every request. parameters - An associative array of URL or body parameters to be included in every request. curl_options - cURL options to apply to every request; anything defined here: https://secure.php.net/manual/en/function.curl-setopt.php. These will override any automatically generated values. build_indexed_queries (bool) - http_build_query automatically adds an array index to repeated parameters which is not desirable on most systems. Use this option to enable the default behavior. Defaults to FALSE. user_agent - User agent string to use in requests. base_url - URL to use for the base of each request. format - Format string is appended to resource on request (extension), and used to determine which decoder to use on response; a request URL like "api.twitter.com/1.1/statuses/user_timeline.json" would be expected to return well-formed JSON. format_regex - Pattern to extract format from response Content-Type header, used to determine which decoder to use on response. decoders - Associative array of format decoders. See "Direct Iteration and Response Decoding". username - Username to use for HTTP basic authentication. Requires password. password - Password to use for HTTP basic authentication. Requires username. url (string) - URL of the resource you are requesting. Will be prepended with the value of the base_url option, if it has been configured. Will be appended with the value of the format option, if it has been configured.