Editing
430.ch Reconnaissance Report
(section)
Jump to navigation
Jump to search
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
=== Medium Priority === ==== Add HSTS ==== Finding: * HTTPS works well, but HSTS is not configured. Recommended Caddy-style header: <pre> Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" </pre> Use a shorter <code>max-age</code> first if you want a low-risk rollout: <pre> Strict-Transport-Security "max-age=86400" </pre> ==== Tighten apex CORS ==== Finding: * <code>430.ch</code> reflects arbitrary origins and allows credentials. Recommended action: * If static files do not need credentialed cross-origin access, remove credentialed CORS headers. * If cross-origin reads are required, allowlist specific origins and avoid <code>Access-Control-Allow-Credentials: true</code> unless needed. ==== Review MediaWiki public exposure on <code>ov.430.ch</code> ==== Finding: * Public API exposes version, PHP version, DB version, extension version, skins, users, groups, rights changes, and logs. * UI appears to advertise account creation and probable editability. Recommended action: * Decide whether <code>ov.430.ch</code> is intentionally public. * If public, keep MediaWiki and extensions patched. * If private, restrict anonymous read, API, account creation, and editing. * Consider hiding detailed version headers where practical, recognizing that version hiding is defense-in-depth and not a substitute for patching. Potential MediaWiki settings to review: <pre> $wgGroupPermissions['*']['read'] $wgGroupPermissions['*']['edit'] $wgGroupPermissions['*']['createaccount'] $wgGroupPermissions['*']['writeapi'] $wgShowExceptionDetails </pre> ==== Add CAA records ==== Finding: * No apex CAA record observed. Recommended action: If only Let's Encrypt and ZeroSSL should issue: <pre> 430.ch. CAA 0 issue "letsencrypt.org" 430.ch. CAA 0 issue "sectigo.com" 430.ch. CAA 0 issuewild ";" </pre> Tune this based on actual CA usage. ZeroSSL chains to Sectigo in the observed certificate. ==== Add MTA-STS and TLS-RPT ==== Finding: * No MTA-STS or TLS-RPT records observed. Recommended action: Publish: <pre> _mta-sts.430.ch TXT "v=STSv1; id=YYYYMMDD01" _smtp._tls.430.ch TXT "v=TLSRPTv1; rua=mailto:tlsrpt@430.ch" </pre> Serve an HTTPS policy at: <pre> https://mta-sts.430.ch/.well-known/mta-sts.txt </pre> Example policy: <pre> version: STSv1 mode: testing mx: aspmx1.migadu.com mx: aspmx2.migadu.com max_age: 86400 </pre> Move from <code>testing</code> to <code>enforce</code> after confirming reports are clean.
Summary:
Please note that all contributions to Marcopedia may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see
Marcopedia:Copyrights
for details).
Do not submit copyrighted work without permission!
Cancel
Editing help
(opens in new window)
Navigation menu
Personal tools
Not logged in
Talk
Contributions
Create account
Log in
associated-pages
Page
Discussion
English
Views
Read
Edit
View history
More
Search
Navigation
Main page
Recent changes
Random page
Help about MediaWiki
Special pages
Tools
What links here
Related changes
Page information
Online users in chat