This is the third article in the series on hardening this webserver. If you have not read the earlier ones, please read: Protecting my Webserver and SSL Cypher hardening. In this article, I show the usage of the Content-Security-Policy header. This header helps you reduce XSS risks on modern browsers by declaring, via an HTTP header, which dynamic resources are allowed to load.
Why use the CSP header
OK, we have this header, but what will it do for my site?
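To make concrete what a CSP header does for a page, here is an added example (not code from the original article) that evaluates a policy the way a browser does for a resource load: it picks the matching directive, falls back to default-src where the spec allows, matches the resource origin against the source list, and flags source keywords that undo the XSS protection. The policies and URLs are constructed; host matching is simplified (no port or path matching).

```python
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when they are absent.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src",
                       "font-src", "media-src", "frame-src", "object-src"}

def parse_csp(header):
    """Turn "script-src 'self' cdn.example; img-src *" into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allows(source, url, page_origin):
    """Does one CSP source expression permit loading url? (host-only matching)"""
    parsed = urlparse(url)
    origin = f"{parsed.scheme}://{parsed.netloc}"
    if source == "'none'":
        return False
    if source == "'self'":
        return origin == page_origin
    if source.startswith("'"):          # keywords, nonces, hashes never match a URL
        return False
    if source == "*":
        return parsed.scheme in ("http", "https")
    if source.endswith(":"):            # scheme source such as https:
        return parsed.scheme + ":" == source
    host = source.split("://")[-1]      # drop an explicit scheme, compare hosts only
    if host.startswith("*."):
        return parsed.hostname.endswith(host[1:])
    return parsed.hostname == host

def load_allowed(header, directive, url, page_origin):
    """Would a browser enforcing header let this directive's resource load?"""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:                 # no applicable directive: CSP does not restrict it
        return True
    return any(source_allows(s, url, page_origin) for s in sources)

def weak_sources(header):
    """Return script sources that reopen the door to injected script execution."""
    policy = parse_csp(header)
    scripts = policy.get("script-src", policy.get("default-src", []))
    return sorted(s for s in scripts if s in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"))
```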
In the previous post I described simple actions that you can take to harden your web server. It showed you headers that you can alter without much impact on how the site functions.
In this post, I go into more detail on the TLS connection itself. The modern browser does quite a lot when a TLS connection is established. There are multiple protocol versions available to initiate a TLS/SSL connection, and not all of the supported versions are secure.
Just recently I finished an article for the Dutch Java magazine about securing your website by means of HTTPS connections. In the article, we (Ivo Woltring and I) describe in detail how to get a certificate for your webserver from the Let's Encrypt CA.
The end result of those steps is a site that only allows HTTPS connections. This solves the problem of others listening in on your visitors' traffic. Hacking your site is definitely more difficult, but not all attack avenues are closed.