Secure webserver

by Webtrend

Web Server

The go-to place for every business today is the website. A lot of information is exchanged, and the availability and integrity of the data on the web server are important for a business with a professional image.

We help our clients create and run secure web servers. Our main focus is on availability and security. For that we offer many features, which can be found below. We also help with existing setups that need their security upgraded to the latest standards.

Existing setups can often easily be expanded with reverse proxies, such as a reverse HTTP or SMTP proxy. These servers masquerade the traffic of the original source and work transparently with all devices in the network.


HTTPS and ECDSA certificates

To ensure that a trusted HTTPS connection can be established, Webtrend uses certificates from official certificate authorities such as Let's Encrypt. We also issue and use ECDSA certificates instead of traditional RSA certificates: ECDSA has a much smaller key size (384 bit vs 2048/4096 bit) and is supposed to offer better security, especially in the future, as key size scaling in RSA is not great. Because of the smaller key size, certificates created with ECDSA are also more performant.

HTTP/2

Without requiring any changes to web applications, HTTP/2 increases the performance of the web server by a significant amount compared to HTTP/1.1. It does so by changing the way data is framed and transported between the client and the server. This saves data and allows for better performance.

HTTP security headers

Security headers are a subset of HTTP headers that allow the web application and server to mitigate many common attacks, such as cross-site scripting (XSS) and clickjacking. The configuration and usage of these headers depend on the web application and its scope. Depending on how the application is set up and programmed, some security headers may need extensive testing, and the application may change some behaviour.

We support the following headers: Permissions-Policy, X-Content-Type-Options, Referrer-Policy, Strict-Transport-Security, X-Frame-Options and Content-Security-Policy, and also the upcoming security headers Cross-Origin Resource Sharing and Expect-CT.
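As an added example (not Webtrend's code), the Python script below audits a response's headers against the list above and flags missing or weak values; the sample headers and the one-year HSTS threshold are constructed for this example.

```python
# Added example, not Webtrend's code: audit HTTP response headers against the
# security headers listed above and flag missing or weak values.
from typing import Dict, List

# Headers the page lists, lower-cased so lookups are case-insensitive.
EXPECTED_HEADERS = ["strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options",
                    "referrer-policy", "permissions-policy"]
ONE_YEAR = 365 * 24 * 3600  # HSTS max-age threshold used by this example


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response; an empty list means nothing was flagged."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing: {name}" for name in EXPECTED_HEADERS if name not in h]
    # HSTS: split "max-age=N; includeSubDomains; preload" into directives.
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        directives = {}
        for part in hsts.split(";"):
            key, _, value = part.strip().partition("=")
            directives[key.lower()] = value
        max_age = int(directives.get("max-age") or 0)
        if max_age < ONE_YEAR:
            findings.append(f"weak: hsts max-age={max_age} (< 1 year)")
        if "includesubdomains" not in directives:
            findings.append("weak: hsts lacks includeSubDomains")
    # X-Content-Type-Options has exactly one meaningful value.
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append(f"weak: x-content-type-options={xcto!r}")
    # X-Frame-Options: only DENY or SAMEORIGIN reliably mitigate clickjacking.
    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak: x-frame-options={xfo!r}")
    # CSP: 'unsafe-inline' in script-src removes most of the XSS protection.
    csp = h.get("content-security-policy", "")
    if any(d.split()[:1] == ["script-src"] and "'unsafe-inline'" in d.split()
           for d in csp.split(";")):
        findings.append("weak: csp allows 'unsafe-inline' scripts")
    return findings


# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOW-FROM https://example.invalid",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    print("\n".join(audit_headers(SAMPLE_HEADERS)))
```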

HSTS preloading

This prevents common man-in-the-middle attacks by enforcing an HTTPS connection that cannot be downgraded. HSTS preloading is enabled by sending the relevant information to Google, which will hardcode the domain into the browser, making it impossible to use conventional HTTP. The server should only use this if no project will be running on HTTP (this can be bypassed with reverse HTTP proxies).

Perfect forward secrecy (PFS)

Perfect forward secrecy is a cryptographic method that ensures the security of data transactions between a client and a server, guaranteeing that session keys are not compromised, and past communications revealed, even if the private key to a particular exchange is compromised by an attacker. This is achieved by generating new (ephemeral) session keys for every transaction.

Security hardening and cipher strengthening

Most web servers are configured by default to allow a quick and easy deployment but offer only basic security. We focus on using best practices for apache2, nginx and IIS to enhance and harden the security of the web server.

We also configure web servers so that they negotiate only secure cipher suites with the client and normally prevent the client from deciding the selected cipher.



Reverse HTTP Proxy

A middleman between the web server and the client is often called a reverse HTTP proxy. A reverse proxy offers great flexibility, makes scaling easy and provides many security features. In practice, it allows one "point of entry" for multiple web services you host, hides the web server from the Internet (the client only communicates with the reverse proxy), helps with (D)DoS attacks and offloads resources from the web server to the reverse proxy.

For new setups we always recommend running a reverse proxy, as the benefits outweigh any cost. We also support redundancy / failover solutions to balance load across multiple reverse proxies, do A/B testing for web applications and lower the risk of your website going offline.



Test our webserver

Available security reports for our infrastructure can be found here:

Contact us

If you are interested in working with us, send us an email to:

contact@webtrend.ch

We love to hear about your project.