# From F to B

#### in Mozilla’s Observatory Security Report

The **Trinity Technology Services** system administrators implement changes to Varnish to dramatically improve our Drupal website’s security.

* Kyle Skrinak
* David Palmer
* Blaine Ott

https://people.duke.edu/~kds38/presentations/2019-Feb-SLG.html

# The Problem

* ITSO sends TTS a NetSparker report
* We break out the Drupal Security Kit module
* We create a test configuration and ask for another scan
* NetSparker is now busy, so ITSO recommends Observatory

## Mozilla Observatory

* https://observatory.mozilla.com

## Original website results

## Eureka!

Why have MySQL + PHP do something Apache can do? Why have Apache do something that Varnish can do?

The headers Observatory grades on are static strings. Generating them in Drupal costs a PHP request (and database work) per response, and Apache only sees the requests that miss the cache. Varnish sits in front of both and touches every response it delivers, cache hit or miss, so adding the headers there covers the whole site at the cost of a few string assignments.

## Our First Attempt

The headers are set in `vcl_deliver`, the only place (besides `vcl_synth`) where `resp.http` is writable:

```
# TTS Apache Hardening
sub vcl_deliver {
    # Added to every response Varnish delivers, cached or not
    set resp.http.X-XSS-Protection = "1; mode=block";
    # One year, and (see the next slide) every subdomain of this host as well
    set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains";
    set resp.http.X-Content-Type-Options = "nosniff";
}
```

Note: browsers have since removed the XSS filter that `X-XSS-Protection` controlled, so that header is now harmless but inert; the other two still matter.

# Oops

We inadvertently blocked fourth-level domains.

`includeSubDomains` tells every browser that has seen the header to require HTTPS not only for the host that sent it (a third-level name such as host.duke.edu) but for every name beneath it (dev.host.duke.edu, and so on). Any of those hosts that is still served only over plain HTTP becomes unreachable from that browser, and because of `max-age=31536000` the browser remembers the policy for a year. The fix is to drop the directive; a browser updates its stored policy the next time it revisits the sending host over HTTPS, so clients that do not come back keep enforcing the old one until the year expires.

### Info pages for HSTS configuration options

* A link to Mozilla’s [HTTP Strict Transport Security](https://infosec.mozilla.org/guidelines/web_security#http-strict-transport-security "link to HSTS page") information page.
* A link to Red Hat’s [HSTS configuration](https://access.redhat.com/solutions/1220063 "Redhat page on HSTS config") page.

### Questions?
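To make the "Oops" slide concrete, here is an added example (not part of the original deck or of TTS's Varnish configuration): a small Python model of how a browser stores and applies `Strict-Transport-Security` per RFC 6797. It parses the header value from the first attempt, records it as if served by a constructed third-level host `site.duke.edu`, and reports which hosts the browser will then refuse to reach over plain HTTP, before and after `includeSubDomains` is dropped. The hostnames are assumptions made for the illustration.

```python
"""Added example, not from the original slides: a minimal model of a browser's
HSTS store (RFC 6797), showing why includeSubDomains on a third-level host
forces HTTPS on every fourth-level host beneath it.  Hostnames are constructed."""

from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Header value from the slides' first attempt, and the same policy with the
# includeSubDomains directive removed.
FIRST_ATTEMPT = "max-age=31536000; includeSubDomains"
CORRECTED = "max-age=31536000"


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value.  Returns None when the header is unusable
    (missing or non-numeric max-age); browsers ignore such headers."""
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')         # max-age may be a quoted-string
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives (e.g. preload) are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)


class HstsStore:
    """A browser's list of Known HSTS Hosts (RFC 6797 section 8)."""

    def __init__(self) -> None:
        self.hosts: dict[str, HstsPolicy] = {}

    def observe(self, host: str, header_value: str) -> None:
        """Record the STS header received over HTTPS from `host`.  A later
        header from the same host replaces the stored policy outright, and
        max-age=0 deletes it."""
        policy = parse_hsts(header_value)
        if policy is None:
            return
        host = host.lower()
        if policy.max_age == 0:
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = policy

    def must_use_https(self, host: str) -> bool:
        """True if the browser refuses plain HTTP to `host`: an exact match, or
        a superdomain match against an entry that carries includeSubDomains."""
        host = host.lower()
        if host in self.hosts:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = self.hosts.get(".".join(labels[i:]))
            if parent is not None and parent.include_subdomains:
                return True
        return False


def simulate(header_value: str) -> dict[str, bool]:
    """Serve `header_value` from the constructed host site.duke.edu and report
    which hosts the browser will then only reach over HTTPS."""
    store = HstsStore()
    store.observe("site.duke.edu", header_value)
    return {h: store.must_use_https(h) for h in (
        "site.duke.edu",       # the host that sent the header
        "dev.site.duke.edu",   # fourth-level host, HTTP-only in this scenario
        "other.duke.edu",      # sibling host: never affected
        "duke.edu",            # parent domain: never affected
    )}


def simulate_fix() -> dict[str, bool]:
    """The browser saw the first attempt, then revisits site.duke.edu and gets
    the corrected header: the replacement drops the subdomain requirement."""
    store = HstsStore()
    store.observe("site.duke.edu", FIRST_ATTEMPT)
    store.observe("site.duke.edu", CORRECTED)
    return {h: store.must_use_https(h) for h in ("site.duke.edu", "dev.site.duke.edu")}


if __name__ == "__main__":
    print("first attempt:", simulate(FIRST_ATTEMPT))
    print("corrected:    ", simulate(CORRECTED))
    print("after revisit:", simulate_fix())
```

The superdomain loop in `must_use_https` is the whole story of the "Oops" slide: the browser never asks the fourth-level host anything, it simply finds `site.duke.edu` in its store with `includeSubDomains` set and rewrites the request to HTTPS. Dropping the directive only helps clients that come back to the parent host and receive the replacement policy; a browser that does not revisit keeps enforcing the old entry until its `max-age` runs out.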