Saturday, April 26, 2025

security scanner - draft

1. Greenbone: https://greenbone.github.io/docs/latest/22.4/container/index.html

2. Nessus Essentials: https://medium.com/@harrmahar/installing-tenable-nessus-essentials-free-in-30-minutes-using-docker-aa668a1620a0

Testing against a vulnerable app (DVWA): https://www.vulnhub.com/entry/damn-vulnerable-web-application-dvwa-107,43/


DevSecOps guidelines: https://owasp.org/www-project-devsecops-guideline/latest/



git config

Settings in git live at three scopes:

system config - not very often in use. Useful when some binary that git depends on is missing.

global config - for most of your preferences.

local config - for one-off, special-case changes in a single repository.


Reading: git config --global user.name

Setting: git config --global user.name "User Name"


Global settings are written to ~/.gitconfig.


List all configs: git config --list

verbose: git config --list --show-origin

more verbose: git config --list --show-origin --show-scope


Unset: git config --local --unset user.name 
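To make the scope precedence concrete, here is an added example (not from these notes, and not git's own code): a minimal parser for git's INI-style config files plus a resolver that reports the effective value, its scope and its origin file, in the spirit of `git config --list --show-origin --show-scope`. The three config texts and their paths are constructed samples.

```python
"""Resolve a git setting across the system/global/local scopes.

Added example, not from the notes. Precedence is system < global < local:
the same key set at a higher scope overrides the lower one.
"""
import re

# Constructed sample config files, listed from lowest to highest precedence.
SAMPLE_CONFIGS = [
    ("system", "/etc/gitconfig", """
[core]
    autocrlf = false
"""),
    ("global", "~/.gitconfig", """
[user]
    name = User Name
    email = user@example.com
[core]
    autocrlf = input
"""),
    ("local", ".git/config", """
[user]
    email = work@example.com
"""),
]

# [section] or [section "subsection"], e.g. [remote "origin"]
SECTION_RE = re.compile(r'^\[([^\]\s]+)(?:\s+"([^"]*)")?\]$')
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$")


def parse_config(text):
    """Parse git config text into {'section.key': value}; last write wins."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            if m.group(2) is not None:   # [remote "origin"] -> remote.origin
                section += "." + m.group(2)
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            settings[f"{section}.{m.group(1).lower()}"] = m.group(2).strip()
    return settings


def resolve(configs=SAMPLE_CONFIGS):
    """Return {key: (value, scope, origin)}; later scopes override earlier ones."""
    effective = {}
    for scope, origin, text in configs:
        for key, value in parse_config(text).items():
            effective[key] = (value, scope, origin)
    return effective


def show(configs=SAMPLE_CONFIGS):
    """Print one line per effective setting with its scope and origin file."""
    for key, (value, scope, origin) in sorted(resolve(configs).items()):
        print(f"{scope:<8}{origin:<16}{key}={value}")


if __name__ == "__main__":
    show()
```

Running it shows `user.email` coming from `.git/config` (local) while `user.name` and `core.autocrlf` come from `~/.gitconfig` (global), which is exactly the question `--show-origin --show-scope` answers when a setting is not what you expected.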


.gitattributes

*.js text

*.ps1 eol=crlf

*.sh eol=lf


Filters in git allow you to securely store secret data in git when pushing and restore it when the data is pulled.
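The mechanism behind that sentence is git's clean/smudge filter pair, attached to paths via a `filter=` attribute in .gitattributes. The following is an added example, not from these notes and not any tool's own code: the clean filter rewrites a KEY=VALUE file on its way into the repository, replacing the real secret with a placeholder, and the smudge filter restores the value from the local environment on checkout. The filter name `redact`, the placeholder format, the secret key names, the file path and the sample file content are all assumptions.

```python
"""Clean/smudge filter pair that keeps a secret out of committed content.

Added example, not from the notes. Assumed wiring (run in the repository):
    git config --local filter.redact.clean  "python3 redact.py clean"
    git config --local filter.redact.smudge "python3 redact.py smudge"
and in .gitattributes:
    config/*.env filter=redact
"""
import os
import re
import sys

# Placeholder that is committed in place of a secret (assumed format).
PLACEHOLDER_RE = re.compile(r"@@SECRET:([A-Za-z0-9_]+)@@")
# Keys whose values must never reach the repository (assumed names).
SECRET_KEYS = ("API_KEY", "DB_PASSWORD")

# Constructed sample of a file the filter would be attached to.
SAMPLE = "APP_NAME=demo\nAPI_KEY=sk_live_constructed_value\nDB_PASSWORD = hunter2\n"


def placeholder(name):
    return f"@@SECRET:{name}@@"


def clean(text, secret_keys=SECRET_KEYS):
    """Replace the values of secret keys with placeholders (runs on add/commit).

    Already-cleaned lines are rewritten to the same placeholder, so running
    the filter twice gives the same result (git requires that)."""
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        key, sep, _value = body.partition("=")
        if sep and key.strip() in secret_keys:
            line = f"{key.strip()}={placeholder(key.strip())}{eol}"
        out.append(line)
    return "".join(out)


def smudge(text, env=None):
    """Restore placeholders from the environment (runs on checkout/pull).

    A placeholder whose secret is not available locally is left in place, so
    a missing secret fails visibly instead of silently becoming empty."""
    env = os.environ if env is None else env
    return PLACEHOLDER_RE.sub(lambda m: env.get(m.group(1), m.group(0)), text)


def main():
    mode = sys.argv[1] if len(sys.argv) > 1 else "clean"
    data = sys.stdin.read()
    sys.stdout.write(clean(data) if mode == "clean" else smudge(data))


if __name__ == "__main__":
    main()
```

Two properties matter here: the clean step is idempotent, and a clone that has not configured the filter simply sees the placeholders, never the secret. Filter configuration lives in `.git/config` and is not pushed with the repository, so every clone that needs the real values has to set it up locally.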






Wednesday, April 23, 2025

security headers

HTTP Strict Transport Security (HSTS) - web browsers are instructed to connect to a website exclusively over HTTPS - prevents man-in-the-middle attacks.


Syntax of HSTS:

To implement HSTS, the header is added to the website's HTTP response, specifying the max-age and, if applicable, the includeSubDomains and preload directives. The syntax follows this structure:

Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload

max-age: Defines how long (in seconds) the browser should cache the HSTS policy.

includeSubDomains: Optional directive that extends HSTS protection to all subdomains of the main domain.

preload: Optional directive that allows websites to be included in the HSTS preload list maintained by browsers for added security.


Example terraform code:

rewrite_rule {
  name          = local.rewrite_rule_name_hsts
  rule_sequence = 20

  response_header_configuration {
    header_name  = "Strict-Transport-Security"
    header_value = "max-age=2592000; includeSubDomains"
  }
}
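A small check for header values like the one in the terraform example, added here as an example (not from these notes and not from any library): it parses the directive syntax above and reports what a reviewer looks for, namely whether max-age is present and numeric, how long the policy lasts, and whether the value meets the preload-list submission requirements (max-age of at least one year, includeSubDomains and preload all present). The sample values other than the terraform one are constructed.

```python
"""Parse and assess a Strict-Transport-Security header value.

Added example, not from the notes. Directive names are case-insensitive.
"""

ONE_YEAR = 31536000  # seconds; minimum max-age the preload list accepts


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload, problems).

    max_age is None when the directive is missing or malformed."""
    max_age = None
    saw_max_age = include_sub = preload = False
    problems = []
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            saw_max_age = True
            arg = arg.strip().strip('"')
            if arg.isdigit():
                max_age = int(arg)
            else:
                problems.append(f"max-age is not a number: {arg!r}")
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        else:
            problems.append(f"unknown directive: {name!r}")
    if not saw_max_age:
        problems.append("max-age missing: browsers ignore the header")
    elif max_age == 0:
        problems.append("max-age=0 tells browsers to drop the policy")
    return max_age, include_sub, preload, problems


def assess(value):
    """Summarise a header value as a dict a report or a test can consume."""
    max_age, sub, preload, problems = parse_hsts(value)
    preload_ready = max_age is not None and max_age >= ONE_YEAR and sub and preload
    if preload and not preload_ready:
        problems.append("preload set but requirements not met "
                        "(max-age >= 31536000, includeSubDomains, preload)")
    return {
        "max_age_days": None if max_age is None else max_age // 86400,
        "include_subdomains": sub,
        "preload": preload,
        "preload_ready": preload_ready,
        "problems": problems,
    }


if __name__ == "__main__":
    # The value from the terraform example above, and a preload-ready one (constructed).
    for v in ("max-age=2592000; includeSubDomains",
              "max-age=31536000; includeSubDomains; preload"):
        print(v, "->", assess(v))
```

The terraform value is valid and caches the policy for 30 days, but it is not preload-ready; the second sample is. Note the difference between a missing max-age (the header is ignored) and max-age=0 (the browser actively forgets the policy, which is how HSTS is rolled back).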


Content Security Policy (CSP) - the Content-Security-Policy header is by far the most powerful security header, offering unmatched protection against several security threats.


Protects from cross-site scripting (XSS).


Syntax

Here is an example of the syntax for setting up the most basic and minimal CSP header:

Content-Security-Policy: default-src 'self';

This example sets a basic content security policy that allows only resources from the same origin ('self') to be loaded by default. In practice, policies are rarely this minimal; they usually allow multiple sources.

Additional directives can be included to define specific settings for different resource types, such as scripts, stylesheets, images, fonts, and media. Here is an example with multiple directives:

Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com; style-src 'self' https://cdn.example.com;

In this example:

  • default-src 'self'; sets the default policy to allow resources from the same origin.
  • script-src 'self' https://example.com; allows scripts to be loaded from the same origin and from the 'https://example.com' domain.
  • style-src 'self' https://cdn.example.com; permits stylesheets from the same origin and from the 'https://cdn.example.com' domain.

Start with:
* script-src - defines where scripts can be loaded from
* form-action - defines where forms can send data
* connect-src - defines where JavaScript can connect to and send data


Security headers do not conflict with each other.
There is no significant performance hit.
You need to update the CSP (Content Security Policy) whenever new scripts are added.
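An added example (not from these notes and not a browser's or library's code) that parses the directive syntax above and shows what a policy actually allows. It applies the fallback rule that is easy to get wrong: fetch directives such as script-src, style-src, img-src and connect-src fall back to default-src when absent, but form-action, frame-ancestors and base-uri do not, so leaving form-action out of a policy means forms may post anywhere, not 'self'. It also flags weak sources. The policy strings used in the self-check are the ones from the text plus constructed variants.

```python
"""Parse a Content-Security-Policy value and report its effective sources.

Added example, not from the notes. A directive that appears twice is
ignored the second time, as browsers do.
"""

# Fetch directives that inherit from default-src when they are not set.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "font-src",
                    "media-src", "connect-src", "frame-src", "object-src")
# Directives that do NOT inherit from default-src: omitting them means
# no restriction at all.
NON_FALLBACK = ("form-action", "frame-ancestors", "base-uri")
WEAK_SOURCES = ("*", "'unsafe-inline'", "'unsafe-eval'", "http:", "https:", "data:")


def parse_csp(value):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Sources that apply to `directive` after fallback; None means unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def review(value):
    """Return (effective sources per directive, list of findings)."""
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: every fetch directive not listed is unrestricted")
    for d in NON_FALLBACK:
        if d not in policy:
            findings.append(f"{d} not set: it does not fall back to default-src")
    for d in ("script-src", "style-src", "connect-src", "form-action"):
        for src in effective_sources(policy, d) or []:
            if src.lower() in WEAK_SOURCES:
                findings.append(f"{d} allows {src}")
    effective = {d: effective_sources(policy, d) for d in FETCH_DIRECTIVES + NON_FALLBACK}
    return effective, findings


if __name__ == "__main__":
    # The multi-directive example from the text.
    sample = ("default-src 'self'; script-src 'self' https://example.com; "
              "style-src 'self' https://cdn.example.com;")
    effective, findings = review(sample)
    for directive, sources in effective.items():
        print(f"{directive:<16}{sources if sources is not None else 'UNRESTRICTED'}")
    print("\n".join(findings))
```

Run on the example policy from the text, img-src and connect-src resolve to 'self' through default-src, while form-action, frame-ancestors and base-uri come out unrestricted, which is the reason the "start with" list above includes form-action explicitly.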

Permissions-Policy header - this is least privilege in the web browser: we allow only the device permissions the app needs.

example:

Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()


Referrer-Policy (RP) - a privacy-focused header that ensures you do not send the page your user was on to the next site they visit.

Example (see https://scotthelme.co.uk/a-new-security-header-referrer-policy/):

response_header_configuration {
  header_name  = "Referrer-Policy"
  header_value = "strict-origin-when-cross-origin"
}

X-Frame-Options (for backwards compatibility only, assuming you must support older browsers) - blocks framing of your site.

example:

response_header_configuration {
  header_name  = "X-Frame-Options"
  header_value = "SAMEORIGIN"
}
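To tie the last three headers together, here is an added example (not from these notes and not from any scanner) that audits a captured set of response headers: Permissions-Policy must deny each feature from the list above with an empty allowlist `()`, Referrer-Policy must be one of the values that never sends the page's path to another origin, and X-Frame-Options must be DENY or SAMEORIGIN (ALLOW-FROM is obsolete and ignored by current browsers). Both header sets below are constructed samples.

```python
"""Audit Permissions-Policy, Referrer-Policy and X-Frame-Options.

Added example, not from the notes. Header names are matched
case-insensitively, as HTTP requires.
"""

# Features from the notes' Permissions-Policy example; each must be '()'.
DENY_FEATURES = ("accelerometer", "camera", "geolocation", "gyroscope",
                 "magnetometer", "microphone", "payment", "usb", "interest-cohort")
# Referrer-Policy values that keep path and query off other origins and send
# nothing on an HTTPS-to-HTTP downgrade.
SAFE_REFERRER = ("no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin")

# Constructed sample responses: one that follows the notes, one that does not.
SAMPLE_HEADERS = {
    "Permissions-Policy": ("accelerometer=(), camera=(), geolocation=(), gyroscope=(), "
                           "magnetometer=(), microphone=(), payment=(), usb=(), "
                           "interest-cohort=()"),
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Frame-Options": "SAMEORIGIN",
}
WEAK_HEADERS = {
    "permissions-policy": "camera=(self), microphone=()",
    "referrer-policy": "unsafe-url",
    "x-frame-options": "ALLOW-FROM https://partner.example",
}


def parse_permissions_policy(value):
    """Return {feature: allowlist}, e.g. {'camera': '()'}."""
    policy = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        feature, _, allowlist = item.partition("=")
        policy[feature.strip().lower()] = allowlist.strip()
    return policy


def audit(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    pp = h.get("permissions-policy")
    if pp is None:
        findings.append("Permissions-Policy missing")
    else:
        policy = parse_permissions_policy(pp)
        for feature in DENY_FEATURES:
            if policy.get(feature) != "()":
                findings.append(f"Permissions-Policy does not deny {feature}")

    rp = h.get("referrer-policy", "").strip().lower()
    if not rp:
        findings.append("Referrer-Policy missing")
    elif rp not in SAFE_REFERRER:
        findings.append(f"Referrer-Policy {rp!r} is not one of {SAFE_REFERRER}")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options is {xfo or 'missing'}; expected DENY or SAMEORIGIN")
    return findings


if __name__ == "__main__":
    for label, headers in (("sample", SAMPLE_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, "->", audit(headers) or "all checks passed")
```

The weak sample shows the typical failure modes: a feature granted to self when the app does not need it, features simply left off the list (which leaves them at the browser default rather than denied), a Referrer-Policy that leaks the full URL, and a framing restriction that modern browsers do not honour.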