You want to protect your website against Cross Site Scripting or Phishing? Then follow these instructions and check if your website works.
1. In the hosting administration, activate HSTS and OCSP in the SSL settings.
2. Now create a .htaccess file in your main domain directory and add the following code:
    #FireStorm Security Headers
    <IfModule mod_headers.c>
        Header set X-Content-Type-Options nosniff
        Header set X-Frame-Options "SAMEORIGIN"
        Header set Referrer-Policy "no-referrer"
        Header set Permissions-Policy "fullscreen=(), geolocation=()"
        Header set X-XSS-Protection "1; mode=block"
    </IfModule>
If you want to block everything external except musterdomain.ch and externedomain.tld:
    #FireStorm Security Headers
    <IfModule mod_headers.c>
        Header set X-Content-Type-Options nosniff
        Header set X-Frame-Options "SAMEORIGIN"
        Header set Referrer-Policy "no-referrer"
        Header set Permissions-Policy "fullscreen=(), geolocation=()"
        Header set X-XSS-Protection "1; mode=block"
        Header set Content-Security-Policy "default-src 'self' *.musterdomain.ch *.externedomain.tld"
    </IfModule>
3. Now log into Plesk. Open the Domain => Hosting Settings => Apache & NGINX Settings and add the following value under Additional Apache statements for HTTP and HTTPS:
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
4. If you check your website at the following link, you should get the highest award: https://securityheaders.com/.
5. Now check that everything on your website still works properly.
We recommend a static SSL certificate for DANE, which must be purchased on our website. The process must be repeated each time the certificate is changed!
1. Open your website. Click on the key at the top of the address bar and then on certificate information. Click on “Details => Copy to file…”. Now save the file as Base-64 encoded X.509 (.cer).
2. Now open the website https://www.huque.com/bin/gen_tlsa and fill in the form as follows:
3. Now open the DNS administration of your domain and transfer the previously generated data as in the example. Create a new entry for this purpose:
Add another entry for each host registered as an MX server. For example, _25._tcp.mail.musterdomain.ch if your MX mail server is mail.musterdomain.ch. Please make sure that the mail server also presents the same certificate.
4. Create a CAA record to restrict the certificate issuers.
Only allow certificate issuers that you have explicitly allowed. To do this, open the DNS Manager and add the following rule:
Example to allow Let’s Encrypt:
Example to allow Sectigo:
1. Create the following file in the FileManager with the following content (replace musterdomain.ch with your own domain):
    version: STSv1
    mode: testing
    mx: mail.musterdomain.ch
    max_age: 86400
2. Now create a new DNS entry with the following value:
RDATA: v=STSv1; id=jhghsdfkjh2hjrf7u;
Replace jhghsdfkjh2hjrf7u with your own unique key. As soon as the certificate changes, you have to change the ID!
3. Now check your website at hardenize.com. The output may look like this, for example:
If the SSL certificate for *.musterdomain.ch is changed, the TLSA entries must be adjusted and it must be ensured that all registered MX mail servers have the new SSL certificate installed. Finally, a new ID must be set in the file https://mta-sts.musterdomain.ch/.well-known/mta-sts.txt.
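
A local pre-check for the mta-sts.txt file and the TXT record from the MTA-STS steps above, written in Python as an added example (not code from this page or from the hosting provider). It rejects a policy file whose keys have run together on one line. The field rules (allowed modes, max_age limit, alphanumeric id, one-label wildcard for mx) follow RFC 8461; the function names are hypothetical.

```python
import re

MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds
PAGE_TXT = "v=STSv1; id=jhghsdfkjh2hjrf7u;"  # RDATA value shown on the page
PAGE_POLICY = "version: STSv1\nmode: testing\nmx: mail.musterdomain.ch\nmax_age: 86400\n"

def parse_txt_record(rdata):
    """Validate the MTA-STS TXT RDATA and return its id."""
    parts = [p.strip() for p in rdata.split(";") if "=" in p]
    fields = dict(p.split("=", 1) for p in parts)
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must carry v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields["id"]

def parse_policy(text):
    """Parse mta-sts.txt: one 'key: value' pair per line, mx may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or " " in value:
            raise ValueError(f"malformed line (one key per line): {line!r}")
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not re.fullmatch(r"[0-9]{1,10}", policy.get("max_age", "")) \
            or int(policy["max_age"]) > MAX_AGE_LIMIT:
        raise ValueError("max_age must be an integer up to 31557600")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx entry is required")
    return policy

def mx_allowed(policy, mx_host):
    """True if a DNS MX host matches a policy mx entry ('*.' covers one label)."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern == host:
            return True
        if pattern.startswith("*.") and host.split(".", 1)[1:] == [pattern[2:]]:
            return True
    return False
```

Run `mx_allowed` against every MX host published for the domain before switching the policy mode from testing to enforce.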