After migrating my site to another cloud, I ran a few tests (again) and the results… are bad!

A few highlights of what I have found, including domain, server and software vulnerabilities.

https://pentest-tools.com/website-vulnerability-scanning/website-scanner#

Overall risk level: High

| CVSS | CVE | Summary | Exploit | Affected software |
| --- | --- | --- | --- | --- |
| 7.5 | CVE-2020-11984 | Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE | N/A | http_server 2.4.38 |
| 7.5 | CVE-2021-26691 | In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow | N/A | http_server 2.4.38 |
| 7.2 | CVE-2019-0211 | In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected. | N/A | http_server 2.4.38 |
| 6.8 | CVE-2020-35452 | Apache HTTP Server versions 2.4.0 to 2.4.46: a specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor could the Apache HTTP Server team create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow. | N/A | http_server 2.4.38 |
| 6.4 | CVE-2019-10082 | In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown. | N/A | http_server 2.4.38 |

Fix: update the Apache HTTP Server to a newer version that is outside the affected ranges listed above.

Directory listing is enabled

Fix: add the following lines to the Apache config. In this case the file is “/etc/apache2/sites-available/default-ssl.conf”.

<Directory /{YOUR DIRECTORY}>
    # "Indexes" is deliberately absent from the option list, so Apache
    # no longer generates a directory listing when index.html is missing.
    Options FollowSymLinks
</Directory>

Hide server information

Show the minimum details about the server and the technologies used in the website, so a scanner cannot read the exact version from the Server header.

Apache server settings: set ServerTokens to Prod, so the Server HTTP header only says "Apache" without version or OS details.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server

Security headers: X-Frame-Options

“Missing security header for ClickJacking Protection. Alternatively, you can use Content-Security-Policy: frame-ancestors ‘none’.”

These headers must be sent on every page, not just the home page, so that no page of the site can be embedded in a frame by another origin.

The domain lacks a DMARC policy.

A DMARC policy makes it harder for others to send fake emails in the domain's name.

Fix: use a DMARC generator

or Google Workspace
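To verify the header fixes (hidden server version, clickjacking protection) and the DMARC record the same way the scanner does, here is an added checker that is not part of the original post or of the pentest-tools scanner; the sample headers and DMARC record are constructed, and the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample response headers: before and after the fixes above.
WEAK_HEADERS = {
    "Server": "Apache/2.4.38 (Debian)",
    "Content-Type": "text/html",
}
HARDENED_HEADERS = {
    "Server": "Apache",  # result of ServerTokens Prod
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return scanner-style findings for the response headers of one page."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # A version string in Server tells anyone exactly which CVEs apply.
    if re.search(r"/\d", h.get("server", "")):
        findings.append("Server header leaks version")
    # Either CSP frame-ancestors or X-Frame-Options blocks framing.
    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("Missing clickjacking protection")
    return findings

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into its tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt: Optional[str]) -> List[str]:
    """Findings for the _dmarc TXT record; None means no record published."""
    if not txt:
        return ["Domain lacks a DMARC policy"]
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["Invalid DMARC record"]
    # p=none only reports; quarantine or reject actually stops fake senders.
    if tags.get("p", "none") == "none":
        return ["DMARC policy is p=none (monitor only)"]
    return []
```

Feed `audit_headers` the headers of a real response (for example from `requests.head(url).headers`) and `audit_dmarc` the TXT record of `_dmarc.<your domain>` to reproduce the two findings.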