Operational Web Security Plan
Implementation Guidance for Teams
Scan Date: January 13, 2026 | Tool: Nikto 2.1.5
Team Summary
The Nikto scan identified 3 web server configuration issues. This document contains step-by-step remediation instructions with configuration examples and checklists.
Responsibility Matrix:
| Issue | Responsible Team | Timeline | Priority |
|---|---|---|---|
| X-Frame-Options Header | DevOps / Sys Admin | Day 1-2 | HIGH |
| SSL Certificate | DevOps / Infrastructure | Day 3-5 | HIGH |
| Additional Headers | DevOps / Security | Day 5-7 | MEDIUM |
Phase 1: Emergency Fixes (Days 1-7)
⚠️ CRITICAL: All Phase 1 tasks must be completed within 7 days. Delayed implementation increases operational risk.
Task 1: Configure X-Frame-Options Header
Priority: HIGH | Timeline: Day 1-2 | Owner: DevOps Lead
Description:
Add the X-Frame-Options header to the web server configuration to protect against clickjacking attacks.
Nginx/LiteSpeed Solution:
```nginx
server {
    # Add to server configuration
    add_header X-Frame-Options "DENY" always;
    # Alternative SAMEORIGIN option
    # add_header X-Frame-Options "SAMEORIGIN" always;
    # Note: a location block that sets its own add_header does not inherit
    # these server-level headers; check every location that adds headers.
}
```
Staging Verification:
- Deploy configuration to staging server
- Verify header:
  `curl -I https://staging.example.com`
- Confirm `X-Frame-Options: DENY` is returned
- Test all endpoints
Production Deployment:
- Backup current config:
  `cp nginx.conf nginx.conf.backup`
- Update production configuration
- Reload server (zero downtime):
  `systemctl reload nginx`
- Verify production:
  `curl -I https://example.com`
- Document change in changelog
Rollback (if needed):
```bash
cp nginx.conf.backup nginx.conf
systemctl reload nginx
```
Task 2: Fix SSL Certificate
Priority: HIGH | Timeline: Day 3-5 | Owner: Infrastructure Lead
Description:
The current SSL certificate does not match the domain name. Obtain and install the correct certificate for example.com.
Cloudflare Process:
- Navigate to Cloudflare Dashboard → SSL/TLS
- Click "Generate certificate" for example.com
- Select "Comodo/Universal" certificate type
- Wait for validation (~5 minutes)
- Copy certificate and key to server
- Update Nginx configuration
Nginx Configuration Update:
```nginx
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    # Update certificate paths
    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    # Recommended SSL parameters
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
```
Verification:
- Check certificate (SNI set so the edge serves the certificate for example.com):
  `openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -dates`
- Verify CN = example.com (not cdnjs.cloudflare.com)
- Check expiration date (the notAfter line of the output above)
- Open in browser and verify no warnings
- Check SSL Report: https://www.ssllabs.com/
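As an added example, not code from the original plan, the following Python script performs the name and expiry checks from this list programmatically. The 30-day warning threshold is assumed from the renewal rule under Regular Maintenance; the connection helper sets SNI so the edge serves the certificate for example.com rather than a default one.

```python
"""Task 2 checks: served certificate name matches the host, expiry not near.
Added example, not part of the original plan; standard library only. The
30-day warning threshold is assumed from the plan's renewal rule.
"""
import socket
import ssl
import time


def cert_names(cert):
    """DNS names from a getpeercert() dict: subjectAltName entries, then the CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names

def name_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label (*.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False

def evaluate_cert(cert, hostname, now=None, warn_days=30):
    """Return findings for the checklist above; [] means name and dates are fine."""
    now = time.time() if now is None else now
    findings = []
    names = cert_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        findings.append(f"name mismatch: served for {names}, expected {hostname}")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left < warn_days:
        findings.append(f"renew: expires in {days_left:.0f} days")
    return findings

def check_host(hostname, port=443):
    """Fetch the certificate with SNI set, then evaluate it."""
    ctx = ssl.create_default_context()
    # CA chain is still verified; the hostname check moves to evaluate_cert so
    # that a mismatch (e.g. a CDN default certificate) is reported, not raised.
    ctx.check_hostname = False
    with socket.create_connection((hostname, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return evaluate_cert(tls.getpeercert(), hostname)
```

Run `check_host("example.com")` after the new certificate is installed; an empty list means the name matches and the certificate is more than 30 days from expiry.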
Task 3: Additional Security Headers
Priority: MEDIUM | Timeline: Day 5-7 | Owner: DevOps + Security
Complete Security Header Set:
```nginx
server {
    # Clickjacking protection
    add_header X-Frame-Options "DENY" always;
    # MIME type sniffing prevention
    add_header X-Content-Type-Options "nosniff" always;
    # XSS protection (legacy header; current browsers ignore it)
    add_header X-XSS-Protection "1; mode=block" always;
    # Referrer policy
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # Feature/Permissions policy
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
    # HSTS (includeSubDomains and preload apply to every subdomain; all must serve HTTPS)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}
```
Testing:
- Verify all headers:
  `curl -I https://example.com`
- Confirm all 6 headers present
- Check HSTS preload: https://hstspreload.org
- Full application functional testing
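As an added example, not code from the original plan, this Python script fetches the response headers of several endpoints and checks them against the six values configured above; the same check covers the Task 1 staging verification and the weekly header check under Regular Maintenance. The endpoint paths are assumptions.

```python
"""Check that responses carry the six headers deployed in Task 3.

Added example, not part of the original plan; standard library only.
"""
import http.client
import ssl

# Expected values mirror the Nginx block above (names compared case-insensitively).
EXPECTED_HEADERS = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "geolocation=(), microphone=(), camera=()",
    "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
}


def check_headers(headers):
    """Return findings for an iterable of (name, value) pairs; [] means all correct."""
    present = {name.lower(): value.strip() for name, value in headers}
    findings = []
    for name, expected in EXPECTED_HEADERS.items():
        if name not in present:
            findings.append(f"missing: {name}")
        elif present[name] != expected:
            findings.append(f"wrong value: {name}={present[name]!r}")
    return findings


def check_url(host, path="/"):
    """Send HEAD to one endpoint over TLS and check its headers."""
    conn = http.client.HTTPSConnection(host, context=ssl.create_default_context())
    try:
        conn.request("HEAD", path)
        return check_headers(conn.getresponse().getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    # Assumed endpoint list: check more than "/" because a location block with
    # its own add_header directives drops the server-level headers.
    for path in ("/", "/api/", "/static/app.js"):
        print(path, check_url("example.com", path) or "ok")
```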
Phase 2: Verification & Re-scan (Day 8)
Verification Process:
- Re-run Nikto:
  `nikto -h https://example.com -ssl -o rescan.html`
- Compare with original report
- Verify all 3 issues resolved
- Document results in CHANGELOG
- Brief management on completion
Documentation:
```markdown
## 2024-01-14 - Nikto Security Fixes
### Actions Completed:
- [x] X-Frame-Options header added: DENY
- [x] SSL certificate installed for example.com
- [x] Additional security headers deployed
- [x] Nikto re-scan completed
### Status:
✓ All issues resolved
✓ Certificate valid until 2027-01-14
✓ All security headers active
```
Regular Maintenance
Weekly (Every Monday):
- Check Nginx error logs for SSL issues
- Verify all headers present
- Check certificate status
Monthly:
- Run Nikto scan
- Check for new CVEs
- Verify certificate expiration
- Update configuration documentation
Annually:
- Renew SSL certificate (30 days before expiry)
- Full web server security audit
- Update security policies
Contacts & Support
Key Contacts:
| Role | Responsible | Contact |
|---|---|---|
| DevOps Lead | [NAME] | [EMAIL] |
| Infrastructure Manager | [NAME] | [EMAIL] |
| Security Officer | [NAME] | [EMAIL] |
Resources:
- Nikto Documentation: https://github.com/sullo/nikto/wiki
- OWASP Security Headers: https://owasp.org/www-project-secure-headers/
- Cloudflare Documentation: https://developers.cloudflare.com/
- Mozilla SSL Configuration: https://ssl-config.mozilla.org/
Operational Plan from Nikto Security Scanning.
Date: January 13, 2026
Update as actions are completed.