Security Hardening Writeup

Red Team Reconnaissance & Blue Team Defense

Red Team: Passive Information Gathering

Passive Reconnaissance

Passive reconnaissance gathers information about a target's security posture without sending anything beyond the traffic an ordinary visitor would generate. Using a third-party scanner to analyze my organization's HTTP responses showed how the site uses (or fails to use) HTTP security headers to protect its visitors.

1.2 HTTP Header Analysis

HTTP Security Headers Analysis

Missing Security Headers: DaveHat is missing several defensive headers, including Strict-Transport-Security, Content-Security-Policy, and X-Frame-Options. A missing header is not a vulnerability by itself, but each one removes a browser-side mitigation (protocol downgrade, script injection, clickjacking) that would otherwise limit the damage of a real flaw, and together they indicate that the administrator has not yet applied basic hardening.

Key Finding: This passive exercise shows that header analysis reveals security-relevant information while looking like normal browser traffic, so it is unlikely to trigger intrusion detection. Organizations routinely leak details through response headers (server and framework versions, missing protections), TLS certificates (hostnames in the Subject Alternative Name list), and other publicly available sources.
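The check described above, written out as an added example (it is not the scanner or any code from the original writeup): it parses a raw HTTP response and reports missing or weak security headers the way a passive header audit would. The two responses are constructed to resemble the site before and after hardening; davehat.net is the host named on the page, and the header values, date and Server value are illustrative assumptions.

```python
"""Passive HTTP security header audit over a captured response (added example)."""
import re

# Constructed sample: roughly what a header-only probe (e.g. `curl -sI https://davehat.net/`)
# returns for an unhardened site. Values are assumed, not captured from the real site.
UNHARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: cloudflare\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample of the hardened state using the header values from this writeup.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'; img-src 'self' https://davehat.net; "
    "style-src 'self' 'unsafe-inline';\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "\r\n"
)

EXPECTED = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "Referrer-Policy",
    "Permissions-Policy",
]


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into a lower-cased dict.

    Repeated header names are joined with a comma so a duplicate CSP or HSTS
    header does not silently shadow the first one.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit(raw: str) -> list:
    """Return a list of findings (strings) for the response; an empty list means clean."""
    h = parse_headers(raw)
    findings = []
    for name in EXPECTED:
        if name.lower() not in h:
            findings.append(f"missing: {name}")

    hsts = h.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < 31536000:  # one year is the floor for a preload-quality policy
            findings.append(f"weak: HSTS max-age={age} (< 31536000)")

    csp = h.get("content-security-policy", "")
    directives = dict(
        (d.split()[0], d.split()[1:]) for d in csp.split(";") if d.strip()
    )
    script_src = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script_src:
        findings.append("weak: CSP permits inline scripts ('unsafe-inline' in script-src)")

    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak: X-Frame-Options value {xfo!r} is not DENY/SAMEORIGIN")

    # Information leakage a red team also collects passively.
    if "server" in h:
        findings.append(f"info: Server header discloses {h['server']!r}")
    return findings


if __name__ == "__main__":
    for label, raw in (("before", UNHARDENED_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in audit(raw) or ["no findings"]:
            print("  " + finding)
```

Running it against a live host only requires swapping the constructed string for the output of a HEAD request; the parsing and checks stay the same.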

Blue Team: Defense & Hardening

Security Headers Implementation

2.1 Strict-Transport-Security (HSTS)

Strict-Transport-Security tells the browser to reach this host only over HTTPS for the next max-age seconds, rewriting any http:// link or typed address before a request is sent. includeSubDomains extends that rule to every subdomain, and preload asks to be added to the list built into browsers so even the very first visit is protected. Below is what the header should look like for this site:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Implementation: The Strict-Transport-Security header was set through the Cloudflare dashboard, where my domain name is registered. One caveat before enabling preload: every subdomain must already serve valid HTTPS, because once the domain is on the preload list browsers will refuse plain HTTP to all of it and removal from the list takes a long time.
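To make the browser-side behaviour concrete, here is an added example (not code from the original writeup) that models the HSTS cache a browser keeps: after one HTTPS response carrying the header, plain-http navigations to that host, and with includeSubDomains to its subdomains, are rewritten to https:// until max-age expires. It also checks the directive-level requirements for preload. The host names other than davehat.net, the timestamps and the header value are constructed for the example.

```python
"""Model of how a browser honours Strict-Transport-Security (added example)."""
from urllib.parse import urlsplit, urlunsplit

# The header value this writeup sets on the site.
HSTS_HEADER = "max-age=31536000; includeSubDomains; preload"


def parse_hsts(value: str) -> dict:
    """Parse an HSTS value into {'max_age': int|None, 'include_subdomains': bool, 'preload': bool}."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for token in value.split(";"):
        name, _, arg = token.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def preload_eligible(policy: dict) -> bool:
    """Directive-level preload requirements (assumption: one year minimum max-age,
    includeSubDomains and preload all present; the list also checks live HTTPS)."""
    return (
        policy["max_age"] is not None
        and policy["max_age"] >= 31536000
        and policy["include_subdomains"]
        and policy["preload"]
    )


class HstsCache:
    """Per-host HSTS state: host -> (expiry_epoch, include_subdomains)."""

    def __init__(self):
        self.entries = {}

    def observe(self, host: str, header_value: str, now: int, over_https: bool = True):
        """Record a policy. Browsers ignore HSTS received over plain HTTP (RFC 6797 sec. 8.1)."""
        if not over_https:
            return
        policy = parse_hsts(header_value)
        if policy["max_age"] is None:
            return
        if policy["max_age"] == 0:  # max-age=0 deletes the entry
            self.entries.pop(host, None)
            return
        self.entries[host] = (now + policy["max_age"], policy["include_subdomains"])

    def is_known(self, host: str, now: int) -> bool:
        """True if host, or a parent domain recorded with includeSubDomains, has an unexpired entry."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url: str, now: int) -> str:
        """Upgrade http:// to https:// for known hosts before any request leaves the browser."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    cache = HstsCache()
    t0 = 1_700_000_000  # constructed epoch time
    print(cache.rewrite("http://davehat.net/login", t0))             # first visit: no policy yet
    cache.observe("davehat.net", HSTS_HEADER, t0)
    print(cache.rewrite("http://davehat.net/login", t0 + 60))        # upgraded to https
    print(cache.rewrite("http://blog.davehat.net/", t0 + 60))        # upgraded via includeSubDomains
    print(cache.rewrite("http://davehat.net/login", t0 + 31536001))  # expired: back to http
    print(preload_eligible(parse_hsts(HSTS_HEADER)))
```

The first print shows the gap HSTS alone cannot close: the very first plain-http visit is sent unprotected, which is exactly what the preload directive and the browser preload list exist to fix.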

2.2 Content-Security-Policy (CSP)

Including a Content-Security-Policy in the HTTP response headers lets the website administrator control which sources the browser is allowed to load scripts, styles, images and other resources from when rendering the site.

This reduces the impact of cross-site scripting, because an injected script only runs if its source is on the server-defined allow list; inline scripts are blocked unless the policy explicitly permits them. Without a CSP, any injection flaw on DaveHat.net has no second line of defense against client-side attacks and content manipulation.

Content-Security-Policy: default-src 'self'; img-src 'self' https://davehat.net; style-src 'self' 'unsafe-inline';
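The policy above, evaluated the way a browser evaluates it, as an added example (not code from the original writeup): it parses the directives and answers "would this load be allowed?" for a resource type and source, including the fallback to default-src when a directive such as script-src is absent. Host matching is a simplified subset of the CSP3 rules (ports and paths are not compared, a bare host must match the page's scheme, and nonces/hashes are not modelled). The third-party host names in the sample checks are constructed.

```python
"""Evaluate a Content-Security-Policy for a given load (added, simplified example)."""
from urllib.parse import urlsplit

POLICY = "default-src 'self'; img-src 'self' https://davehat.net; style-src 'self' 'unsafe-inline';"
PAGE_ORIGIN = "https://davehat.net"

# Fetch directives that fall back to default-src when they are not set.
FALLBACK = {
    "script-src": "default-src", "style-src": "default-src", "img-src": "default-src",
    "connect-src": "default-src", "font-src": "default-src", "frame-src": "default-src",
}


def parse_csp(policy: str) -> dict:
    """Split 'name src src; name src' into {name: [src, ...]} with lower-cased names."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def _source_matches(source: str, url: str, page_origin: str) -> bool:
    """Match one source expression against a URL (simplified CSP3 matching)."""
    u, p = urlsplit(url), urlsplit(page_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return (u.scheme, u.hostname) == (p.scheme, p.hostname)
    if source == "*":
        return u.scheme in ("http", "https")
    if source.endswith(":"):                      # scheme-source such as https:
        return u.scheme == source[:-1].lower()
    scheme, _, host = source.partition("://") if "://" in source else ("", "", source)
    host = host.split("/")[0].split(":")[0].lower()
    if scheme and u.scheme != scheme.lower():
        return False
    if not scheme and u.scheme != p.scheme:       # simplification: bare host follows page scheme
        return False
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return (u.hostname or "") == host


def allowed(policy: dict, directive: str, url: str = None, inline: bool = False,
            page_origin: str = PAGE_ORIGIN) -> bool:
    """Decide whether a load governed by `directive` is permitted.

    inline=True asks about an inline <script>/<style> block instead of a URL.
    A directive missing from the policy falls back to default-src; if that is
    missing too, CSP places no restriction on that resource type.
    """
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get(FALLBACK.get(directive, directive))
    if sources is None:
        return True
    if inline:
        return "'unsafe-inline'" in sources       # nonces and hashes not modelled here
    return any(_source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    csp = parse_csp(POLICY)
    checks = [
        ("script-src", "https://davehat.net/app.js", False),
        ("script-src", "https://cdn.example/jquery.js", False),   # constructed third-party host
        ("script-src", None, True),                                # injected inline <script>
        ("img-src", "https://davehat.net/logo.png", False),
        ("img-src", "http://davehat.net/logo.png", False),
        ("style-src", None, True),                                 # inline style
    ]
    for directive, url, inline in checks:
        verdict = allowed(csp, directive, url, inline)
        print(f"{directive:10} {url or '<inline>':40} {'ALLOW' if verdict else 'BLOCK'}")
```

Two things the run makes visible about this particular policy: script-src is not set, so scripts inherit default-src 'self' and an injected inline script is blocked, which is the XSS benefit; but style-src carries 'unsafe-inline', so injected inline styles are still allowed, a deliberate trade-off to keep existing inline styling working that should be revisited once styles can be moved to files or given nonces.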

How is my site doing so far?

Here is the grade the security headers scanner gives the site after setting the first two headers.

HTTP Security Headers Analysis

2.3 X-Frame-Options

Setting the X-Frame-Options header to "SAMEORIGIN" tells the browser that the page may only be embedded in a frame by pages from the same origin; "DENY" forbids framing entirely. Either value defends against clickjacking, where an attacker overlays the real page in an invisible frame so that a victim's clicks land on it. The CSP frame-ancestors directive is the modern replacement and takes precedence where both are present, so it is worth setting the two consistently.

2.4 Additional Security Headers

The headers Referrer-Policy and Permissions-Policy are the remaining ones on the list that have yet to be set. Referrer-Policy limits how much of the current URL the browser sends in the Referer header when following links to other sites (for example, strict-origin-when-cross-origin sends only the origin cross-site). Permissions-Policy declares which browser features, such as the camera, microphone or geolocation, the page and any frames it embeds may use.

Implementation:

Final Result!!

Here is the grade we receive from security headers after checking all boxes.

HTTP Security Headers Analysis

Red Team vs Blue Team: Impact Summary

🔴 Red Team Findings

  • Strict-Transport-Security was not set
  • Content-Security-Policy was not set
  • X-Frame-Options was not set
  • Additional Headers were not set

🔵 Blue Team Mitigations

  • Set Strict-Transport-Security header
  • Set Content-Security-Policy header
  • Set X-Frame-Options header
  • Set the additional headers

Lessons Learned & Best Practices

Defense in Depth

No single security header prevents every web application attack, and none of them fixes an underlying bug in the site. Implemented together, they limit what an attacker can do with a flaw that does exist: an injected script cannot load from an arbitrary host, a page cannot be silently framed, and a connection cannot be downgraded to plain HTTP.

Configuration Management

Because this domain is served through Cloudflare, each header (Strict-Transport-Security, Content-Security-Policy, X-Frame-Options and the rest) had to be entered by hand in the dashboard. Settings made by hand are easy to lose or let drift, and nothing records what was changed or why, which is why configuration management is a necessary process whenever new technology is added to an organization's infrastructure.

Key Takeaway

Security Hardening: Setting these HTTP response headers closes several of the paths an attacker can use against the site's users, including protocol downgrade, injected scripts loaded from attacker-controlled hosts, and clickjacking, and it does so at the browser, independently of any bugs in the application itself.

Sources & References