Feature/lab11 by Uiyrte · Pull Request #15 · Uiyrte/F25-DevSecOps-Intro

Uiyrte · 2025-11-12T18:28:31Z

Goal

Explain reverse proxy security value (TLS termination, security headers, request filtering, single endpoint).
Show why hiding application ports reduces the attack surface.
Document security headers, TLS findings, rate-limiting, and timeouts with evidence.
Provide a short conclusion and list artifacts for submission.

Clarified and paraphrased technical explanations (TLS, headers, rate-limiting, timeouts).
Confirmed HSTS is present for HTTPS only (verified via headers-https.txt & headers-http.txt).
Added Nginx config snippet and docker compose ps output as evidence that only Nginx exposes host ports.
Improved rate-limit explanation, test output interpretation, and timeout trade-offs.

docker compose ps output shows only Nginx publishes host ports; Juice Shop only listens internal port 3000 (evidence in labs/submission11.md).
Testssl run (see labs/lab11/analysis/testssl.txt): TLS 1.2 and TLS 1.3 are supported; strong AEAD ciphers (listed) and Forward Secrecy enabled; testssl warns of a self-signed certificate; OCSP/CRL and stapling not configured.
Headers check (see labs/lab11/analysis/headers-https.txt and headers-http.txt) confirmed HSTS only on HTTPS and other security headers present on HTTPS responses.
Rate-limit test (curl repeated login POSTs) produced: 6× 401 Unauthorized (invalid creds) followed by 6× 429 Too Many Requests — confirms limit_req and limit_req_status 429 behavior.
nginx.conf analysis (labs/lab11/reverse-proxy/nginx.conf) confirmed settings: limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;, burst=5, all relevant timeout values and header injection.
Access logs (labs/lab11/logs/access.log) show 401 and 429 entries, as expected.

Uiyrte added 2 commits November 12, 2025 20:12

docs: lab10 — DefectDojo vuln management

f934660

docs: add lab11 — nginx reverse proxy hardening

0b0ef57