Hardened web server security

We have recently hardened our web server security, giving Runbox an A+ rating on securityheaders.io — in addition to our existing A+ rating on ssllabs.com.

The policies we have implemented are the following:

X-Frame-Options: Tells the browser that we don’t allow the Runbox web site to be framed (included) by other web sites, which defends against attacks like click-jacking.

HTTP Strict Transport Security: Strengthens our implementation of Transport Layer Security (TLS) by making the browser enforce the use of encrypted communication (HTTPS).

Content Security Policy: Protects our web site from Cross-Site Scripting (XSS) attacks.

HTTP Public Key Pinning: Protects us from from Man-in-the-Middle attacks by making sure the TLS certificates used by the browsers are the ones implemented on our servers.

X-XSS-Protection: Sets the configuration for the cross-site scripting filters built into most browsers.

X-Content-Type-Options: Forces browsers to use the declared file content type instead of trying to be too clever, which helps to reduce the danger of drive-by downloads.

These changes will help ensure that your use of Runbox is as safe and secure as possible, and we will continue making security-related improvements in the future.

5 thoughts on “Hardened web server security”

  1. Keep up the good work, Runbox! Best email service on the planet!

    Now, when can we have IMAP Push. 🙂

  2. Hi there

    Yes agreed – value your work and service

    Re added security
    Some time ago I read somewhere on RunBox about using 2 step verification.

    It is used for internet banking in NZ on the newish bank there called KiwiBank that was established under a former Labour govt to give the big four Australian banks that dominate that country some genuine competition.

    It seems so easy from a user standpoint. But I imagine it might not be so easy as you seemed interested but it has fallen by the wayside it seems since then. Maybe KiwiBank can help you somehow?

    Best wishes

    1. Lorraine, thanks for your comments.

      We’ve been working hard on two-factor authentication for the past year, and the reason it’s taken a long time is that all the different pieces of software running our services had to be modified to ensure that there won’t be any back doors.

      We’ve completed the development phase of the project and we’re currently in an internal testing phase. We are very happy with the results thus far and we expect to start an open beta test soon.

Leave a Reply

Your email address will not be published. Required fields are marked *