Fix guides
Vulnerability fix guides, with platform-specific examples.
Step-by-step guides to fix common web security findings. Each guide explains what the issue is, why it matters, and how to fix it, with examples for Nginx, Apache, Node, and more.
Security Headers
How to fix a missing HSTS header
Step-by-step guide to enable HTTP Strict Transport Security (HSTS) on your web server. Prevents downgrade attacks and enforces HTTPS. Nginx, Apache, Node, and Next.js examples.
Security Headers
Fix missing or weak Content Security Policy (CSP)
Step-by-step guide to implement Content Security Policy (CSP) to prevent XSS and injection. Nginx, Apache, and framework examples with safe defaults.
TLS / HTTPS
How to fix mixed content (HTTP on HTTPS pages)
Fix mixed content errors: resources loaded over HTTP on an HTTPS page. Step-by-step guide to find and fix scripts, images, and iframes.
Cookie Security
Fix insecure cookies (Secure, HttpOnly, SameSite)
Fix cookie security: add Secure, HttpOnly, and SameSite attributes to prevent theft and cross-site attacks. Set-Cookie examples for Node, Rails, and server config.
Security Headers
Fix X-Frame-Options and frame-ancestors (clickjacking)
Prevent clickjacking: add X-Frame-Options or CSP frame-ancestors so your site cannot be embedded in a malicious iframe. Nginx, Apache, and framework examples.
TLS / HTTPS
How to fix SSL/TLS certificate expiry
Prevent certificate expiry: renew and install SSL/TLS certificates before they expire. Automation with Let's Encrypt and monitoring tips.
Security Headers
How to add Referrer-Policy header
Step-by-step guide to set Referrer-Policy to control how much referrer information is sent. Reduce information leakage. Nginx, Apache, and framework examples.
Security Headers
How to add X-Content-Type-Options header
Prevent MIME sniffing: set X-Content-Type-Options: nosniff so browsers use the declared Content-Type. Nginx, Apache, and framework examples.
Security Headers
How to add Permissions-Policy header
Restrict browser features (camera, mic, geolocation) with Permissions-Policy. Step-by-step guide with Nginx, Apache, and Node examples. Reduces attack surface.
Information Disclosure
Fix server info disclosure (Server, X-Powered-By)
Stop leaking server and platform details in HTTP headers. Remove or genericize Server, X-Powered-By, and similar. Nginx, Apache, Node, and PHP examples.
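As an added example (not code from the original page or any of its guides), the following Node script audits one response's headers for the findings listed above: HSTS, CSP, clickjacking protection, nosniff, Referrer-Policy, Permissions-Policy, and server information disclosure. The thresholds (a one-year HSTS max-age, the weak Referrer-Policy values) and the two sample header sets are assumptions constructed for this example, not captured from any real site.

```javascript
// Added example, not code from the original page: a small header audit that
// reports the response-header findings in the guides above. Given the headers
// of one HTTPS response it returns a list of finding strings. Thresholds and
// the sample header sets are assumptions constructed for this example.

const ONE_YEAR = 31536000; // an HSTS max-age of at least one year is the usual bar

// Lower-case the header names so lookups are case-insensitive.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

function checkHsts(h) {
  const v = h['strict-transport-security'];
  if (!v) return 'HSTS missing';
  const m = /max-age=(\d+)/i.exec(v);
  if (!m) return 'HSTS present but has no max-age';
  if (Number(m[1]) < ONE_YEAR) return `HSTS max-age too short (${m[1]}s, want >= ${ONE_YEAR}s)`;
  if (!/includesubdomains/i.test(v)) return 'HSTS lacks includeSubDomains';
  return null;
}

function checkCsp(h) {
  const v = h['content-security-policy'];
  if (!v) return 'CSP missing';
  const directives = v.split(';').map((d) => d.trim().toLowerCase());
  // script-src governs scripts; default-src is the fallback when it is absent.
  const script = directives.find((d) => d.startsWith('script-src'))
    || directives.find((d) => d.startsWith('default-src'));
  if (!script) return 'CSP has neither script-src nor default-src';
  // A nonce or hash makes browsers ignore 'unsafe-inline', so only flag it on its own.
  if (/'unsafe-inline'/.test(script) && !/'nonce-|'sha(256|384|512)-/.test(script)) {
    return "CSP allows 'unsafe-inline' scripts";
  }
  if (/(^|\s)\*(\s|$)/.test(script)) return 'CSP script source allows *';
  return null;
}

function checkFraming(h) {
  const csp = (h['content-security-policy'] || '').toLowerCase();
  if (/frame-ancestors/.test(csp)) return null; // frame-ancestors overrides X-Frame-Options
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return null;
  return xfo ? `X-Frame-Options "${xfo}" is not DENY or SAMEORIGIN` : 'No clickjacking protection';
}

function checkNosniff(h) {
  const v = (h['x-content-type-options'] || '').trim().toLowerCase();
  return v === 'nosniff' ? null : 'X-Content-Type-Options: nosniff missing';
}

function checkReferrer(h) {
  const v = (h['referrer-policy'] || '').trim().toLowerCase();
  if (!v) return 'Referrer-Policy missing';
  if (v === 'unsafe-url' || v === 'no-referrer-when-downgrade') return `Referrer-Policy "${v}" sends full URLs cross-origin`;
  return null;
}

function checkPermissions(h) {
  return h['permissions-policy'] ? null : 'Permissions-Policy missing';
}

function checkDisclosure(h) {
  const leaks = [];
  if (h['x-powered-by']) leaks.push('X-Powered-By');
  if (h['server'] && /\d/.test(h['server'])) leaks.push('Server (with version)'); // a bare product name is tolerated
  return leaks.length ? `Discloses ${leaks.join(', ')}` : null;
}

// Run every check and drop the nulls; what remains is the finding list.
function audit(headers) {
  const h = normalise(headers);
  const checks = [checkHsts, checkCsp, checkFraming, checkNosniff, checkReferrer, checkPermissions, checkDisclosure];
  return checks.map((check) => check(h)).filter(Boolean);
}

// Constructed sample responses (not captured from any real site).
const WEAK_HEADERS = {
  'Server': 'nginx/1.18.0',
  'X-Powered-By': 'Express',
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
};
const HARDENED_HEADERS = {
  'Server': 'nginx',
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};

console.log('weak:', audit(WEAK_HEADERS));         // seven findings
console.log('hardened:', audit(HARDENED_HEADERS)); // []
```

To audit a live site, fetch the page over HTTPS and pass the response's header object to audit(); the checks only look at the final response, so follow redirects first, since an HSTS header on the redirecting hostname does not cover the destination.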
TLS / HTTPS
Fix weak TLS (disable 1.0, 1.1, weak ciphers)
Harden TLS: disable TLS 1.0 and 1.1, drop weak ciphers, prefer TLS 1.3. Step-by-step for Nginx, Apache, and load balancers. Test with Barrion.
Email Security
How to fix missing or weak SPF, DKIM, and DMARC
Set up SPF, DKIM, and DMARC for your domain to stop email spoofing and improve deliverability. Step-by-step with DNS and policy examples.
Security Headers
How to fix CORS misconfiguration (overly permissive)
Tighten CORS: never combine Access-Control-Allow-Origin: * or a reflected Origin with Access-Control-Allow-Credentials. Allowlist exact origins, send Vary: Origin, and grant credentials only to those origins. Step-by-step for Nginx, Node, and API gateways.
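The following is an added example for the CORS entry above, not code from the original page or its guide. It shows the reflecting misconfiguration beside the allowlist form for a Node handler; the allowlisted origins, the preflight policy, and the sample requests are assumptions constructed for this example.

```javascript
// Added example, not code from the original page: CORS origin validation for a
// Node HTTP handler. The allowlist and the request samples are constructed for
// this example.

// Exact origins (scheme, host and port), never patterns or suffixes.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// The misconfiguration the guide describes: echoing whatever Origin arrives,
// combined with credentials. Any site can then read authenticated responses
// from this API inside a victim's browser. Kept here only for contrast.
function reflectingCorsHeaders(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened form: allowlisted origins only, and credentials only when the
// endpoint really needs cookies or Authorization across origins.
function corsHeaders(origin, { credentials = false } = {}) {
  if (!origin) return {}; // same-origin or non-browser request: nothing to add
  // Set.has is an exact string comparison, so https://evil-example.com,
  // https://app.example.com.evil.net and http://app.example.com all fail.
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  const headers = {
    'Access-Control-Allow-Origin': origin,
    // The response now depends on Origin; without Vary a shared cache could
    // hand one origin's ACAO value to a request from another.
    'Vary': 'Origin',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Access-Control-Max-Age': '600',
  };
  // Browsers reject "*" with credentials on their own; the dangerous case is a
  // reflected origin with credentials, which the allowlist above rules out.
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Status and headers for one request. Preflights from unknown origins get 403;
// unknown origins on ordinary requests just receive no CORS headers, so the
// browser withholds the response body from the calling page.
function handleCors(method, origin, opts) {
  const headers = corsHeaders(origin, opts);
  if (method === 'OPTIONS') {
    return Object.keys(headers).length
      ? { status: 204, headers }
      : { status: 403, headers: {} };
  }
  return { status: 200, headers };
}

// Constructed request samples.
console.log(corsHeaders('https://app.example.com', { credentials: true }));
console.log(corsHeaders('https://app.example.com.evil.net')); // {}
console.log(reflectingCorsHeaders('https://attacker.example')); // echoes the attacker's origin
```

In a real server, call handleCors(req.method, req.headers.origin, { credentials: true }) inside the request handler and spread the returned headers into res.writeHead(); the same allowlist comparison applies when the headers are set in Nginx or an API gateway instead.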
TLS / HTTPS
How to add CAA DNS records (allowlist trusted CAs)
Allowlist the certificate authorities that can issue for your domain. Step-by-step CAA DNS record setup to prevent mis-issuance and rogue certs.
TLS / HTTPS
How to enable OCSP stapling (faster TLS, better privacy)
Enable OCSP stapling so your server delivers a CA-signed OCSP response inside the TLS handshake and clients can check revocation without contacting the CA themselves. Faster connections, better client privacy, no extra round-trip to the CA.
DNS Security
How to fix subdomain takeover risk
Find and fix dangling DNS records that point at deprovisioned cloud resources. Step-by-step guide to inventory, remove, reclaim, and monitor subdomains.
Supply Chain
How to fix vulnerable JavaScript libraries
Find and remove vulnerable JavaScript dependencies with npm audit and yarn audit. Step-by-step guide to upgrade, replace abandoned libraries, and gate in CI.
Network Security
How to fix exposed open ports (firewall and cloud rules)
Lock down public-facing ports with host firewalls and cloud security groups. Inventory listening services, narrow access to allowlisted CIDRs.
Check your site for these findings.
Run a free security scan to see which of these apply to your web app. Report in under a minute, with step-by-step remediation.