HTTP headers can greatly improve the security of a website and, in the case of Content-Security-Policy or Feature-Policy, the security and privacy of its users too. Just because a website is hosted on a .onion rather than a .com doesn’t mean webmasters shouldn’t make use of this security functionality. Inspired by OnionScan from OpenPriv’s Sarah Jamie Lewis, Ablative Hosting’s https://onionheaders.website/ intends to help .onion webmasters improve their httpd security configuration.
Ablative makes heavy use of Ansible. This allows us to push changes to servers quickly and ensure that all instances are hardened appropriately. By following a secure software development lifecycle, we can also automate all interaction with customer servers, meaning no human (beyond the customer themselves) ever has access to a server. One of the biggest issues with automation is protecting the credentials that grant access to the customer servers. We’ve seen APTs target MSPs and we can’t ignore the possibility that the UK Government can interfere with our equipment or even seize our infrastructure.
At Ablative we make an effort to minimize the amount of data we need to store about our customers and the amount of meta-data needed to manage the service. As we use cryptocurrency instead of taking card payments, we don’t need to be PCI compliant, but we are concerned that there is a meta-data trail between every Bitcoin transaction (and Monero transaction, if an adversary acquires your private keys) and you.
Ablative Hosting needs to monitor our servers and microservices for any strange or malicious behaviour. In certain cases we also need to be able to send logs across the Internet without exposing a link between the servers in question and our attributed infrastructure. To prevent either side of a log transmission event from knowing too much about the other, and to provide end-to-end transport encryption as well, we can use Tor.
Ablative Hosting has several servers distributed around the globe in various data centers from various vendors. It is very important that any potential adversary not be able to identify that these servers are part of the infrastructure. There are three key points of correlation for these servers:

- Orchestration connections from the Ansible hosts
- Inter-host service communication polling (e.g. the cryptocurrency microservices connecting to our Bitcoin or Monero nodes)
- Metrics from the various servers

Protecting Ansible using Tor

Thankfully, Ansible natively supports using SSH options so the host inventory uses .