Feature/lab11#11

Open
fayz131 wants to merge 6 commits into main from feature/lab11
Conversation

@fayz131
Owner

@fayz131 fayz131 commented Apr 22, 2026

Goal

Implement reverse proxy hardening for OWASP Juice Shop using Nginx without modifying application code. The goal was to add TLS, security headers, and rate limiting to improve security posture.

Changes

  • Deployed Juice Shop behind Nginx reverse proxy using Docker Compose
  • Configured HTTPS with self-signed TLS certificate (SAN for localhost)
  • Added security headers:
    • X-Frame-Options
    • X-Content-Type-Options
    • Referrer-Policy
    • Permissions-Policy
    • COOP / CORP
    • CSP (Report-Only)
  • Enforced HTTP → HTTPS redirect (308)
  • Enabled HSTS on HTTPS
  • Implemented rate limiting for /rest/user/login
  • Configured Nginx timeouts to mitigate slow client attacks
  • Collected evidence (headers, TLS scan, logs, rate limiting results)

Testing

Commands used:

```bash
# Verify redirect
curl -s -o /dev/null -w "HTTP %{http_code}\n" http://localhost:8080/

# Check headers
curl -sI http://localhost:8080/
curl -skI https://localhost:8443/

# TLS scan
docker run --rm --network host drwetter/testssl.sh:latest https://localhost:8443

# Rate limiting test (12 login attempts in a row; the last ones should be 429)
for i in $(seq 1 12); do
  curl -sk -o /dev/null -w "%{http_code}\n" \
    -H 'Content-Type: application/json' \
    -X POST https://localhost:8443/rest/user/login \
    -d '{"email":"a@a","password":"a"}'
done
```

Artifacts & Screenshots

labs/submission11.md
labs/lab11/analysis/headers-http.txt
labs/lab11/analysis/headers-https.txt
labs/lab11/analysis/testssl.txt
labs/lab11/analysis/rate-limit-test.txt
labs/lab11/analysis/nginx.log


Checklist

  • PR title is clear and descriptive
  • Documentation updated if needed
  • No secrets, temporary files, or large binaries included
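For reviewers without the branch checked out, the following is an added example of an Nginx server configuration that implements the controls listed in the PR description (308 redirect, TLS, HSTS on HTTPS only, the header set, a `limit_req` zone on `/rest/user/login`, and client timeouts). It is not the PR's own `nginx.conf`; the upstream name `juice-shop:3000`, the certificate paths under `/etc/nginx/certs/`, the CSP policy string, and the timeout and rate values are assumptions chosen for illustration, and it assumes Nginx listens on 80/443 inside the container with those ports published as 8080/8443 on the host.

```nginx
# Added example, not the PR's nginx.conf. Assumed: upstream container
# "juice-shop" on port 3000, certs under /etc/nginx/certs/, nginx on 80/443
# inside the container published as 8080/8443 on the host.

# Rate-limit state keyed by client IP. 10m of shared memory holds roughly
# 160k addresses; 5r/s is the sustained rate, burst is set per location.
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/s;
limit_req_status 429;

upstream juice_shop {
    server juice-shop:3000;
}

# Plain-HTTP listener serves nothing: every request is redirected with 308,
# which preserves method and body (301/302 let clients downgrade POST to GET).
server {
    listen 80;
    server_name localhost;
    return 308 https://$host:8443$request_uri;
}

server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate     /etc/nginx/certs/localhost.crt;   # self-signed, SAN=localhost
    ssl_certificate_key /etc/nginx/certs/localhost.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Slow-client mitigation: bound how long a connection may sit idle while
    # sending headers or a body, and how long nginx waits between writes.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;

    # HSTS is set only on the HTTPS listener; browsers ignore it over HTTP.
    # "always" emits the headers on error responses (4xx/5xx) too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    add_header Cross-Origin-Resource-Policy "same-origin" always;
    # Report-Only: violations are logged, nothing is blocked, so Juice Shop's
    # inline scripts keep working while the policy is tuned.
    add_header Content-Security-Policy-Report-Only "default-src 'self'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none'" always;

    # Login endpoint: 5 req/s per IP with a burst of 5; excess gets 429 at once.
    location = /rest/user/login {
        limit_req zone=login burst=5 nodelay;
        proxy_pass http://juice_shop;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Everything else, including the socket.io WebSocket upgrade Juice Shop uses.
    location / {
        proxy_pass http://juice_shop;
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Two things worth checking in the real config when reviewing the evidence files: `add_header` directives are not merged across levels, so any `add_header` placed inside a `location` block silently drops every header inherited from the `server` block (the example keeps them all at server level for that reason), and `limit_req_zone` keyed on `$binary_remote_addr` only throttles per client while Nginx sees real client addresses; behind another proxy or load balancer it would throttle that proxy's single IP instead.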
