1. Purpose of this Guide
This artefact proves your company’s web servers are configured securely. Cyber Essentials requires this because misconfigured servers (e.g., expired TLS, missing headers) are prime targets for attackers. The IHP scan provides independent verification that your servers meet security best practices.
2. What You Will Submit
You will need:
-
A screenshot or PDF report of your Web Server IHP Results, showing:
-
Overall web server security score.
-
HTTPS/TLS configuration.
-
Certificate validity status.
-
HTTP security headers (e.g., HSTS, X-Frame-Options).
-
3. How to Collect / Obtain / Generate This Evidence
For StrongKeep Customers:
-
Log into StrongKeep Dashboard → Web and Mail Server
-
Select Web Server Results.
-
Run the external scan (or select latest scan).
-
Download the results as PDF or take a screenshot of the dashboard view.
If using IHP directly (Singapore CSA Internet Hygiene Portal):
-
Visit the IHP portal (https://ihp.csa.gov.sg).
-
Enter your web server domain.
-
Run the scan.
-
Save a screenshot of the results page or download the report.
4. Evidence Format
-
Accepted file types: PNG, JPG, PDF.
-
Suggested naming format:
YourCompanyName_WebServerIHP_YYYY-MM-DD.pdf
Example:AcmeCorp_WebServerIHP_2025-07-01.pdf
5. What “Good” Looks Like
-
Evidence clearly shows:
-
Valid HTTPS/TLS certificates (not expired).
-
Strong TLS protocols (e.g., TLS 1.2/1.3).
-
HTTP security headers present.
-
A passing or good security score in the IHP results.
-
Why it matters: auditors want assurance your servers aren’t leaking weaknesses to the internet.
6. Tips
-
Always run scans close to audit date (so the results are fresh).
-
If the IHP flags weak protocols (e.g., TLS 1.0), disable them and rerun.
-
Save historical results too — they help show continuous compliance.