HTTP Header vulnerabilities

nisar
Posts: 13
Joined: 2022-07-11 18:19

HTTP Header vulnerabilities

Post by nisar » 2022-10-17 07:00

It is observed that a number of HTTP header vulnerabilities have been found. Please let us know how to remove the header vulnerabilities.
Attachment: Http Header Vulnerabilities.jpeg (104.59 KiB)

peebee
AppGini Super Hero
Posts: 352
Joined: 2013-03-21 04:37

Re: HTTP Header vulnerabilities

Post by peebee » 2022-10-18 07:26

So what "vulnerabilities" are you referring to?

If you'd like to add EXTRA security headers, you can do that several ways:

1. easiest is with some additional .htaccess directives (here's how to: https://htaccessbook.com/important-security-headers/)
2. or add them to your hooks/headers-extra.php
3. or edit this section of admin/incFunctions.php (sample extra headers added to those generated)

Code:

########################################################################
function set_headers() {
	// Additional security headers V22.14
	// The @ silences the "headers already sent" warning: if any output has
	// started before this runs, PHP cannot send the header and it is dropped.
	// datalist_db_encoding is AppGini's own constant for the DB charset.
	@header('Content-Type: text/html; charset=' . datalist_db_encoding);
	@header('X-Frame-Options: SAMEORIGIN'); // prevent iframing by other sites to prevent clickjacking
	@header('Cache-Control: no-cache, no-store, must-revalidate'); // HTTP 1.1.
	@header('Pragma: no-cache'); // HTTP 1.0.
	@header('Expires: Thu, 01 Jan 1970 00:00:01 GMT'); // Proxies.
	@header('X-Content-Type-Options: nosniff'); // nosniff.
	@header('Referrer-Policy: strict-origin-when-cross-origin'); // Referrer Policy.
	// One year; only add "preload" once every subdomain is served over HTTPS.
	@header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
	// @header("Feature-Policy: geolocation 'self'; sync-xhr 'self'"); deprecated, replaced with Permissions Policy
	@header('Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()');
	// XSS Browser Protection. Legacy header: the filter it controls has been
	// removed from current browsers, so it is a no-op there; kept as posted.
	@header('X-XSS-Protection: 1; mode=block');
	@header('X-Permitted-Cross-Domain-Policies: none');
	// Expect-CT is deprecated and ignored by current browsers; the report-uri
	// below is a placeholder that must point at an endpoint you control.
	@header('Expect-CT: max-age=43200, enforce, report-uri="https://yourdomain.com/report"');
	// Content Security Policy. Note: no default-src is set, so any fetch
	// directive not listed here (style-src, font-src, object-src, ...) is
	// unrestricted, and without frame-ancestors clickjacking protection
	// relies on X-Frame-Options alone. Adjust the allow-lists to your site.
	@header("Content-Security-Policy: script-src 'self' https://translate.googleapis.com/ https://translate-pa.googleapis.com/ https://translate.google.com/ https://www.gstatic.com/recaptcha/releases/ https://www.google.com/ https://www.google.com/recaptcha/api.js https://secure.trust-provider.com/ https://cdnjs.cloudflare.com/ajax/libs/ https://ajax.googleapis.com/ https://translate.googleapis.com/ https://cdn.jsdelivr.net/ https://smarticon.geotrust.com/ https://www.jquery-az.com/javascript/alert/dist/; frame-src https://www.google.com/recaptcha/ https://www.gstatic.com/ https://www.google.com/; connect-src 'self'; img-src 'self' https://secure.trust-provider.com/ https://sectigo.com/ https://ui-avatars.com/api/ https://chart.googleapis.com/ https://www.gstatic.com/ data:");
}
########################################################################
Those headers above (or the same directives in your .htaccess) will give you an A+ rating here: https://securityheaders.com/

Don't just copy/paste above as some security headers are application specific and your site will likely stop working. Obviously you will need to edit the "Content Security Policy" and maybe other headers to suit your own application.
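Whichever of the three routes above is used, the sensible next step is to verify what the server actually sends rather than trusting the edit. The checker below is an added example, not code from the thread or from AppGini, and it mirrors the kind of checks a scanner such as securityheaders.com runs: presence of the usual security headers, an HSTS max-age of at least a year, a CSP that has a fallback and an anti-framing directive, and deprecated or version-disclosing headers. The two response heads are constructed samples (one bare PHP/Apache default, one hardened) so the script runs offline; in practice you would paste in the output of `curl -sI https://your-app/` instead.

```python
"""Offline checker for HTTP response security headers (added example).

The sample response heads below are constructed for illustration; they
were not captured from any real AppGini installation.
"""
import re

# Constructed sample: what a stock Apache/PHP response might look like.
RAW_DEFAULT = """HTTP/1.1 200 OK
Server: Apache/2.4.54
X-Powered-By: PHP/8.1.12
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; mode=block
Expect-CT: max-age=43200, enforce
"""

# Constructed sample: the same app after adding hardened headers.
RAW_HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains
Permissions-Policy: camera=(), geolocation=(), microphone=()
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; object-src 'none'; frame-ancestors 'self'; base-uri 'self'
Cache-Control: no-cache, no-store, must-revalidate
"""

REQUIRED = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)
# Headers that current browsers ignore (scanners flag them as obsolete).
DEPRECATED = ("expect-ct", "x-xss-protection")
# Headers that disclose software versions to an attacker.
LEAKY = ("server", "x-powered-by")
ONE_YEAR = 31536000


def parse_headers(raw):
    """Parse a raw response head into {lower-cased name: value}.
    The status line is skipped; a repeated header keeps its last value."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(value):
    """HSTS is only useful with a long max-age; a year is the usual floor."""
    m = re.search(r"max-age=(\d+)", value)
    if not m:
        return ["HSTS has no max-age"]
    return ["HSTS max-age shorter than one year"] if int(m.group(1)) < ONE_YEAR else []


def check_csp(value):
    """Flag a CSP with no fallback, no plugin/framing/base control, or unsafe keywords."""
    directives = {d.strip().split(" ")[0] for d in value.split(";") if d.strip()}
    findings = [f"CSP lacks {d}" for d in ("default-src", "object-src", "frame-ancestors", "base-uri")
                if d not in directives]
    if "'unsafe-inline'" in value or "'unsafe-eval'" in value:
        findings.append("CSP allows unsafe-inline or unsafe-eval")
    return findings


def audit(raw):
    """Return a sorted list of findings for one raw response head."""
    headers = parse_headers(raw)
    findings = [f"missing {h}" for h in REQUIRED if h not in headers]
    findings += [f"deprecated header present: {h}" for h in DEPRECATED if h in headers]
    findings += [f"version-disclosing header present: {h}" for h in LEAKY if h in headers]
    if "strict-transport-security" in headers:
        findings += check_hsts(headers["strict-transport-security"])
    if "content-security-policy" in headers:
        findings += check_csp(headers["content-security-policy"])
    return sorted(findings)


if __name__ == "__main__":
    for label, raw in (("default", RAW_DEFAULT), ("hardened", RAW_HARDENED)):
        print(f"{label}: {audit(raw) or 'no findings'}")
```

Run against the policy in the post above, `check_csp` reports the missing default-src, object-src, frame-ancestors and base-uri directives, which is exactly the kind of gap a scanner will keep flagging after the other headers are in place; the hardened sample returns no findings.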
