HTTP Header vulnerabilities
It is observed that a number of HTTP header vulnerabilities were found. Please let us know how to remove the header vulnerabilities.
Attachment: Http Header Vulnerabilities.jpeg (104.59 KiB)
Re: HTTP Header vulnerabilities
So what "vulnerabilities" are you referring to?
If you'd like to add EXTRA security headers, you can do that several ways:
1. easiest is with some additional .htaccess directives (here's how to: https://htaccessbook.com/important-security-headers/)
2. or add them to your hooks/headers-extra.php
3. or edit this section of admin/incFunctions.php (sample extra headers added to those generated)
Code:
########################################################################
function set_headers() {
// Additional security headers V22.14
@header('Content-Type: text/html; charset=' . datalist_db_encoding);
@header('X-Frame-Options: SAMEORIGIN'); // prevent iframing by other sites to prevent clickjacking
@header('Cache-Control: no-cache, no-store, must-revalidate'); // HTTP 1.1.
@header('Pragma: no-cache'); // HTTP 1.0.
@header('Expires: Thu, 01 Jan 1970 00:00:01 GMT'); // Proxies.
@header('X-Content-Type-Options: nosniff'); // nosniff: stop browsers guessing a different MIME type.
@header('Referrer-Policy: strict-origin-when-cross-origin'); // Referrer Policy: send only the origin to other sites.
@header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); // HSTS: force HTTPS for one year, subdomains included.
// @header("Feature-Policy: geolocation 'self'; sync-xhr 'self'"); deprecated, replaced with Permissions Policy
@header('Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()'); // disable browser features the app does not use
@header('X-XSS-Protection: 1; mode=block'); // XSS Browser Protection (legacy filter header; current browsers ignore it)
@header('X-Permitted-Cross-Domain-Policies: none'); // no Flash/PDF cross-domain policy files
@header('Expect-CT: max-age=43200, enforce, report-uri="https://yourdomain.com/report"'); // Certificate Transparency; yourdomain.com is a placeholder for your own report endpoint
@header("Content-Security-Policy: script-src 'self' https://translate.googleapis.com/ https://translate-pa.googleapis.com/ https://translate.google.com/ https://www.gstatic.com/recaptcha/releases/ https://www.google.com/ https://www.google.com/recaptcha/api.js https://secure.trust-provider.com/ https://cdnjs.cloudflare.com/ajax/libs/ https://ajax.googleapis.com/ https://translate.googleapis.com/ https://cdn.jsdelivr.net/ https://smarticon.geotrust.com/ https://www.jquery-az.com/javascript/alert/dist/; frame-src https://www.google.com/recaptcha/ https://www.gstatic.com/ https://www.google.com/; connect-src 'self'; img-src 'self' https://secure.trust-provider.com/ https://sectigo.com/ https://ui-avatars.com/api/ https://chart.googleapis.com/ https://www.gstatic.com/ data:"); // Content Security Policy: only the listed origins may serve scripts, frames and images
}
########################################################################
Those headers above (or the same directives in your .htaccess) will give you an A+ rating here: https://securityheaders.com/
Don't just copy/paste above as some security headers are application specific and your site will likely stop working. Obviously you will need to edit the "Content Security Policy" and maybe other headers to suit your own application.
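To see what a scanner such as the one the reply links to actually checks, here is an added Python example (not part of this thread and not AppGini project code) that parses a raw HTTP response and reports which of the headers from the posted set_headers() are missing or weakly set. The two sample responses are constructed for the example; the pass criteria (one-year HSTS max-age, no 'unsafe-inline' in script-src, DENY/SAMEORIGIN framing) are this example's own choices, taken from the values in the post rather than from any scanner's scoring rules.

```python
import re
import urllib.request
from typing import Dict, List

# Constructed sample response (not captured from any real site): HSTS is
# present but short-lived, the CSP allows inline scripts, and X-Frame-Options,
# Referrer-Policy and Permissions-Policy are missing.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: script-src 'self' 'unsafe-inline'; img-src 'self' data:\r\n"
    "Cache-Control: no-cache, no-store, must-revalidate\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed response carrying the values used in the posted set_headers().
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Permissions-Policy: camera=(),geolocation=(),microphone=()\r\n"
    "Content-Security-Policy: script-src 'self' https://cdn.jsdelivr.net/; connect-src 'self'; img-src 'self' data:\r\n"
    "\r\n"
)

ONE_YEAR = 31536000  # the HSTS max-age the post uses


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers: Dict[str, str]) -> List[str]:
    """Return findings as 'category: detail' strings; an empty list means every check passed."""
    findings: List[str] = []

    # Presence checks for the headers emitted by the posted set_headers().
    required = {
        "x-frame-options": "clickjacking: X-Frame-Options missing",
        "x-content-type-options": "mime-sniffing: X-Content-Type-Options missing",
        "referrer-policy": "referrer: Referrer-Policy missing",
        "permissions-policy": "features: Permissions-Policy missing",
        "strict-transport-security": "transport: Strict-Transport-Security missing",
        "content-security-policy": "injection: Content-Security-Policy missing",
    }
    for name, msg in required.items():
        if name not in headers:
            findings.append(msg)

    # Value checks: a header that is present but weak is also a finding.
    xfo = headers.get("x-frame-options", "").lower()
    if xfo and xfo not in ("deny", "sameorigin"):
        findings.append(f"clickjacking: X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")

    xcto = headers.get("x-content-type-options", "").lower()
    if xcto and xcto != "nosniff":
        findings.append(f"mime-sniffing: X-Content-Type-Options value {xcto!r}, expected nosniff")

    hsts = headers.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (max_age is None or int(max_age.group(1)) < ONE_YEAR):
        findings.append("transport: HSTS max-age shorter than one year")

    csp = headers.get("content-security-policy", "")
    if csp:
        directives = [d.strip() for d in csp.split(";")]
        script_src = next((d for d in directives if d.startswith("script-src")), "")
        if not script_src:
            findings.append("injection: CSP has no script-src directive")
        elif "'unsafe-inline'" in script_src or "'unsafe-eval'" in script_src:
            findings.append("injection: CSP script-src allows 'unsafe-inline' or 'unsafe-eval'")
    return findings


def audit_raw(raw: str) -> List[str]:
    """Audit a raw response string (used for the constructed samples above)."""
    return audit(parse_headers(raw))


def audit_url(url: str) -> List[str]:
    """Fetch a URL and audit its response headers (network required, not run here)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return audit({name.lower(): value for name, value in resp.getheaders()})


if __name__ == "__main__":
    for sample_name, sample in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{sample_name}: {audit_raw(sample) or ['no findings']}")
```

Running it reports five findings for the weak sample (three missing headers, the short HSTS lifetime and the inline-script CSP) and none for the hardened one. The value checks are the part worth keeping in mind when reading a scanner report: the original poster's screenshot will usually list headers that are absent, but a header that is present with a weak value (a short max-age, a CSP that still allows inline scripts) is reported the same way.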