HTTP Header vulnerabilities

Posted: 2022-10-17 07:00
by nisar
It is observed that a number of HTTP header vulnerabilities were found. Please let us know how to remove the header vulnerabilities.

Re: HTTP Header vulnerabilities

Posted: 2022-10-18 07:26
by peebee
So what "vulnerabilities" are you referring to?

If you'd like to add EXTRA security headers, you can do that several ways:

1. easiest is with some additional .htaccess directives (here's how to: https://htaccessbook.com/important-security-headers/)
2. or add them to your hooks/headers-extra.php
3. or edit this section of admin/incFunctions.php (sample extra headers added to those generated)

Code:

########################################################################
function set_headers() {
	// Additional security headers V22.14
	@header('Content-Type: text/html; charset=' . datalist_db_encoding);
	@header('X-Frame-Options: SAMEORIGIN'); // prevent iframing by other sites to prevent clickjacking
	@header('Cache-Control: no-cache, no-store, must-revalidate'); // HTTP 1.1.
	@header('Pragma: no-cache'); // HTTP 1.0.
	@header('Expires: Thu, 01 Jan 1970 00:00:01 GMT'); // Proxies.
	@header('X-Content-Type-Options: nosniff'); // nosniff.
	@header('Referrer-Policy: strict-origin-when-cross-origin'); // Referrer Policy.
	@header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
	// @header("Feature-Policy: geolocation 'self'; sync-xhr 'self'"); deprecated, replaced with Permissions Policy
	@header('Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()');
	@header('X-XSS-Protection: 1; mode=block'); // XSS Browser Protection
	@header('X-Permitted-Cross-Domain-Policies: none');
	@header('Expect-CT: max-age=43200, enforce, report-uri="https://yourdomain.com/report"');
	@header("Content-Security-Policy: script-src 'self' https://translate.googleapis.com/ https://translate-pa.googleapis.com/ https://translate.google.com/ https://www.gstatic.com/recaptcha/releases/ https://www.google.com/ https://www.google.com/recaptcha/api.js https://secure.trust-provider.com/ https://cdnjs.cloudflare.com/ajax/libs/ https://ajax.googleapis.com/ https://translate.googleapis.com/ https://cdn.jsdelivr.net/ https://smarticon.geotrust.com/ https://www.jquery-az.com/javascript/alert/dist/; frame-src https://www.google.com/recaptcha/ https://www.gstatic.com/ https://www.google.com/; connect-src 'self'; img-src 'self' https://secure.trust-provider.com/ https://sectigo.com/ https://ui-avatars.com/api/ https://chart.googleapis.com/ https://www.gstatic.com/ data:"); // Content Security Policy
}
########################################################################
Those headers above (or the same directives in your .htaccess) will give you an A+ rating here: https://securityheaders.com/

Don't just copy/paste the above as some security headers are application specific and your site will likely stop working. Obviously you will need to edit the "Content Security Policy" and maybe other headers to suit your own application.
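Before and after changing .htaccess, hooks/headers-extra.php or set_headers(), it helps to verify what the server actually sends rather than trusting the edit. The script below is an added example (not AppGini code and not from the reply above): it audits a dictionary of response headers against the headers the reply recommends. The thresholds (HSTS max-age of one year, the set of referrer policies treated as safe, the CSP source tokens treated as weak) and the two sample header sets are assumptions constructed for the example; the CSP in the "good" sample is a shortened version of the one in the reply. Expect-CT and X-XSS-Protection are deliberately not required, since current browsers ignore both.

```python
"""Added example, not AppGini project code: audit a response's security headers
against the set recommended in the forum reply. Header names come from the
reply; thresholds and sample values below are assumptions for illustration."""
import re

# Referrer policies that never send the full URL to another origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin",
}

# Source tokens that make a script-src effectively permissive.
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:")


def hsts_ok(value, min_age=31536000):
    """True when max-age is present and at least min_age seconds (one year, as in the reply)."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return m is not None and int(m.group(1)) >= min_age


def parse_csp(value):
    """Split a CSP header into {directive: [sources]}.
    Browsers ignore a repeated directive, so the first occurrence wins here too."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def csp_findings(value):
    """Weaknesses in the script policy: script-src, or default-src as its fallback."""
    directives = parse_csp(value)
    if "script-src" in directives:
        which, sources = "script-src", directives["script-src"]
    elif "default-src" in directives:
        which, sources = "default-src", directives["default-src"]
    else:
        return ["CSP has neither script-src nor default-src"]
    return [f"CSP {which} allows {bad}" for bad in WEAK_SCRIPT_SOURCES if bad in sources]


def audit(headers):
    """Return a list of findings for a dict of response headers (names matched
    case-insensitively). An empty list means every recommended header is present
    and acceptable under the thresholds above."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    def need(name):
        if name not in h:
            findings.append(f"missing {name}")
            return None
        return h[name]

    v = need("x-frame-options")
    if v is not None and v.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")

    v = need("x-content-type-options")
    if v is not None and v.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    v = need("referrer-policy")
    if v is not None and v.strip().lower() not in SAFE_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy {v.strip()} can leak URLs cross-origin")

    v = need("strict-transport-security")
    if v is not None and not hsts_ok(v):
        findings.append("Strict-Transport-Security max-age is below one year")

    need("permissions-policy")

    v = need("content-security-policy")
    if v is not None:
        findings.extend(csp_findings(v))
    return findings


# Constructed sample: the headers the reply's set_headers() emits, CSP shortened.
GOOD_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Permissions-Policy": "camera=(),geolocation=(),microphone=()",
    "Content-Security-Policy": "script-src 'self' https://cdnjs.cloudflare.com/ajax/libs/; "
                               "frame-src https://www.google.com/recaptcha/; connect-src 'self'; "
                               "img-src 'self' data:",
}

# Constructed sample: a stock response with a short HSTS and a permissive CSP.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "unsafe-url",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit(hdrs) or ["no findings"])
```

To run it against a live site, feed `audit()` the `headers` mapping from any HTTP client response; the function only needs name/value pairs. The CSP check is intentionally narrow (it only inspects the script policy), because that is the directive a copied policy most often gets wrong when the allowed hosts do not match the application.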