Hello,
Here I saw some detail about security headers.
Then I visited this
site and it says Missing Headers.
Can somebody help me with how to enable them in our forum?
Missing Headers are:
Strict-Transport-Security
Content-Security-Policy
Public-Key-Pins
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Referrer-Policy
The result for community.mybb.com shows the bolded ones are active.
Thanks, much appreciated.
Any idea?
Put in .htaccess:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Content-Security-Policy "upgrade-insecure-requests; default-src https: data: 'unsafe-inline' 'unsafe-eval'"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "deny"
Header always set X-XSS-Protection "1; mode=block"
How does one install these two headers into MyBB?
Public-Key-Pins and Referrer-Policy
Nathaniels-MacBook-Pro:~ nathanielsuchy$ curl -I --user-agent "Chrome" https://sinfulforums.net
HTTP/1.1 200 OK
Date: Wed, 06 Sep 2017 14:49:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=dc85851e0e2b6e528d21354f154b21eaa1504709365; expires=Thu, 06-Sep-18 14:49:25 GMT; path=/; domain=.sinfulforums.net; HttpOnly
Set-Cookie: mybb[lastvisit]=1504709365; expires=Thu, 06-Sep-2018 14:49:25 GMT; path=/; domain=.sinfulforums.net; Secure
Set-Cookie: mybb[lastactive]=1504709365; expires=Thu, 06-Sep-2018 14:49:25 GMT; path=/; domain=.sinfulforums.net; Secure
Set-Cookie: sid=d178e833b5cc6ad71cd9912c5282717c; path=/; domain=.sinfulforums.net; HttpOnly; Secure
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'self' data:; frame-src 'self' https://www.google.com:443 https://static.addtoany.com:443 https://www.youtube.com:443; img-src * data:; style-src 'self' 'unsafe-inline' https://static.addtoany.com:443 https://maxcdn.bootstrapcdn.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https://analytics.maimail.co:443 https://www.google.com:443 https://www.gstatic.com:443 https://www.google-analytics.com:443 https://ajax.googleapis.com:443 https://www.googletagmanager.com:443 https://maxcdn.bootstrapcdn.com:443 https://static.addtoany.com:443 https://ajax.cloudflare.com:443; connect-src 'self' https://cors-anywhere.herokuapp.com:443; font-src 'self' data: https://fonts.gstatic.com:443; report-uri https://sinfulforums.report-uri.io/r/default/csp/enforce;
X-We-Are-Hiring: If you are seeing this message maybe you should be working for us. Private Message AdamJenaine for more information.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare-nginx
CF-RAY: 39a23c1f0ffd56f9-IAD
My headers are above if that provides any inspiration. You can use the following nginx config options to get similar headers:
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
I'm not including my content security policy as it's huge and might cause problems on your board if you don't understand what you're configuring.
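A small checker, added here as an example and not code from anyone in this thread: it parses raw `curl -I` output like the response above, reports which of the seven headers the question lists are missing, and flags two values worth a second look (an HSTS max-age under a year, and a CSP whose script sources allow 'unsafe-inline' or 'unsafe-eval', as the .htaccess snippet earlier in the thread does). The sample response it runs on is constructed.

```python
# Added example, not code from the thread: parse raw `curl -I` output and
# report which of the headers the question lists are missing, plus CSP and
# HSTS values a reviewer would flag. The sample response is constructed.
import re

EXPECTED = [  # the headers the question asked about
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "Public-Key-Pins",  # HPKP; browsers have since dropped support for it
    "X-Frame-Options",
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "Referrer-Policy",
]

def parse_headers(raw):
    """Map lowercased header names to values; the status line is skipped."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return (missing header names, warnings about weak values)."""
    h = parse_headers(raw)
    missing = [n for n in EXPECTED if n.lower() not in h]
    warnings = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if m and int(m.group(1)) < 31536000:
        warnings.append("HSTS max-age shorter than one year")
    csp = h.get("content-security-policy", "")
    directives = {d.split()[0]: d for d in csp.split(";") if d.split()}
    scripts = directives.get("script-src", directives.get("default-src", ""))
    for keyword in ("'unsafe-inline'", "'unsafe-eval'"):
        if keyword in scripts:  # these undo most of CSP's XSS protection
            warnings.append(f"CSP allows {keyword} for scripts")
    return missing, warnings

SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Strict-Transport-Security: max-age=15768000; includeSubDomains
"""
```

Running `audit(SAMPLE)` lists Public-Key-Pins, X-XSS-Protection and Referrer-Policy as missing and warns about the short HSTS max-age and the inline-script allowance; feed it the output of `curl -I` against your own board to check the headers you actually serve.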