MyBB Community Forums
how to enable missing Security header? - Printable Version

+- MyBB Community Forums (https://community.mybb.com)
+-- Forum: 1.8 Support (https://community.mybb.com/forum-175.html)
+--- Forum: Security Management and Support (https://community.mybb.com/forum-179.html)
+--- Thread: how to enable missing Security header? (/thread-210349.html)



how to enable missing Security header? - bazir123 - 2017-05-10

Hello,
here I saw some details about security headers.
Then I visited this site and it says Missing Headers.
Can somebody help me with how to enable them in our forum?

Missing Headers are:
Strict-Transport-Security
Content-Security-Policy
Public-Key-Pins
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Referrer-Policy

The result for community.mybb.com shows the bolded ones are active.
Thanks, much appreciated.


RE: how to enable missing Security header? - bazir123 - 2017-05-20

Any idea?



RE: how to enable missing Security header? - AlexanderPep - 2017-05-20

Put this in .htaccess:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Content-Security-Policy "upgrade-insecure-requests; default-src https: data: 'unsafe-inline' 'unsafe-eval'"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "deny"
Header always set X-XSS-Protection "1; mode=block"


RE: how to enable missing Security header? - Michael2014 - 2017-05-27

How does one install these two headers into mybb?

Public-Key-Pins and Referrer-Policy


RE: how to enable missing Security header? - Devilshakerz - 2017-05-27

(2017-05-27, 04:28 PM)Michael2014 Wrote: How does one install these two headers into mybb?

Public-Key-Pins and Referrer-Policy

See examples for Apache and nginx: https://docs.mybb.com/1.8/administration/security/https/#security-headers
You can set Referrer-Policy to no-referrer-when-downgrade on public pages and stricter values for the ACP and similar locations.

Make sure you understand how key pinning works if you decide to introduce it - some basic summaries:
https://scotthelme.co.uk/hpkp-http-public-key-pinning/
https://news.netcraft.com/archives/2016/03/30/http-public-key-pinning-youre-doing-it-wrong.html


RE: how to enable missing Security header? - Lunorian - 2017-09-06

Nathaniels-MacBook-Pro:~ nathanielsuchy$ curl -I --user-agent "Chrome" https://sinfulforums.net
HTTP/1.1 200 OK
Date: Wed, 06 Sep 2017 14:49:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=dc85851e0e2b6e528d21354f154b21eaa1504709365; expires=Thu, 06-Sep-18 14:49:25 GMT; path=/; domain=.sinfulforums.net; HttpOnly
Set-Cookie: mybb[lastvisit]=1504709365; expires=Thu, 06-Sep-2018 14:49:25 GMT; path=/; domain=.sinfulforums.net; Secure
Set-Cookie: mybb[lastactive]=1504709365; expires=Thu, 06-Sep-2018 14:49:25 GMT; path=/; domain=.sinfulforums.net; Secure
Set-Cookie: sid=d178e833b5cc6ad71cd9912c5282717c; path=/; domain=.sinfulforums.net; HttpOnly; Secure
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'self' data:; frame-src 'self' https://www.google.com:443 https://static.addtoany.com:443 https://www.youtube.com:443; img-src * data:; style-src 'self' 'unsafe-inline' https://static.addtoany.com:443 https://maxcdn.bootstrapcdn.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: https://analytics.maimail.co:443 https://www.google.com:443 https://www.gstatic.com:443 https://www.google-analytics.com:443 https://ajax.googleapis.com:443 https://www.googletagmanager.com:443 https://maxcdn.bootstrapcdn.com:443 https://static.addtoany.com:443 https://ajax.cloudflare.com:443; connect-src 'self' https://cors-anywhere.herokuapp.com:443; font-src 'self' data: https://fonts.gstatic.com:443; report-uri https://sinfulforums.report-uri.io/r/default/csp/enforce;
X-We-Are-Hiring: If you are seeing this message maybe you should be working for us. Private Message AdamJenaine for more information.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare-nginx
CF-RAY: 39a23c1f0ffd56f9-IAD

My headers are above if that provides any inspiration. You can use the following nginx config options to get similar headers:
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
I'm not including my content security policy as it's huge and might cause problems on your board if you don't understand what you're configuring.
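As an added example (not posted by anyone in this thread), the following Python script does offline what the scanner from the first post does: it parses a `curl -I` style response, lists which of the seven headers are absent, and flags a few weak values. The one-year HSTS threshold and the CSP/X-Frame-Options checks are my own choices; Public-Key-Pins is in the list only because the scanner reported it. The sample response is constructed from the headers AlexanderPep's .htaccess snippet would send.

```python
import re

# The seven headers the scanner in the first post reported as missing.
EXPECTED = ["Strict-Transport-Security", "Content-Security-Policy", "Public-Key-Pins",
            "X-Frame-Options", "X-XSS-Protection", "X-Content-Type-Options", "Referrer-Policy"]

def parse_headers(raw):
    """Parse a `curl -I` header block into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return (missing, warnings): expected headers that are absent, plus value checks."""
    headers = parse_headers(raw)
    missing = [h for h in EXPECTED if h.lower() not in headers]
    warnings = []
    hsts = headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if m and int(m.group(1)) < 31536000:       # assumption: one year minimum
        warnings.append("HSTS max-age below one year")
    csp = headers.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        warnings.append("CSP allows unsafe-inline/unsafe-eval")
    xfo = headers.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        warnings.append("X-Frame-Options value not DENY/SAMEORIGIN")
    return missing, warnings

# Constructed sample: what a server with AlexanderPep's .htaccess lines would return.
SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: upgrade-insecure-requests; default-src https: data: 'unsafe-inline' 'unsafe-eval'
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against real output by piping `curl -sI https://yourboard.example/` into `audit` instead of `SAMPLE`.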