How to enable missing security headers?
Here I saw some details about security headers.
Then I visited this site and it says Missing Headers.
Can somebody help me enable them in our forum?

Missing Headers are:

In the result, the bolded ones are active.
Thanks, much appreciated.
Any idea?

Put in .htaccess:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Content-Security-Policy "upgrade-insecure-requests; default-src https: data: 'unsafe-inline' 'unsafe-eval'"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "deny"
Header always set X-XSS-Protection "1; mode=block"
How does one install these two headers into mybb?

Public-Key-Pins and Referrer-Policy
Hey man, what's up?
(2017-05-27, 04:28 PM)Michael2014 Wrote: How does one install these two headers into mybb?

Public-Key-Pins and Referrer-Policy

See examples for Apache and nginx:
You can set Referrer-Policy to no-referrer-when-downgrade on public pages and more strict values for the ACP and similar locations.

Make sure you understand how key pinning works if you decide to introduce it - some basic summaries:
Nathaniels-MacBook-Pro:~ nathanielsuchy$ curl -I --user-agent "Chrome"
HTTP/1.1 200 OK
Date: Wed, 06 Sep 2017 14:49:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=dc85851e0e2b6e528d21354f154b21eaa1504709365; expires=Thu, 06-Sep-18 14:49:25 GMT; path=/;; HttpOnly
Set-Cookie: mybb[lastvisit]=1504709365; expires=Thu, 06-Sep-2018 14:49:25 GMT; path=/;; Secure
Set-Cookie: mybb[lastactive]=1504709365; expires=Thu, 06-Sep-2018 14:49:25 GMT; path=/;; Secure
Set-Cookie: sid=d178e833b5cc6ad71cd9912c5282717c; path=/;; HttpOnly; Secure
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'self' data:; frame-src 'self'; img-src * data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data:; connect-src 'self'; font-src 'self' data:; report-uri;
X-We-Are-Hiring: If you are seeing this message maybe you should be working for us. Private Message AdamJenaine for more information.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare-nginx
CF-RAY: 39a23c1f0ffd56f9-IAD

My headers are above if that provides any inspiration. You can use the following nginx config options to get similar headers:
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
I'm not including my content security policy as it's huge and might cause problems on your board if you don't understand what you're configuring.
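As an added example (not code from anyone in this thread or from MyBB), the following Python script does locally what the header-scanning site in the original question does: it parses a raw response of the kind shown in the curl -I output above and reports each of the headers discussed in the thread as missing, present, ok, or weak. The SAMPLE_RESPONSE is constructed and modelled on the posted headers, not captured traffic; the thresholds (one-year HSTS max-age, flagging 'unsafe-inline' and 'unsafe-eval' in the script policy) are this example's own choices.

```python
"""Audit the security headers of a raw HTTP response (added example).

Run it as a script to print a verdict per header, or import audit() and
feed it the text of `curl -I https://example.invalid/` yourself.
"""
import re

# Constructed sample response: values are modelled on the headers posted in
# the thread, not copied from a live server.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Wed, 06 Sep 2017 14:49:25 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: sid=0123456789abcdef; path=/; HttpOnly; Secure
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' data:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: nginx
"""

# Headers the thread talks about; names are matched case-insensitively.
EXPECTED = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "X-XSS-Protection",
    "Referrer-Policy",
    "Public-Key-Pins",
)


def parse_headers(raw):
    """Return {lowercased name: [values...]} from 'curl -I' style text."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the HTTP status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_hsts(value):
    """HSTS is only useful with a long max-age; one year is the usual floor."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "weak: no max-age"
    if int(m.group(1)) < 31536000:
        return "weak: max-age under one year"
    if "includesubdomains" not in value.lower():
        return "ok, but includeSubDomains missing"
    return "ok"


def check_csp(value):
    """Flag a script policy that still allows inline or eval'd script."""
    directives = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    # script-src falls back to default-src when absent, as in the CSP spec
    script = directives.get("script-src", directives.get("default-src", []))
    risky = [s for s in ("'unsafe-inline'", "'unsafe-eval'") if s in script]
    return "weak: script-src allows " + ", ".join(risky) if risky else "ok"


def check_frame(value):
    return "ok" if value.upper() in ("DENY", "SAMEORIGIN") else "weak: unexpected value"


def audit(raw):
    """Return {header name: verdict} for every header in EXPECTED."""
    headers = parse_headers(raw)
    report = {}
    for name in EXPECTED:
        values = headers.get(name.lower())
        if not values:
            report[name] = "missing"
            continue
        value = values[0]
        if name == "Strict-Transport-Security":
            report[name] = check_hsts(value)
        elif name == "Content-Security-Policy":
            report[name] = check_csp(value)
        elif name == "X-Frame-Options":
            report[name] = check_frame(value)
        elif name == "X-Content-Type-Options":
            report[name] = "ok" if value.lower() == "nosniff" else "weak: expected nosniff"
        else:
            report[name] = "present"
    return report


if __name__ == "__main__":
    for header, verdict in audit(SAMPLE_RESPONSE).items():
        print(f"{header:28} {verdict}")
```

On the sample, the script reports Public-Key-Pins as missing and the CSP as weak because its script-src carries 'unsafe-inline' and 'unsafe-eval', which is the same trade-off the .htaccess policy earlier in the thread makes; a forum that relies on inline scripts will need those keywords until the templates are reworked, so treat "weak" as a prompt to review, not as an automatic failure.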
