Showing results for tags 'content security policy for tb'.
Hello, I am working on my server to get a high rating for SSL and headers. So far I managed to get TLS v1.2 and 1.3, disabled v1 and v1.1, and added a number of headers to avoid a low security grade, so I did implement the following headers: X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, Referrer-Policy, Permissions-Policy, Strict-Transport-Security.

For the Content-Security-Policy header, aka CSP, I did set a very permissive rule set, which allows practically everything, so it is not really effective; however, having it is anyway better than not having it at all:

Header always set Content-Security-Policy "default-src 'self'; font-src *; frame-src *; img-src * data:; media-src * data:; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';"

Now using this CSP rule almost everything works fine, but I would like to begin to build a proper rule set to be used with Thirty Bees, so as to be able not only to score a higher mark for security policies from crawlers and engines but also to effectively harden the security of the shop. For TB itself, which would be the minimum rule set to use to not have troubles?

E.g. in a TB 1.2 installation I am testing on, using the rule set posted above, if I try to use the core updater there is a problem:

==================
Version to compare to: request failed, see JavaScript console
==================

The dropdown menu does not work, so it is not possible to choose a version. In the Java console I read this:

==================
Content Security Policy: a resource on https://api.thirtybees.com/coreupdater/master.php was blocked by the configuration of the page (“default-src”). jquery-1.11.0.min.js:4:25949
Request to https://api.thirtybees.com/coreupdater/master.php failed with status 'rejected'. controller.js:102:15
==================

So even using such a very liberal rule set some functionalities are broken. Of course, for emergency cases it is always possible to remove this CSP string from httpd.conf, restart the Apache service, do the update, put back the string in httpd.conf, restart Apache, and it is done, but how much better would it be to know which is the magic string that allows TB to work fine and at the same time have an extra protection layer on the website?

I thought that it is a common interest for every merchant/developer to define a CSP for TB core and native modules at least. I am not expert and fond enough to do it all by myself, but I am pretty confident that it can be done together here in the forum. My idea is to remove the unsafe rules one at a time, check what happens in the debug console and add the appropriate rules to have it working right. E.g. the request rejected above does not fall into any of the rules, so it falls back to default-src 'self'; I imagine that adding the domain api.thirtybees.com will solve the problem, but with which correct syntax should it be added? Should it be added to the default-src rule? Or is it better to add another specific rule for this kind of requests?

Anyone who is interested in creating "the perfect CSP" string for TB, please do participate in this "quest". The main goal is to have a CSP string that allows TB core and native modules to work without problems and that does prevent other operations, so as to harden the shop installation; if then people want to add more rules to have third-party modules and other stuff working, that can be listed as extra.

By the way, searching how to solve this task I stumbled upon a Wordpress module that automatically reports the blocked requests after introducing a basic restrictive CSP header in the server, then automatically outputs the formatted CSP string to have everything working right. I think that a native module of this kind would be interesting for TB; I add this proposal also in the "feature request time" topic.

P.S.: the website I used to check the headers is this one: https://securityheaders.com I tried to check what the biggies do and, surprisingly, not many implement all the suggested headers and also some do not implement the CSP header. I do not really know how much this is going to affect a website for non security related matters, e.g. ranking; obviously the biggies are a case apart and are favoured no matter what. However, I thought that in general having these headers set up is maybe better than not having them. I used this website to check SSL: https://www.ssllabs.com/ssltest/analyze.html While on a website one can get even an A or A+ mark for SSL, if no proper headers are adopted too there are still many ways to perform exploits on the website. I read some comments saying that they are important and that the SSL test alone is incomplete, giving a false reassurance if not carried out together with a headers test. I would like to know more about this; what is your opinion in this respect?

Thank you
Best regards
R.
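Added example (not part of the post above, nor thirty bees code): a small Python model of how a browser decides which CSP directive governs a request. It reproduces the failure the post quotes: the core updater's XHR to api.thirtybees.com is governed by connect-src, which the quoted header never sets, so it falls back to default-src 'self' and is blocked; a dedicated connect-src entry (the assumed fix, preferable to widening default-src) allows it. The shop origin https://shop.example is constructed.

```python
from urllib.parse import urlsplit

# Fetch directives and their fallback chain. XHR/fetch requests, like the one
# the core updater's JavaScript makes, are governed by connect-src, not script-src.
FALLBACK = {
    "connect-src": ["connect-src", "default-src"],
    "script-src": ["script-src", "default-src"],
    "img-src": ["img-src", "default-src"],
}
# Constructed from the header quoted in the post; note it sets no connect-src.
PERMISSIVE = ("default-src 'self'; font-src *; frame-src *; img-src * data:; "
              "media-src * data:; object-src *; script-src * 'unsafe-inline' "
              "'unsafe-eval'; style-src * 'unsafe-inline';")
# Assumed fix: a dedicated connect-src entry instead of widening default-src.
HARDENED = PERMISSIVE + " connect-src 'self' https://api.thirtybees.com;"

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(expr, url, page_origin):
    """Simplified matching: 'self', *, scheme:, host-source (ports/paths ignored)."""
    u = urlsplit(url)
    if expr == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if expr == "*":
        return u.scheme in ("http", "https")  # '*' never matches data:, blob:, ...
    if expr.endswith(":"):
        return u.scheme == expr[:-1]  # scheme-source such as data:
    if expr.startswith("'"):
        return False  # 'unsafe-inline', nonces and hashes never match a URL
    host = expr.split("://")[-1].split("/")[0]  # host-source, scheme part ignored
    if host.startswith("*."):
        return u.netloc.endswith(host[1:])
    return u.netloc == host

def check_request(header, kind, url, page_origin):
    """Return (allowed, governing directive) the way a browser would decide it."""
    policy = parse_csp(header)
    for directive in FALLBACK[kind]:
        if directive in policy:
            ok = any(source_matches(e, url, page_origin) for e in policy[directive])
            return ok, directive
    return True, None  # no applicable directive: CSP does not restrict it
```

Running check_request(PERMISSIVE, "connect-src", ...) against the updater URL returns (False, "default-src"), matching the console message in the post, while the HARDENED header returns (True, "connect-src").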