As you probably know, this has been a security topic for a couple of years.
By default thirtybees (and PS for that matter) does not come with a default policy, and on this test a vanilla installation fails with an F.
One way to implement some of the most important headers is to add this code to the beginning of your .htaccess file:
<IfModule mod_headers.c>
    # CSP: list every external host you load scripts, styles, fonts and frames from.
    Header set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' 'self' *.googleapis.com *.gstatic.com *.cloudflare.com *.googletagmanager.com *.google-analytics.com *.youtube.com *.google.com;"
    Header set X-XSS-Protection "1; mode=block"
    # "set", not "append": append yields "SAMEORIGIN, SAMEORIGIN" when the shop already sends the header, and browsers ignore that value.
    Header always set X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
    # Values containing spaces or semicolons must be quoted, and there is no colon after the header name.
    Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header set Referrer-Policy strict-origin-when-cross-origin
    # Drop the PHP version banner from normal and from error responses.
    Header unset X-Powered-By
    Header always unset X-Powered-By
</IfModule>
This code is far from perfect; unsafe-inline and unsafe-eval should be used very carefully, but should we remove them completely if we're not sure whether we have embedded JS? This code gives an A on this test, but keep in mind that on the first row you should add all external resources you use, and on each row the settings should be customised to your needs. This is what appears to work for me.
Another (nicer) solution is this free module from nenes25, which adds further options for logging, debugging and testing in the BO. Unfortunately the support for PS 1.6.1.x that is advertised in his blog does not translate to the latest 0.4 version, and I'm unable to install it on my test setup.
Question
the.rampage.rado
What are you using to fix this?
0 answers to this question