
Author Topic: Security  (Read 201 times)

Offline dpn

Security
« on: October 21, 2019, 07:27:16 AM »
Hi, I did some scanning for vulnerabilities on my website using online security tools, and most of them warn me about this (Mozilla Observatory, in this case):

Quote
X-Content-Type-Options: X-Content-Type-Options header not implemented    
X-Frame-Options: X-Frame-Options (XFO) header not implemented    
X-XSS-Protection: X-XSS-Protection header not implemented

I tried adding headers to .htaccess as recommended here:

Quote
Here are three .htaccess techniques to increase your site's security. These techniques add extra security headers to all of your site's resources. Specifically, this tutorial explains how to add X-Security Headers to protect against cross-site scripting (XSS), page-framing, and content-sniffing. Adding these extra headers is simple and helps to boost the security of your site.

# Extra Security Headers
<IfModule mod_headers.c>
   Header set X-XSS-Protection "1; mode=block"
   Header always append X-Frame-Options SAMEORIGIN
   Header set X-Content-Type-Options nosniff
</IfModule>

https://htaccessbook.com/increase-security-x-security-headers/

It is not detected / not working?



=Team FoxTare=
European Multi-Gaming Community For Legacy Shooters 2004-2005

Offline SE-JAY

  • Administrator
Re: Security
« Reply #1 on: October 21, 2019, 08:28:40 AM »
Question,
Is your .htaccess file under your public_html directory?

Offline dpn

Re: Security
« Reply #2 on: October 21, 2019, 09:59:43 AM »
I left the .htaccess file in the dir it was in by default, which is "public_html/cgi-bin"...

It's a bit odd, 'cause some headers like gzip compression or browser cache seem to be working, while others like custom 404 redirect or rewrite (to remove the .php extension in browsers, to prevent hotlinking) don't.

Anyway, I'm becoming a bit fixated on security since I had a spam bot (now active but harmless) and my disk space has mysteriously grown from 45 to 90 MB in just a couple of days.

Please move .htaccess to your documents root (public_html/). If you have a public forum/blog, it is really easy to get targeted by spam bots and unfortunately, the perfect solution doesn't exist :(
« Last Edit: October 21, 2019, 12:35:43 PM by SE-JAY »

Offline dpn

Re: Security
« Reply #3 on: October 21, 2019, 01:20:36 PM »
The .htaccess file is in the right directory now, however pentest-tools.com & Mozilla Observatory are reporting the security headers as missing ...nah, forget it.

Spam is a really powerful enemy indeed, more interesting than those headers is this IP detection service: https://getipintel.net/ Someone who implemented it on his forum recommended it to me, I'll give it a look when I have more time.

Offline SE-JAY

  • Administrator
Re: Security
« Reply #4 on: October 21, 2019, 02:22:59 PM »
Honestly man, with so many different things going on, I have 0 clue what could be going wrong. Stop Forum Spam is another project you might want to look at.

Also, you can ban certain hostnames ;)


Offline dpn

Re: Security
« Reply #5 on: October 22, 2019, 03:47:04 AM »
Security headers working seamlessly now, thanks a lot. :)
=Team FoxTare=
European Multi-Gaming Community For Legacy Shooters 2004-2005
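
A way to confirm locally what the scanners in this thread report, added here as an example that is not part of the original posts: the script below audits a raw HTTP response head for the three headers from the quoted .htaccess snippet. The function names, the accepted values (including DENY for X-Frame-Options) and the sample response heads are assumptions constructed for illustration.

```python
# Added example (not from the thread): audit a raw HTTP response head for the
# three headers the scanner flagged. Accepted values are assumptions based on
# the .htaccess snippet quoted above (DENY is also accepted for X-Frame-Options).
EXPECTED = {
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in ("SAMEORIGIN", "DENY"),
    "x-xss-protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
}

def parse_head(raw):
    """Return (status, {lowercased header name: [values]}) for one response head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])          # "HTTP/1.1 200 OK" or "HTTP/2 200"
    headers = {}
    for line in lines[1:]:
        if not line.strip():                   # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def audit(raw):
    """Classify each expected header as ok / missing / duplicate / unexpected value."""
    status, headers = parse_head(raw)
    report = {}
    for name, is_ok in EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            report[name] = "missing"
        elif len(values) > 1:
            report[name] = "duplicate"
        else:
            report[name] = "ok" if is_ok(values[0]) else "unexpected value"
    return status, report

# Constructed sample heads: before and after the .htaccess takes effect.
BEFORE = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
AFTER = (
    "HTTP/2 200\r\n"
    "content-type: text/html\r\n"
    "x-xss-protection: 1; mode=block\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "x-content-type-options: nosniff\r\n\r\n"
)

if __name__ == "__main__":
    for label, head in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(head))
```

To run it against your own site, pass the output of `curl -sI` for the page to `audit()` instead of the constructed samples.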

 
