I make my website from scratch with PHP. In order to optimize performance, loading time and security I use a lot of online tools : google page speed insight, gtmetrix, dareboost.com, webpagetest etc...
Dareboost.com advises me to set headers in my .htaccess file like :
Content-Security-Policy
X-FRAME-OPTIONS
X-XSS-Protection
X-Content-Type-Options
I did :
Header set Content-Security-Policy "default-src 'self'; script-src 'self' www.googletagmanager.com ;"
Header always set X-FRAME-OPTIONS "DENY"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
It seems to be a little bit inefficient : when I look into my waterfall timeline I see that all my assets (CSS, JS, fonts, IMG) use those directives but not my first GET request (on www.mydomain.com).
Why ? Due to that, Dareboost doesn't understand that I set properly my headers.
Related
I am seeing this error via Google inspect on my Wordpress website.
Access to XMLHttpRequest at (ad lines I have removed) from origin
'https://www.awakenthegreatnesswithin.com' has been blocked by CORS
policy: No 'Access-Control-Allow-Origin' header is present on the
requested resource.
I saw this last week. I added this to the .htaccess file in the root of the domain:
<IfModule mod_headers.c>
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
Header set Cross-Origin-Embedder-Policy "unsafe-none"
Header set Cross-Origin-Opener-Policy "unsafe-none"
Header set Cross-Origin-Resource-Policy "cross-origin"
Header set X-Download-Options "noopen"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
</IfModule>
I also added this to .htaccess in the public_html
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin: *
</IfModule>
Last week the Ads on my site were not showing great but now I would say 90% usually show, sometimes 100% but I still see the error via Google inspect even though the Ads are showing
Can someone help me to understand what caused this? As I have never had any problems like this before, and what can I do to get rid of this error message?
Is this something I need to fix on my end? Or my Ad Network need to adjust something on their end?
Thank you
Updated PHP to (8+) was the only major change
How can I set X-Frame-Options in my PHP code so that it will be there in all the web pages from my server. Basically, I am trying to avoid iframe loading of my web app.
Use below in your php file which outputs response to client side.
header("X-Frame-Options: DENY");
DENY will fully block. You may try SAMEORIGIN option also.
header("X-Frame-Options: SAMEORIGIN");
If you are using apache web server, you can directly set in httpd.conf also.
<Directory />
...
Header always set X-Frame-Options "SAMEORIGIN"
</Directory>
The X-Frame-Options prevents your site content embedded into other sites. Browser allowed other sites to open web page in iframe. It also secure your Apache web server from clickjacking attack.
There are three options available to set with X-Frame-Options:
‘SAMEORIGIN’ – With this setting, you can embed pages on same origin. For example, add iframe of a page to site itself.
‘ALLOW-FROM uri – Use this setting to allow specific origin (website/domain) to embed pages of your site in iframe.
‘DENY – This will not allow any website to embed your site pages in an iframe.
We have two way to Setup X-Frame-Options
1. with Apache Configuration
2. with .htaccess
with Apache configuration:
Debian based systems: /etc/apache2/conf-enabled/security.conf
Redhat based systems: /etc/httpd/conf/httpd.conf
Header set X-Frame-Options: "SAMEORIGIN" #Allow for Same Origin (Default Action)
Header set X-Frame-Options: "ALLOW-FROM http://example.com/" #Allow from specific origin
Header set X-Frame-Options: "DENY" #Deny to everyone
with .htaccess
Header append X-Frame-Options: "SAMEORIGIN"
How can I add the following security headers to my website?
X-Frame-Options - Protects against Clickjacking attacks
X-XSS-Protection - Mitigates Cross-Site Scripting (XSS) attacks
X-Content-Type-Options - Prevents possible phishing or XSS attacks
Two ways you can add these headers:
Apache Conf or .htaccess File
<IfModule mod_headers.c>
Header set X-Frame-Options "DENY"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
</IfModule>
The Apache/htaccess approach is most likely the preferred way. If you add it to your configuration file, which may be in your httpd.conf or it could be in a vhost configuration file (really depends on how the server is setup), you would place it within a <Directory> element. To use .htaccess the configuration for the site must have AllowOverride All. While it's pretty standard, you must have the mod_headers library installed in Apache as well.
PHP
header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
With the PHP approach, you will need to write this to every response, so if you do not have a bootstrap that can do this, I'd recommend leveraging either your apache configuration file or the .htaccess file.
For some reason this new host isn't setting htaccess headers, I use 1and1. previously on 000webhost it worked fine.
Is there maybe a difference in apache versions?
This is my htaccess
Header set X-Frame-Options DENY
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "script-src 'self' //ajax.googleapis.com"
The .htaccess file only works if it's behind the directory that I use for my website.
e.g.
htdocs/.htaccess
htdocs/folder1/index.php
will now correctly set HTTP headers on 1and1.
I'm using a security scanning tool to check for vulnerabilities of my web application.
One of the results was a low warning about X-Content-Type-Options header being missing.
After some digging around, I found this post on setting apache to emit nosniff headers and I put this code in to httpd.conf file;
<IfModule mod_headers.c>
Header unset ETag
Header set X-Frame-Options: deny
Header set X-XSS-Protection: "1; mode=block"
Header set X-Content-Type-Options: nosniff
Header set X-WebKit-CSP: "default-src 'self'"
Header set X-Permitted-Cross-Domain-Policies: "master-only"
</IfModule>
And it worked! But then, my security scanning tool discovered that the 404 Not Found page on my web server was still giving me this warning. I'm guessing that the 404 error page is set to ignore the above rule somehow..
Can someone explain to me how to change this code or suggest an alternative so that error pages are included?
Could someone also maybe explain what the code above is doing? I don't actually know what IfModule or mod_headers.c actually means. Maybe that's why I'm having trouble in the first place.