I am trying to make edits to my header, so I can add things such as:
X-Content-Type-Options: nosniff
The problem is that I can't find the header file to actually add that to.
The website I am working on is academyofperformancearts.com if that helps.
By the way, you could just install a plugin that adds the header you need. For instance, Security Headers exposes controls for:
HSTS (Strict-Transport-Security)
HPKP (Public-Key-Pins)
Disabling content sniffing (X-Content-Type-Options)
XSS protection (X-XSS-Protection)
Clickjacking mitigation (X-Frame-Options in main site)
I have added the following line in my .htaccess file to set the HSTS header
Header always set Strict-Transport-Security "max-age=63072000;includeSubDomains;"
To test the HSTS header, I have done the below steps:
Access the application in the chrome browser
Open the developer tool and check the HSTS header in the Response headers
The first time when I access the application and verified it in the developer tool, I could see the HSTS header in all the PHP files, image files, CSS files, and JS files.
Again when I load the application, I could see images, CSS, and JS files are loaded from the memory/disk cache and these files are missing the HSTS header in response headers.
However, PHP files still show the HSTS header in the response headers.
Is a missing HSTS header on the resource files (image/CSS/JS files) acceptable, or is it considered a security hole? If so, how can I fix this?
Thank you in advance
The idea behind an HSTS header is that content is always downloaded over an encrypted connection.
Once the files are downloaded and put in your memory/disk cache they are no longer encrypted.
When your browser gets the files from memory/disk cache they also don't need to be downloaded over any connection. The memory/disk cache is a trusted resource. That's why the HSTS header is not needed.
I did not explicitly set X-Frame-Options to sameorigin anywhere in nginx, but nginx is blocking the HTML page rendered inside an iframe. I tried specifying the domain in X-Frame-Options but had no luck. It gives several errors in the console, if that helps. I read through them and tried fixes, but they are not working.
https://preview.codecanyon.net/item/product-name/product-id
It previews my HTML page in an iframe.
The problem is not only about X-Frame-Options but about Content-Security-Policy as well. Codecanyon sets a CSP header that prevents other sites from being framed in their site. Even if you allow all sites in your XFO header, they can block your site from being displayed in their website with a CSP header.
But they are a marketplace, so they have to open a way for developers to include an iframe in their preview page. It seems they have not implemented a way for developers to provide frame-src in the preview page, so Codecanyon's CSP header is in report-only mode. Everything runs fine even though you see a lot of errors in the Chrome Developer Console.
By the way, you implemented a CSP header with a syntax error: unexpected punctuation at the start.
If it helps, I later figured out that setting frame-ancestors to that specific domain allowed that domain to show the page in an iframe. You can do that in the nginx config file.
I found 3 websites that are iframing my website. At first I thought they just copied my theme and are scraping my content. But when I edit my homepage their homepage also changes too automatically.
How can I prevent them from iframing my website? They are using up my server resources and ranking on Google as well.
What I did so far (this to some extent hindered them from showing my website):
I enabled "Under Attack Mode" on cloudflare which is showing "Checking your browser" repeatedly (https://imgur.com/a/6TpyLyU).
Although there are some iframe buster scripts, you'll be better off adding the X-Frame-Options header to your responses:
X-Frame-Options: deny
X-Frame-Options: sameorigin
X-Frame-Options: allow-from https://example.com/
When the browser sees these headers, it will stop loading your website if it was requested from an iframe.
Update
After a better explanation of the problem, it can be solved by adding a JavaScript redirect.
try {
  // Only act when this page is framed by a top window on a different site; navigate the top window (not just the frame) back to the original site
  if (window.top !== window.self && window.top.location.href.indexOf("original-website.com") === -1) {
    window.top.location.href = "http://original-website.com";
  }
} catch (e) { window.top.location.href = "http://original-website.com"; } // reading window.top.location across origins throws, which itself means a foreign framer
Having issues with iframes (have no control as these come with the system I have) and the cross-site stuff.
I have added the usual X-Frame-Options to my .htaccess file with the directive that allows the iframe from this other system that wants to iframe the site. No problem at first.
<IfModule mod_headers.c>
Header always set X-Frame-Options "ALLOW-FROM https://otherhost"
</IfModule>
And I can confirm that the above is taking effect as I have messed with the header content and it is reflected.
For some reason, I keep seeing the header X-Frame-Options ALLOW-FROM https://otherhost, SAMEORIGIN with this additional SAMEORIGIN, which of course is not valid and fails within the browsers, ultimately resulting in the browser falling back to DENY, which then means the iframe is not shown.
The Apache 2 documentation states for the set option that:
The response header is set, replacing any previous header with this name. The value may be a format string.
Yet I do not see it replacing the string. If I curl the login page, it presents correctly; if I inspect it in the Chrome/Safari inspector, it shows the additional , SAMEORIGIN and then complains that it's not valid.
I've even tried using the unset option for the Header directive, but it still keeps producing this header.
Is the Header directive applied pre- or post-output? This is driving me nuts and wasting so much time for a simple thing.
I have built a widget using the Fat-Free Framework for a client that should make their life easier, but they also requested that their website is created using Wix. I thought it would be easy to embed this F3 site within the Wix site using their embedding plugins (there are built-in and plug-in versions).
The problem is that regardless of the answers I have received so far on SO and other sites, I still get an X-Frame-Options is set to SAMEORIGIN error. I have tried the following:
header_remove() php command
header('X-Frame-Options: GOFORIT') php command (GOFORIT is for anything but SAMEORIGIN and DENY)
adding &output=embed to the link (this didn't work with F3)
adding the following htaccess code:
Header always append X-Frame-Options SAMEORIGIN
Header set Access-Control-Allow-Origin: "http://editor.wix.com"
Header set Access-Control-Allow-Origin: "http://www.wix.com"
I am afraid that the Wix embed plug-in will be a bit limited and I won't be able to change much on that end. Any ideas what to try next? Is there some configuration for F3 that will help this problem or am I using the PHP code wrong? Does anything need to be configured on the Wix site? Thanks for any help.
Try to set the XFRAME option for the framework:
$f3->set('XFRAME','GOFORIT');
https://github.com/bcosca/fatfree-core/blob/master/base.php#L2153
I didn't look into my .htaccess file. There was the line Header append X-FRAME-OPTIONS "SAMEORIGIN" in there along with some allows for Wix. Simply removing the append line allowed it to be embedded.
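The two .htaccess threads above (the "ALLOW-FROM https://otherhost, SAMEORIGIN" header and the "GOFORIT" plus appended SAMEORIGIN case) both come down to how a browser interprets a malformed X-Frame-Options value. The following is an added example, not code from any of the posts or projects mentioned, that classifies a response's framing headers the way current browsers do (HTML standard X-Frame-Options processing, CSP3 frame-ancestors precedence) so such header combinations can be checked offline; the header dicts passed to it are constructed.

```python
# Added example, not code from any post above: classify a response's anti-framing
# headers the way current browsers do (HTML standard X-Frame-Options rules, CSP3
# frame-ancestors precedence) so cases like "ALLOW-FROM x, SAMEORIGIN" can be checked.

def parse_xfo(value):
    """Classify an X-Frame-Options value: deny / sameorigin / allow-from / invalid / absent."""
    if value is None:
        return "absent", None
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    if len(tokens) > 1:
        # Two appended directives: if DENY or SAMEORIGIN is among them the browser
        # blocks framing outright (the "fell back to DENY" symptom described above).
        if "deny" in tokens or "sameorigin" in tokens:
            return "deny", "conflicting X-Frame-Options values: " + value
        return "invalid", value
    if tokens and tokens[0] in ("deny", "sameorigin"):
        return tokens[0], None
    if tokens and tokens[0].startswith("allow-from"):
        return "allow-from", value  # only old IE/Edge honoured it; others ignore it
    return "invalid", value         # e.g. GOFORIT: unrecognised, header ignored


def frame_ancestors(csp):
    """Return the source list of a frame-ancestors directive, or None if absent."""
    for directive in (csp or "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def evaluate(headers):
    """Return the framing policy a modern browser enforces plus a list of findings."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    kind, detail = parse_xfo(h.get("x-frame-options"))
    enforced = frame_ancestors(h.get("content-security-policy"))
    if enforced is not None:
        # An enforced frame-ancestors directive makes the browser ignore XFO (CSP3).
        policy = "csp:" + " ".join(enforced)
    elif kind in ("deny", "sameorigin"):
        policy = "xfo:" + kind
        if detail:
            findings.append(detail)
    else:
        policy = "none"
        findings.append("no effective anti-framing header (X-Frame-Options " + kind + ")")
    if frame_ancestors(h.get("content-security-policy-report-only")) is not None:
        findings.append("report-only frame-ancestors only reports, it does not block")
    return {"policy": policy, "findings": findings}
```

Feed it the headers from a curl -I of the page: a "none" policy with an "invalid" finding means the header is being silently ignored, while "xfo:deny" with a "conflicting" finding is the appended-SAMEORIGIN problem.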