Author Topic: Updated Pepster's Place  (Read 3855 times)


PHP Help Forum

Re: Updated Pepster's Place
« Reply #15 on: October 21, 2015, 05:36:41 pm »


Strider64

You will have to test.

But keep in mind, you are setting all the headers in the wrong place. You are doing it in code which comes after Apache does its thing. These are server headers, not app headers.

1. Add headers to Apache conf = Best Solution
2. Add headers to .htaccess     = Second Best Solution

3. Add to code =??? (I think this is the whole problem. This just isn't where you do it.)

It looks like it's option #2 (.htaccess), for my ISP doesn't allow changes to the Apache conf  :'(
Insanity: doing the same thing over and over again and expecting different results -> https://www.pepster.com


Re: Updated Pepster's Place
« Reply #16 on: October 21, 2015, 05:42:20 pm »


Kevin Rubio

PDO Bumpstart Database

The XY Problem
The XY problem is asking about your attempted solution (X) rather than your actual problem (Y). This leads to enormous amounts of wasted time and energy, both on the part of people asking for help, and on the part of those providing help. http://xyproblem.info/


Re: Updated Pepster's Place
« Reply #17 on: October 21, 2015, 05:51:39 pm »


Strider64

You might be able to get a VPS for the same money you're paying for shared hosting. Look around.

Maybe, until then I'll just add a .htaccess to the website. Thanks again for all the help.


Re: Updated Pepster's Place
« Reply #18 on: October 21, 2015, 08:01:27 pm »


Kevin Rubio



Re: Updated Pepster's Place
« Reply #19 on: October 21, 2015, 08:24:43 pm »


Strider64

I'll search through the threads to see if I can locate them.

I came across this link from owasp.org -
http://cyh.herokuapp.com/cyh

and everything checks out OK (Green) except the cookies, and I fix it in my utilities.inc.php file:
// In utilities.inc.php; header() only works if it runs before any output is sent.
header("Content-Type: text/html; charset=utf-8");
header('X-Frame-Options: SAMEORIGIN'); // Prevent Clickjacking
header('X-Content-Type-Options: nosniff'); // Stop MIME-type sniffing
header('x-xss-protection: 1; mode=block'); // Legacy XSS filter in old IE/WebKit
header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); // HSTS for one year
header("content-security-policy: default-src 'self'; report-uri /csp_report_parser"); // CSP with violation reports
header('X-Permitted-Cross-Domain-Policies: master-only'); // Flash/PDF cross-domain policy files



It's not the greatest solution, but it works. If I ever get the $$$ I'll go over to a VPS.
« Last Edit: October 21, 2015, 09:18:22 pm by Strider64 »


Re: Updated Pepster's Place
« Reply #20 on: October 21, 2015, 09:06:57 pm »


Strider64

I know this is an old topic, but this got in the way over the last 2+ years.  ;D

I finally am moving up the security to the .htaccess file on my website.

Found this website to help me out -
http://www.insertcart.com/how-to-secure-website-made-these-changes-in-htaccess/
<IfModule mod_headers.c>
# Security improvements
# Note: "Header unset Server" usually has no effect, because Apache adds the
# Server header after mod_headers runs; ServerTokens Prod (server config only)
# is the reliable way to trim it.
Header unset Server
#Header unset X-Pingback
Header unset Accept-Ranges
#
# Only static .html files match here; PHP responses get their headers from
# the utilities.inc.php snippet in Reply #19, not from this block.
<FilesMatch "\.html$">
	Header set X-Frame-Options "SAMEORIGIN"
	#
	BrowserMatch MSIE ie
	Header set Imagetoolbar "no" env=ie
	Header set X-Content-Type-Options "nosniff" env=ie
	Header set X-UA-Compatible "IE=edge" env=ie
	Header set X-XSS-Protection "1;mode=block" env=ie
	# X-Content-Security-Policy and X-WebKit-CSP are the obsolete prefixed
	# forms; current browsers only honour Content-Security-Policy.
	Header set X-Content-Security-Policy "default-src 'self'; img-src 'self' analytics.example.com; \
		script-src 'self' analytics.example.com ajax.googleapis.com; font-src 'self' data:" env=ie
	#
	BrowserMatch Firefox ff
	Header set Content-Security-Policy "default-src 'self'; img-src 'self' analytics.example.com; \
		script-src 'self' analytics.example.com ajax.googleapis.com; \
		font-src 'self' data:" env=ff
	#
	# BrowserMatch is case-sensitive, so the upper-case patterns below need the
	# NoCase form to match real User-Agent strings.
	BrowserMatchNoCase SAFARI safari
	Header set X-XSS-Protection "1;mode=block" env=safari
	Header set X-WebKit-CSP "default-src 'self'; img-src 'self' analytics.example.com; \
		script-src 'self' analytics.example.com ajax.googleapis.com; font-src 'self' data:" env=safari
	#
	BrowserMatchNoCase CHROME ch
	Header set X-Content-Type-Options "nosniff" env=ch
	Header set X-WebKit-CSP "default-src 'none'; img-src 'self' analytics.example.com; \
		script-src 'self' analytics.example.com ajax.googleapis.com; font-src 'self' data:" env=ch
	#
	BrowserMatch chromeframe chf
	Header set Imagetoolbar "no" env=chf
	Header set X-Content-Type-Options "nosniff" env=chf
	Header set X-UA-Compatible "IE=edge,chrome=1" env=chf
	Header set X-XSS-Protection "1;mode=block" env=chf
	Header set X-WebKit-CSP "default-src 'none'; img-src 'self' analytics.example.com; \
		script-src 'self' analytics.example.com ajax.googleapis.com; font-src 'self' data:" env=chf
</FilesMatch>
</IfModule>


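As an added check (example code, not from the thread or from pepster.com): a small Python audit that parses a raw HTTP response and reports which of the headers set in Reply #19's PHP include and Reply #20's .htaccess block are missing, weak, or still leaking (Server). Both sample responses are constructed, and EXPECTED, parse_response and audit are names chosen here.

```python
import re

# Headers the thread sets (PHP header() calls in Reply #19, .htaccess in Reply #20),
# each with a minimal check that the value is not an obviously weak setting.
EXPECTED = {
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "strict-transport-security": lambda v: max_age(v) >= 31536000,  # one year
    "content-security-policy": lambda v: "default-src" in v.lower() and "'unsafe-inline'" not in v.lower(),
    "x-permitted-cross-domain-policies": lambda v: v.lower() in ("none", "master-only"),
}
UNWANTED = ("server",)  # the .htaccess block tries to unset this one

def max_age(value):
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return int(m.group(1)) if m else 0

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    headers = {}
    for line in head[1:]:
        if ":" not in line:
            continue  # blank or malformed header line
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value  # RFC 7230 join
    return head[0], headers

def audit(raw):
    """Return (missing, weak, leaked) header-name lists for one raw response."""
    _, h = parse_response(raw)
    missing = [n for n in EXPECTED if n not in h]
    weak = [n for n, ok in EXPECTED.items() if n in h and not ok(h[n])]
    leaked = [n for n in UNWANTED if n in h]
    return missing, weak, leaked

# Constructed sample responses: what the PHP include would emit, and a static
# .html file served without any header rules. Apache still adds Server itself.
PHP_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; report-uri /csp_report_parser\r\n"
    "X-Permitted-Cross-Domain-Policies: master-only\r\n\r\n<html></html>"
)
STATIC_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.com\r\n\r\n<html></html>"
)
```

Running audit() over a static .html response versus a PHP response shows directly why the thread's .htaccess block and the PHP include cover different files.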


Re: Updated Pepster's Place
« Reply #21 on: June 27, 2017, 12:37:26 pm »