Updated Pepster's Place


#1

I’m slowly updating my website http://www.pepster.com and I’m starting to get it in the direction that I wanting to go with it. It’s still not done and I have a lot of features and fine tuning that I want to do with it. Some top navigation buttons aren’t even implemented yet, but eventually will.


#2

You should hide your PHP version. It is a security risk.

expose_php = Off

& should be &amp; in the url links

registerPage.php has duplicate ID register

Your div in the table in high_scores.php is not valid. What you want there is and then style it with CSS

Minor, but images missing alt tags

Site looks nice and clean. I like it


#3

Just waking up so this is probably a stupid question, How do I turn off the php version?


#4

the setting is in your php.ini

Look for the line I posted


#5

I know where my php.ini file is on my local server, but I’m having a heck of a time finding/editing on my remote server (1and1.com). I must be having some kind of big brain fart going on. ;D

It was a brain fart, it pays to read more carefully, I simply have to upload my own php.ini file to override the default. :-\ I wish I was 20 years younger. :-\


#6

So freaking cool…[size=24pt]Thank You[/size] for pointing that out.

Here’s a nice quick link to see if the php version is showing or not. https://redbot.org/?


#7

For additional security you should also add X-Content-Type-Options, X-XSS-Protection and set X-CONTENT-SECURITY-POLICY


#8

Well I think I covered all the bases with this
[php]if ($_SERVER["SERVER_NAME"] != "localhost") {
    if ($_SERVER["HTTPS"] != "on") { // Redirect to a secure website ( https )
        header("Location: https://www.pepster.com");
        header("Content-Type: text/html; charset=utf-8");
        header('X-Frame-Options: SAMEORIGIN'); // Prevent Clickjacking:
        header("X-XSS-Protection: 0");
        header("Content-Security-Policy: default-src 'self'; script-src 'self';"); // FF 23+ Chrome 25+ Safari 7+ Opera 19+
        header("X-Content-Security-Policy: default-src 'self'; script-src 'self';"); // IE 10+
        exit();
    }
}
// Adds the HTTP Strict Transport Security (HSTS) (remember it for 1 year)
$isHttps = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) != 'off';
if ($isHttps)
{
    header('Strict-Transport-Security: max-age=31536000'); // FF 4 Chrome 4.0.211 Opera 12
}[/php]
It goes without saying that this part of the code has to be at the top of the php file, otherwise it won’t run. :wink:

it checks out with https://redbot.org/?uri=http%3A%2F%2Fwww.pepster.com
and I have tested it out on the server so far so good. I need to filter the server input, but that’s just a minor fix. I posted this for others who are doing a website in php. If I didn’t program in php I would have done it in a .htaccess file. Thanks for the help and info. John


#9

Optimally you want those headers in the server conf, then it is system wide, but that requires root access.

You missed X-Content-Type-Options. All other perimeter checks you have a green light.

Your X-XSS-Protection should be 1. You turned it off.

0 - Disables the XSS Protections offered by the user-agent.
1 - Enables the XSS Protections
1; mode=block - Enables XSS protections and instructs the user-agent to block the response in the event that script has been inserted from user input, instead of sanitizing.


#10

The file is server wide root wise, though it would probably be better if it was in a .htaccess file? However since I program in PHP this shouldn’t be a problem. I thought XSS Protections looked funny…that’s the kind of misleading info on the internet. Thanks for pointing that out.


#11

I just noticed you had https as well. You have a security mess on that side. Not sure if it’s because of the way you implemented the security stuff.


#12

How would I go about doing that? I’m assuming it has something to do with my ISP and certificate? I see a green lock, so I really can’t tell what’s messed up? I’ll look into after dinner.


#13

Do you have access to the ssl conf?
*EDIT: I am thinking if you had put the fixes in the standard server conf file that it would cover both http and ssl. I don’t have ssl sites so I can’t test.


#14

–> oops hit modify when I meant quote. :smiley:
I’m an idiot ---->
[php]if ($_SERVER["HTTPS"] != "on") { // Redirect to a secure website ( https )
    header("Location: https://www.pepster.com");
    header("Content-Type: text/html; charset=utf-8");
    header('X-Frame-Options: SAMEORIGIN'); // Prevent Clickjacking:[/php]

none of the headers are going to the regular http file…I think if I pull them out with the exception of the https header of the if statement it would solve most of the problem?


#15

Nope…that wasn’t it.

Hmm…going to have think of something else… :’(


#16

You will have to test.

But keep in mind, you are setting all the headers in the wrong place. You are doing it in code which comes after apache does its thing. These are server headers, not app headers.

  1. Add headers to apache conf = Best Solution

  2. Add headers to .htaccess = Second Best Solution

  3. Add to code =??? (I think this is the whole problem. This just isn’t where you do it.)


#17

It looks like it’s option #2, .htaccess, for my ISP doesn’t allow changes to the apache conf :’(
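Pulling the thread’s header list together as a .htaccess file, for the route settled on in posts #16 and #17. This is an added example, not code from the original thread or from pepster.com; it assumes the host loads mod_rewrite and mod_headers for .htaccess files and that mod_ssl sets the HTTPS environment variable (the condition used to gate the HSTS line). X-Content-Type-Options and the "1; mode=block" value come from post #9; the CSP, X-Frame-Options and HSTS values are the ones from post #8. The expose_php = Off setting from post #2 is a php.ini setting and still belongs there, not here.

```apache
# .htaccess (added example; assumes mod_rewrite and mod_headers are enabled
# for .htaccess files on this host)

RewriteEngine On
# Send every plain-http request to the https site (domain taken from the thread)
RewriteCond %{HTTPS} off
RewriteRule ^ https://www.pepster.com%{REQUEST_URI} [R=301,L]

# "always" puts the headers on redirects and error pages too, not only on
# 2xx responses, so the 301 above carries them as well.
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'"
# Legacy prefixed form for old IE, as in post #8
Header always set X-Content-Security-Policy "default-src 'self'; script-src 'self'"

# HSTS only on https responses (one year, as in post #8); assumes mod_ssl
# sets the HTTPS env var on TLS requests
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
```

To confirm the placement fixed the problem seen in post #14, request both the http and the https URL with `curl -I` and check that the headers appear on the 301 from the http side and on the 200 from the https side; the redbot.org check used earlier in the thread shows the same thing.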


#18

You might be able to get a VPS for the same money you’re paying for shared hosting. Look around.


#19

Maybe, until then I’ll just add a .htaccess to the website. Thanks again for all the help.


#20

Sure thing, but I am still waiting for an answer to two questions I had asked you about a couple things you posted. No idea what posts or even what the questions were but it was in the last week or two.