Updated Pepster's Place


#21

I’ll search through the threads to see if I can locate them.

I came across this link from owasp.org - http://cyh.herokuapp.com/cyh

and everything checks out OK (Green) except the cookies, so I fixed it in my utilities.inc.php file:
[php]// These must run before any output is sent, or header() fails
header("Content-Type: text/html; charset=utf-8");
header('X-Frame-Options: SAMEORIGIN'); // Prevent clickjacking
header('X-Content-Type-Options: nosniff'); // Stop MIME sniffing
header('X-XSS-Protection: 1; mode=block');
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
header("Content-Security-Policy: default-src 'self'; report-uri /csp_report_parser");
header('X-Permitted-Cross-Domain-Policies: master-only');[/php]

It’s not the greatest solution, but it works. If I ever get the $$$ I’ll move over to a VPS.


#22

I know this is an old topic, but this got in the way over the last 2+ years. ;D

I am finally moving the security up to the .htaccess file on my website.

Found this website to help me out - http://www.insertcart.com/how-to-secure-website-made-these-changes-in-htaccess/
[php]
# Security improvements

<IfModule mod_headers.c>

# Apache re-adds its own Server header after mod_headers runs, so this
# only helps when "ServerTokens Prod" is also set in the main config
Header unset Server
#Header unset X-Pingback
Header unset Accept-Ranges

<FilesMatch "\.html$">
Header set X-Frame-Options "SAMEORIGIN"
</FilesMatch>

# BrowserMatch is case-sensitive; "SAFARI" and "CHROME" never match a
# real User-Agent, so use BrowserMatchNoCase for those.
# Chrome's User-Agent also contains "Safari", so both env vars are set
# for Chrome and the later "Header set" wins.
BrowserMatch MSIE ie
Header set Imagetoolbar "no" env=ie
Header set X-Content-Type-Options "nosniff" env=ie
Header set X-UA-Compatible "IE=edge" env=ie
Header set X-XSS-Protection "1;mode=block" env=ie
Header set X-Content-Security-Policy "default-src 'self'; img-src 'self' analytics.example.com; \
		script-src 'self' analytics.example.com ajax.googleapis.com; font-src 'self' data:" env=ie

BrowserMatch Firefox ff
Header set Content-Security-Policy "default-src 'self'; img-src 'self' analytics.example.com; \
		script-src 'self' analytics.example.com ajax.googleapis.com; \
		font-src 'self' data:" env=ff

BrowserMatchNoCase Safari safari
Header set X-XSS-Protection "1;mode=block" env=safari
Header set X-WebKit-CSP "default-src 'self'; img-src 'self' analytics.example.com; \
		script-src 'self' analytics.example.com ajax.googleapis.com; font-src 'self' data:" env=safari

BrowserMatchNoCase Chrome ch
Header set X-Content-Type-Options "nosniff" env=ch
Header set X-WebKit-CSP "default-src 'none'; img-src 'self' analytics.example.com; \
		script-src 'self' analytics.example.com ajax.googleapis.com; font-src 'self' data:" env=ch

BrowserMatch chromeframe chf
Header set Imagetoolbar "no" env=chf
Header set X-Content-Type-Options "nosniff" env=chf
Header set X-UA-Compatible "IE=edge,chrome=1" env=chf
Header set X-XSS-Protection "1;mode=block" env=chf
Header set X-WebKit-CSP "default-src 'none'; img-src 'self' analytics.example.com; \
		script-src 'self' analytics.example.com ajax.googleapis.com; font-src 'self' data:" env=chf

</IfModule>
[/php]
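Both posts above rely on an online checker to say whether the headers came out right. The following is an added example, not code from either poster or from the linked sites: a small offline audit that parses a raw HTTP response header block and flags the things such checkers typically complain about, including the cookie flags that post #21 says were the one red item. The two response blocks are constructed samples, and the 180-day HSTS floor is an assumed threshold, not one taken from the thread.

```python
import re
from typing import Dict, List

# Constructed sample: a response that is missing some of the hardening
# the thread describes (short HSTS, unsafe-inline in CSP, bare session cookie).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=3600
Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri /csp_report_parser
Set-Cookie: PHPSESSID=abc123; path=/
Set-Cookie: prefs=dark; path=/; Secure; HttpOnly; SameSite=Lax
"""

# Constructed sample: the same site after applying the headers from post #21
# plus cookie flags and a suppressed Server header.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; report-uri /csp_report_parser
Set-Cookie: PHPSESSID=abc123; path=/; Secure; HttpOnly; SameSite=Lax
"""

MIN_HSTS_AGE = 15552000  # assumed floor: 180 days in seconds

REQUIRED = (
    "x-frame-options",
    "x-content-type-options",
    "content-security-policy",
    "strict-transport-security",
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw response header block into {lowercase-name: [values]}.
    Repeated headers (e.g. several Set-Cookie lines) are kept in order."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # end of header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []

    for name in REQUIRED:
        if name not in headers:
            findings.append(f"missing: {name}")

    xfo = headers.get("x-frame-options", [""])[0].upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options: unsupported value {xfo!r}")

    hsts = headers.get("strict-transport-security", [""])[0]
    match = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not match or int(match.group(1)) < MIN_HSTS_AGE):
        findings.append(f"strict-transport-security: max-age below {MIN_HSTS_AGE}")

    csp = headers.get("content-security-policy", [""])[0]
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("content-security-policy: allows unsafe-inline/unsafe-eval")

    if "server" in headers:
        findings.append("server: header present (consider 'Header unset Server')")

    # Each Set-Cookie line is checked separately for the three protective flags.
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0]
        attrs = {p.strip().split("=")[0].lower() for p in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"set-cookie {cookie_name}: missing {flag}")

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit_headers(parse_headers(raw)) or ["no findings"]:
            print(" ", finding)
```

To use it against a live site, paste the output of `curl -sI https://example.invalid/` into `WEAK_RESPONSE` in place of the constructed block; the parser only needs the status line followed by the header lines.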