Security & Headers, Adding a few layers of security

2

Thu May 06, 2021 7:50 pm
Clan Leader
Top Dog
2631 Posts
coRpSE
Online
Most Played:
This week: 81.1hrs.
Total Played: 161hrs.
  
There is life outside of the game.
Very recently, I have been learning about Headers and what I can use them for. I started learning about them due to a new system that Google is coming out with called Google FLoC, or Federated Learning of Cohorts (FLoC). I am not going to go into details on what that is, but if you want to know more, check out the links below.
Please login to see this link
Get registered or Log in
Please login to see this link
Get registered or Log in


But while looking for a way to block this, one of the suggestions to block was for those of us that have our websites on Apache. Well, how do you know if you site is running Apache. Easy, usually you can see it in the details on the backend of your website, sometimes your host will tell you if you are or are not, but the other big giveaway is if your site uses the .htaccess file. If your site does use it, then you are on an Apache server.

Another way is to create a blank php file on your desktop and put this little bit of code into it and run it, when everything comes up, at the top, it will say something like "Server Software:, and if it says Apache, then your good, but if it's empty, do a search for "Apache", if it says anything in there about it, there is a good chance your running Apache. If your running IIS, Nginx, ect..., anything other than apache, then you will need to look up and research on your own how to implement these headers. Most webhost I have come upon use Apache and I only can remember 1, maybe 2 that did not use Apache.

Well, enough of that. What I learned besides how to protect others from the Google FLoC, was also that there are some security headers that you should put in place to not only help secure up your website, but also protect your users that come to your site.

Well, how do I know if I already have these in place?
Easy, just go to this site and in the search, but in your website, (using the https or http). You will be given a rating of A+ - F, (F is failed).

Website:
Please login to see this link
Get registered or Log in


Now what, I didn't get an A or A+? What do I do now?
Simple, open up your .htaccess file found in the root of your site, copy the code below and place it in there. If you are like me and using the .htaccess that comes with the CMS, then place it just above the:

# -------------------------------------------
# Lazy Google Tap
# -------------------------------------------

If you are not using the .htaccess that comes with the CMS, then you are missing out on some caching stuff that helps your site run faster. But overall, you could be able to place it anywhere you want in there under RewriteEngine on if you have that

Code: [ Select all ]

# -------------------------------------------
#  Security Headers
# -------------------------------------------
# Disable Google FLoC
Header always set Permissions-Policy: interest-cohort=()

# Other Security headers
Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "max-age=7776000, enforce"
Header always set Referrer-Policy: "no-referrer-when-downgrade"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Feature-Policy: "microphone 'none'; camera 'none'; geolocation 'none'"


Now, if you are runing a custom .htaccess file as I know some of you are, if you have a section where you see <IfModule>, then you can paste the above code before the </IfModule>, or anywhere inbetween the <IfModule> and </IfModule>.

::NOTE:: If you don't have <IfModule>, then you want to use the below code:

Code: [ Select all ]

# -------------------------------------------
#  Security Headers
# -------------------------------------------
<IfModule>
# Disable Google FLoC
Header always set Permissions-Policy: interest-cohort=()

# Other Security headers
Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "max-age=7776000, enforce"
Header always set Referrer-Policy: "no-referrer-when-downgrade"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Feature-Policy: "microphone 'none'; camera 'none'; geolocation 'none'"
</IfModule>


Thank-you to Dirtdog for pointing this oversight out.

Just putting in that code above will help you protect your site and your visitors. If you want to know more about what each one does, that site from above to check the headers, if you scroll down a bit after you scan your site and see the score, you should see the info about each. They are in a section titled, "Additional Information".

The one big issue I found with that site is that they are saying to use Permission-policy instead of Featured-Policy, but I don't recommend it since Permissions-Policy is currently not supported by anyone except a couple chromium-based browsers, like Chrome and Edge, and even then, it's in test phase only.

Once you put these in, you should get at minimum an A, if you don't have an SSL certificate, (https://), that's the best your going to get. If you have an SSL certificate, you should get an A+.


Expand
Forums ©