XF 2.0 HTTP Security Headers

Nirjonadda

Well-known member
I want to secure my website with a headers policy. Please let me know whether XenForo is compatible with / supports enabling HTTP security headers, or whether there is any issue with it. I have an issue with Content-Security-Policy: the XenForo style breaks if I enable CSP, so I have now disabled CSP. Please let me know how I can re-enable CSP?


HTTP Security Headers via .htaccess

Code:
RewriteEngine On

# Force www:
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Force SSL:
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Security header Enable HSTS
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

# Security header Enable CSP
# Header set Content-Security-Policy "default-src 'self'"

# Turn on IE8-IE9 XSS prevention tools
Header set X-XSS-Protection "1; mode=block"

# Referrer-Policy
Header set Referrer-Policy "no-referrer-when-downgrade"



All HTTP Security, Simple Ways to Secure Your Website ... :cool:

Code:
RewriteEngine On

# Force SSL:
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Force www:
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [E=HTTPS,R=301,L]

# Security header Enable HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

# Security header Enable CSP
# Header always set Content-Security-Policy "default-src 'self'"

# Turn on IE8-IE9 XSS prevention tools
Header always set X-XSS-Protection "1; mode=block"

# Referrer-Policy
Header always set Referrer-Policy "no-referrer-when-downgrade"

# HTTP Public Key Pinning
Header always set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains"

# Secure cookie with HttpOnly
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# X-Permitted-Cross-Domain-Policies
Header always set X-Permitted-Cross-Domain-Policies "none"
 
Hi,

If I set the following setting I can't use XenForo anymore:
Code:
Content-Security-Policy "default-src 'self'"
I don't understand what is being blocked so that nothing works anymore.
If I try to search a template in the ACP I get the message: Oops! We ran into some problems. Security error occurred. Please press back, refresh the page, and try again.
 

Any tutorial for XF 1.5?

Same rules, but Content-Security-Policy is not compatible with XenForo.
 
In my .htaccess I have this one; is there anything to change or add?

Code:
#    Mod_security can interfere with uploading of content such as attachments. If you
#    cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
#    SecFilterEngine Off
#    SecFilterScanPOST Off
#</IfModule>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 405 default
ErrorDocument 406 default
ErrorDocument 500 default
ErrorDocument 501 default
ErrorDocument 503 default

<IfModule mod_rewrite.c>
    RewriteEngine On

    #    If you are having problems with the rewrite rules, remove the "#" from the
    #    line that begins "RewriteBase" below. You will also have to change the path
    #    of the rewrite to reflect the path to your XenForo installation.
    #RewriteBase /xenforo

    #    This line may be needed to enable WebDAV editing with PHP as a CGI.
    #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^.*$ - [NC,L]
    RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
    RewriteRule ^.*$ index.php [NC,L]
</IfModule>

<IfModule mod_deflate.c>
  # Compress HTML, CSS, JavaScript, Text, XML and fonts
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
  AddOutputFilterByType DEFLATE application/x-font
  AddOutputFilterByType DEFLATE application/x-font-opentype
  AddOutputFilterByType DEFLATE application/x-font-otf
  AddOutputFilterByType DEFLATE application/x-font-truetype
  AddOutputFilterByType DEFLATE application/x-font-ttf
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE font/opentype
  AddOutputFilterByType DEFLATE font/otf
  AddOutputFilterByType DEFLATE font/ttf
  AddOutputFilterByType DEFLATE image/svg+xml
  AddOutputFilterByType DEFLATE image/x-icon
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/javascript
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/xml

  # Remove browser bugs (only needed for really old browsers)
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  BrowserMatch ^Mozilla/4\.0[678] no-gzip
  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  Header append Vary User-Agent
</IfModule>

<IfModule mod_expires.c>
    ExpiresActive On
    ############################################
    ## Add default Expires header
    ## http://developer.yahoo.com/performance/rules.html#expires
    <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
        ExpiresDefault "access plus 1 year"
    </FilesMatch>
</IfModule>
 
There's a Firefox extension that can assist in generating a CSP for a website: https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/

In general, you should make sure you understand what you're doing though or you can end up breaking your site in weird ways. I'm not entirely sure it's worthwhile at this point anyways. XF uses inline JS without any nonce attributes, which I think invalidates some of the biggest potential security gains of CSP.
 
I tried adding Content-Security-Policy and the "you're using an incompatible browser" notice flashes and disappears every refresh. Really odd.

This code is from @Ozzy and works for the XenForo forum ... :love:

Code:
# Content Security Policy #
# (mod_headers takes the bare header name; a trailing colon would be emitted as part of the name)
Header set Content-Security-Policy "default-src blob: * data: 'unsafe-inline' 'unsafe-hashes'"
 
It might work, but it is not safe at all and totally bypasses the effects of a good CSP.
Getting a valid CSP is frustratingly difficult!

You could try to use the wizard from https://report-uri.com
It will detect a valid CSP, but you will see that this is very complicated if you are using inline scripting and external sources.
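As an added example (not from the thread, XenForo or report-uri.com), a small Python checker that shows both sides of the discussion above: why `default-src 'self'` blocks XenForo's inline JS, which carries no nonce, and why the `blob: * data: 'unsafe-inline'` policy posted earlier leaves script execution effectively unrestricted. The weak-source list and the function names are my own assumptions, not anything the posters used.

```python
"""Check whether a Content-Security-Policy restricts scripts at all and whether it
still lets inline <script> blocks that carry no nonce/hash run (added example)."""
from typing import Dict, List

# Source expressions that let scripts load from anywhere or run inline (my own list).
WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:", "http:", "https:"}
# script-src governs scripts; default-src is the fallback when script-src is absent.
SCRIPT_DIRECTIVES = ("script-src", "default-src")
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split "a b; c d" into {"a": ["b"], "c": ["d"]}; directive names are case-insensitive."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def effective_script_sources(directives: Dict[str, List[str]]) -> List[str]:
    """Sources that apply to scripts; with neither directive present CSP allows everything."""
    for name in SCRIPT_DIRECTIVES:
        if name in directives:
            return directives[name]
    return ["*"]

def csp_findings(policy: str) -> List[str]:
    """One entry per script source that defeats the policy (empty list = scripts are tightly restricted)."""
    findings = []
    for src in effective_script_sources(parse_csp(policy)):
        if src.lower() in WEAK_SOURCES:
            findings.append(f"script source {src} allows remote or inline script")
    return findings

def permits_unnonced_inline_script(policy: str) -> bool:
    """True if an inline <script> with no nonce or hash still executes under this policy.
    No script-src/default-src means no restriction; a nonce/hash source makes browsers ignore 'unsafe-inline'."""
    directives = parse_csp(policy)
    if not any(name in directives for name in SCRIPT_DIRECTIVES):
        return True
    sources = [s.lower() for s in effective_script_sources(directives)]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash

if __name__ == "__main__":
    # The two policies from the thread: the strict one breaks un-nonced inline JS, the loose one protects nothing.
    for p in ("default-src 'self'", "default-src blob: * data: 'unsafe-inline' 'unsafe-hashes'"):
        print(p, "->", csp_findings(p) or "no weak script sources",
              "| inline JS without nonce runs:", permits_unnonced_inline_script(p))
```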
 