XF 1.4 Security Alerts

Hi All

I have installed XenForo and it's running well, though after setting everything up we ran a vulnerability scanner on our site (unfortunately we have been seriously hacked in the past and left a tad paranoid), a couple of high warnings issued:

High Alerts:
GET /community/index.php
-Cleartext Password over HTTP
-solution: Passwords should never be sent over cleartext. The form should submit to an HTTPS target.

GET /community/
-Session Cookie Without Secure Flag
Solution: When creating the cookie in the code, set the secure flag to true.

Medium Alerts:

Our PHP is tight, our Linux server stripped down to the bare essential bones, it would be great to know we are safe with XenForo... Does anyone else ever have problems of security, indeed any pointers on how to remedy these alerts appreciated.

Many thanks

Chris D

XenForo developer
Staff member
These errors are mostly expected if your site URL begins with http:// rather than https://

To run your site over https you will need to obtain an SSL certificate, and configure the web server to redirect non-SSL requests to SSL.
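Added example, not part of the thread and not XenForo's own code: a small Python check that reports the two high alerts quoted above from a response's headers and HTML, so the result can be re-verified after the site is moved to https. The URL, cookie name and form markup are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordForms(HTMLParser):
    """Collect the resolved submit target of each form holding a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.action = None  # submit target of the form currently open
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.targets.append(self.action or self.page_url)

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None


def audit(page_url, header_lines, html):
    """Return findings for the two high alerts quoted in the thread."""
    findings = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        if "secure" not in [p.lower() for p in parts[1:]]:
            findings.append("cookie without Secure flag: " + parts[0].split("=")[0])
    forms = PasswordForms(page_url)
    forms.feed(html)
    for target in forms.targets:
        if urlsplit(target).scheme != "https":
            findings.append("password form submits over cleartext: " + target)
    return findings


# Constructed sample response, not captured from any real site.
SAMPLE_URL = "http://forum.example/community/index.php"
SAMPLE_HEADERS = ["Content-Type: text/html", "Set-Cookie: sess=0123abcd; path=/; HttpOnly"]
SAMPLE_HTML = '<form action="login" method="post"><input type="password" name="p"></form>'
print(audit(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML))
```

Both findings disappear once the page URL is https and the cookie is issued with the Secure attribute, because the relative form action then resolves to an https target.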