
XF 1.4 Security Alerts

#1
Hi All

I have installed XenForo and it's running well, though after setting everything up we ran a vulnerability scanner on our site (unfortunately we have been seriously hacked in the past and left a tad paranoid), and a couple of high warnings were issued:

High Alerts:
GET /community/index.php
-Cleartext Password over HTTP
-solution: Passwords should never be sent over cleartext. The form should submit to an HTTPS target.

GET /community/
-Session Cookie Without Secure Flag
Solution: When creating the cookie in the code, set the secure flag to true.

Medium Alerts:
None

Our PHP is tight, our Linux server stripped down to the bare essential bones, it would be great to know we are safe with XenForo... Does anyone else ever have problems of security? Indeed, any pointers on how to remedy these alerts appreciated.

Many thanks
Pete
 

Chris D

XenForo developer
Staff member
#2
These errors are mostly expected if your site URL begins with http:// rather than https://

To run your site over https you will need to obtain an SSL certificate, and configure the web server to redirect non-SSL requests to SSL.
 