__Headers in .htaccess-file to secure website__ - .htaccess

I wish you all a good day and a nice start in the Weekend :)
I set the next Headers in htaccess-file:
# Security Headers
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-Permitted-Cross-Domain-Policies "none"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "deny"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
# Header set Content-Security-Policy ...
Header set Referrer-Policy "no-referrer"
Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
</IfModule>
but when I scan my website on "securityheaders" it shows all the headers in red. That means the website is not secure.
I would be so thankful if someone could show me the error.
Thank you and
Best regards

Related

Internal Server Error when add Header set Access-Control-Allow-Methods to Htaccess

I would like to add an authorization to my web site through htaccess.
I added this code :
# BEGIN Cache-Control Headers
<ifmodule mod_headers.c>
Header set Access-Control-Allow-Origin: https://www.example.com
Header set Access-Control-Allow-Headers: Special-Request-Header
Header set Access-Control-Allow-Credentials: true
Header set Access-Control-Max-Age: 240
</ifmodule>
# END Cache-Control Headers
But the website gives an Internal Server Error when I try to add the line below:
Header set Access-Control-Allow-Methods: PUT, POST, OPTIONS
Is a special authorization required, or is it a syntax error?
Try with "":
Header set Access-Control-Allow-Methods "PUT, POST, OPTIONS"

How can I prevent Clickjacking attack on my Prestashop website?

I added the
<meta http-equiv="X-Frame-Options" content="deny">
in the header.tpl file, but it is not working and throws an error:
X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
And I also added the
Header always append X-Frame-Options SAMEORIGIN
line in .htaccess file. But this is also not working.
Then how can I prevent Clickjacking on my Website?
For references : Clickjacking Defense Cheat Sheet | OWASP and X-Frame-Options - HTTP
I suggest you edit the .htaccess in your PrestaShop root folder installation and, just before the lines identified by "# ~~start~~ Do not remove...", add the following block:
# Extra Security Headers
<IfModule mod_headers.c>
# 'unsafe-inline' and 'unsafe-eval' weaken the XSS protection this policy gives
Header set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' 'self' *.googleapis.com *.gstatic.com;"
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
# The value contains spaces and semicolons, so it must be quoted or Apache rejects the directive
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</IfModule>
This will provide protection against:
clickjacking - content sniffing - XSS attacks

Leverage browser caching not working and resources duplicating

I am having problems with leverage browser caching. It seems that my resources are not fetched from the cache and, as you can see on the image below, some of them are duplicated. I have this meta tag:
<meta http-equiv="Cache-Control" content="private, max-age=216000">
Also I got this on my .htaccess:
<IfModule mod_headers.c>
# Set the cache-control max-age (the dot in the pattern is escaped so it only matches the extension)
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
Header set Cache-Control "max-age=172800, public"
</FilesMatch>
# 2 DAYS
<FilesMatch "\.(xml|txt)$">
Header set Cache-Control "max-age=172800, public, must-revalidate"
</FilesMatch>
# 4 HOURS
<FilesMatch "\.(html|htm)$">
Header set Cache-Control "max-age=14400, must-revalidate"
</FilesMatch>
# Turn off the ETags
Header unset ETag
FileETag None
# Turn off the Last Modified header except for html docs
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css)$">
Header unset Last-Modified
</FilesMatch>
</IfModule>
Thanks
OK, as I see from your screenshot, you haven't set any caching headers. Even though you said that you did, I can't see them on the screenshot.
Here is an explanation of how caching headers work if you need it, just in case: Cache-Control headers, max-age defined but back button always deliver web cache data
To make caching more efficient, you can load common libraries from public CDNs. For example you can load JQuery from their official CDN: look here

Exceptions to Filesmatch htaccess rule?

Gidday
I've currently got js files set up as must-revalidate, to overcome mobile networks caching old versions when I do updates.
<FilesMatch ".(js)$">
Header set Cache-Control "max-age=608000"
Header set Cache-Control "must-revalidate"
</FilesMatch>
I have some .js files that I never change, so I was wondering how to go about making an exception for these files?
Thanks for your time and help.
You can add another FilesMatch section for those specific files:
<FilesMatch "\.js$">
Header set Cache-Control "max-age=608000"
Header set Cache-Control "must-revalidate"
</FilesMatch>
# CACHED FOREVER
<FilesMatch "(file1|file2)\.js$">
Header set Cache-Control "public"
Header set Expires "Thu, 15 Apr 2010 20:00:00 GMT"
Header unset Last-Modified
</FilesMatch>
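A small linter, added here as an example and not code from any of the posts above, that catches the three .htaccess mistakes discussed in this thread: multi-word header values left unquoted (the cause of the 500 in the CORS question), `Header set` without `always` (the header is then missing from 4xx/5xx responses), and a second `Header set` of the same header in the same scope that silently replaces the first (the two Cache-Control lines). The sample .htaccess text is constructed.

```python
import shlex

# Headers a securityheaders-style scan expects; only "Header always set"
# guarantees they are also sent on 4xx/5xx responses.
SECURITY_HEADERS = {"strict-transport-security", "x-frame-options",
                    "x-content-type-options", "content-security-policy",
                    "referrer-policy", "permissions-policy"}

# Constructed sample, not any poster's file: each line reproduces one
# mistake from the thread.
SAMPLE_HTACCESS = """\
Header set Access-Control-Allow-Methods: PUT, POST, OPTIONS
Header set Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Header set X-Frame-Options "deny"
Header always set X-Content-Type-Options "nosniff"
<FilesMatch "\\.js$">
Header set Cache-Control "max-age=608000"
Header set Cache-Control "must-revalidate"
</FilesMatch>
"""

def lint_header_directives(text):
    # Returns a list of (line_no, message) findings.
    findings, seen, scope = [], {}, "/"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("<FilesMatch"):
            scope = line          # a new scope may legitimately set a header again
        elif line.startswith("</FilesMatch"):
            scope = "/"
        if not line.startswith("Header "):
            continue
        toks = shlex.split(line, comments=True)[1:]
        always = toks[:1] == ["always"]
        toks = toks[1:] if always else toks
        if len(toks) < 3 or toks[0] not in ("set", "append", "add", "merge"):
            continue              # unset/edit/echo are not checked here
        action, header, rest = toks[0], toks[1].rstrip(":"), toks[3:]
        # mod_headers allows one optional condition after the value; extra
        # tokens from an unquoted value are a syntax error (HTTP 500).
        if len(rest) > 1 or (rest and not rest[0].startswith(("early", "env=", "expr="))):
            findings.append((no, f"{header}: value with spaces must be quoted"))
        key = (scope, header.lower())
        if action == "set" and key in seen:
            findings.append((no, f"{header}: replaces the value set on line {seen[key]}"))
        if action == "set":
            seen[key] = no
        if not always and header.lower() in SECURITY_HEADERS:
            findings.append((no, f"{header}: use 'Header always set' so error pages get it too"))
    return findings
```

Run `lint_header_directives(open(".htaccess").read())` against your own file; an empty list means none of the three mistakes is present.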

htaccess: content doesn't seem to get cache'd

This is my code for caching my website in the user's browser:
## EXPIRES CACHING ##
# Every directive below comes from mod_headers, so guard on mod_headers.c rather than mod_expires.c
<IfModule mod_headers.c>
Header unset Pragma
FileETag None
Header unset ETag
# cache images/pdf docs for 30 days
<FilesMatch "\.(ico|pdf|jpg|jpeg|png|gif|js|ttf|woff|eot|svg)$">
Header set Cache-Control "max-age=2592000, public, must-revalidate"
Header unset Last-Modified
</FilesMatch>
# cache html/htm/xml/txt files for 10 days
<FilesMatch "\.(html|htm|xml|txt|xsl|css|php)$">
Header set Cache-Control "max-age=864000, must-revalidate"
</FilesMatch>
</IfModule>
## EXPIRES CACHING ##
When I check my website's performance on http://developers.google.com/speed/pagespeed/insights/ it doesn't seem like it's getting cached.
Is there anything wrong with the code? Or could it have something to do with a deeper server setting?
Thanks!
I solved the issue by installing mod_headers and mod_expires on the server. Quite useful if you're going to use their functions...
