Security Headers


Bertie

Hi all,

Not sure if this is the right place but was wondering if anyone else has looked into implementing security headers into an .htaccess or one of the other ways for their WHMCS installations? For example Content Security Policy header to protect from XSS attacks etc. 

If you have, did it go well or were there limitations on what you could implement due to XYZ?

Cheers, 


  • 2 years later...
  • 8 months later...

Hello, 

I tried to implement security headers (after a scan on securityheaders.com) and all pages with forms had issues: contact forms, filters on product pages etc. did not work as expected.

Here's what I have used:

<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header set Referrer-Policy "strict-origin"
Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
Header set Permissions-Policy "geolocation=self"
Header set Content-Security-Policy "default-src https:; font-src https: data:; img-src https: data:; script-src https:; style-src https:;"
</IfModule>

Any help/guidance to tweak the above to make forms work smoothly will be highly appreciated.

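An added example, not from the post above and not WHMCS code: a small Python review of the Content-Security-Policy value posted above. It parses the CSP into directives, applies the default-src fallback rules, and flags the settings that most often break pages with forms (script-src and style-src with no inline allowance) or leave a gap worth closing (no form-action, base-uri, frame-ancestors, object-src). It also builds a Content-Security-Policy-Report-Only line so a policy can be trialled in the browser without blocking anything. The STRICTER_CSP string, the 'nonce-PLACEHOLDER' token and the /csp-report-PLACEHOLDER path are constructed placeholders, not values from the page.

```python
"""Added example: parse a Content-Security-Policy value, flag the directives
that commonly break form-heavy pages, and produce a Report-Only variant for a
staged rollout. The POSTED_CSP string is the one from the forum post above."""

# The CSP value posted above (copied from the forum post).
POSTED_CSP = ("default-src https:; font-src https: data:; img-src https: data:; "
              "script-src https:; style-src https:;")

# Constructed comparison policy that the review below accepts.
# 'nonce-PLACEHOLDER' stands for a per-response nonce the application would
# have to generate for each page; it is not a real value.
STRICTER_CSP = ("default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; "
                "style-src 'self' 'nonce-PLACEHOLDER'; img-src 'self' data:; "
                "font-src 'self' data:; object-src 'none'; base-uri 'self'; "
                "form-action 'self'; frame-ancestors 'self'")

# Fetch directives that fall back to default-src when absent.
# form-action, base-uri and frame-ancestors do NOT fall back.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
}


def parse_csp(value: str) -> dict:
    """Split a CSP value into {directive: [source expressions]}."""
    policy = {}
    for chunk in value.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy: dict, directive: str):
    """Sources that actually apply to a directive, honouring the default-src
    fallback. Returns None when the directive is absent and has no fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def _allows_inline(sources) -> bool:
    """True if inline content is permitted via 'unsafe-inline', a nonce or a hash."""
    return any(s == "'unsafe-inline'" or s.startswith("'nonce-") or s.startswith("'sha")
               for s in sources or [])


def review_csp(value: str) -> dict:
    """Return {directive: explanation} for settings that commonly break pages
    with forms or leave a gap a defender would want closed."""
    policy = parse_csp(value)
    findings = {}
    if not _allows_inline(effective_sources(policy, "script-src")):
        findings["script-src"] = ("inline <script> blocks and on*= handlers are blocked; "
                                  "inline form validation or filters stop working until "
                                  "moved to external files or allowed by nonce/hash")
    if not _allows_inline(effective_sources(policy, "style-src")):
        findings["style-src"] = "inline style attributes are blocked; generated forms may render differently"
    if "form-action" not in policy:
        findings["form-action"] = "not set and no fallback: form submissions may target any origin"
    if "base-uri" not in policy:
        findings["base-uri"] = "not set and no fallback: an injected <base> tag can redirect relative URLs"
    if "frame-ancestors" not in policy:
        findings["frame-ancestors"] = "not set; framing is controlled only by X-Frame-Options"
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings["object-src"] = "plugins (<object>/<embed>) are allowed; 'none' is the usual choice"
    return findings


def report_only_directive(value: str, report_path: str = "/csp-report-PLACEHOLDER") -> str:
    """Build an Apache directive that reports violations without enforcing
    them, so a policy can be trialled without breaking forms. report_path is
    a placeholder endpoint; the site would need to provide one."""
    value = value.strip().rstrip(";")
    return ('Header always set Content-Security-Policy-Report-Only '
            f'"{value}; report-uri {report_path}"')


if __name__ == "__main__":
    for name, msg in review_csp(POSTED_CSP).items():
        print(f"{name}: {msg}")
    print(report_only_directive(POSTED_CSP))
```

Running it against the posted policy reports that script-src and style-src allow no inline content, which is the usual reason form pages stop working under a strict CSP, and that form-action, base-uri, frame-ancestors and object-src are left open. The Report-Only line is the safe way to find out what a page actually needs before enforcing; report-uri is deprecated in favour of report-to but remains widely honoured.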

  • 4 months later...
  • WHMCS Support Manager

Hello,

The WHMCS application has built-in protections against XSS and other potential security concerns implied here. For this reason we do not have specific webserver-hardening recommendations for systems running WHMCS.

May I suggest following general best practice for hardening your webserver. I located the following guide, which speaks to configuring some of these directives in common webserver configurations: https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache
