Bertie
Posted December 10, 2019

Hi all,

Not sure if this is the right place but was wondering if anyone else has looked into implementing security headers into an .htaccess or one of the other ways for their WHMCS installations? For example, a Content Security Policy header to protect from XSS attacks etc.

If you have, did it go well or were there limitations on what you could implement due to XYZ?

Cheers,

jeffuk
Posted August 16, 2022 (edited August 16, 2022 by jeffuk)

Did you ever get anywhere with this? I am looking to protect x-frame-by-pass by adding frame-ancestors 'self'

hiya.digital
Posted May 13, 2023

Hello,

I tried to implement security headers (after a scan on securityheaders.com) and all pages with forms had issues: contact forms, filters on product pages etc. did not work as expected.

Here's what I have used:

    <IfModule mod_headers.c>
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Frame-Options "SAMEORIGIN"
        Header set X-Content-Type-Options "nosniff"
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
        Header set Referrer-Policy "strict-origin"
        Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
        Header set Permissions-Policy "geolocation=self"
        Header set Content-Security-Policy "default-src https:; font-src https: data:; img-src https: data:; script-src https:; style-src https:;"
    </IfModule>

Any help/guidance to tweak the above to make forms work smoothly will be highly appreciated.
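
Added example, not part of any post in this thread and not WHMCS code: a small Python audit of the Content-Security-Policy string from the post above. It reports whether script-src and style-src block inline code (one thing to check when forms stop working after a policy is added) and which directives default-src does not cover, such as the frame-ancestors mentioned earlier in the thread. Function names are illustrative.

```python
# Added example (not from the thread): audit a CSP string for blocked inline
# code and for directives that default-src does not cover.

# Policy string copied from the Apache config posted above.
POLICY = ("default-src https:; font-src https: data:; img-src https: data:; "
          "script-src https:; style-src https:;")

# These directives never inherit from default-src; unset means unrestricted.
NO_FALLBACK = ("frame-ancestors", "form-action", "base-uri")
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(policy):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def effective(directives, name):
    """Source list the browser applies for `name`, or None if unrestricted."""
    if name in directives:
        return directives[name]
    if name in NO_FALLBACK:
        return None
    return directives.get("default-src")

def allows_any_inline(sources):
    """True if arbitrary inline code runs under this source list."""
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    # A nonce or hash in the list makes browsers ignore 'unsafe-inline'.
    pinned = any(s.startswith(HASH_OR_NONCE) for s in lowered)
    return "'unsafe-inline'" in lowered and not pinned

def audit(policy):
    d = parse_csp(policy)
    findings = []
    for name, what in (("script-src", "inline <script> and on* handlers"),
                       ("style-src", "inline <style> and style attributes")):
        if not allows_any_inline(effective(d, name)):
            findings.append(f"{name}: blocks arbitrary {what}")
    for name in NO_FALLBACK:
        if name not in d:
            findings.append(f"{name}: not set, default-src does not cover it")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(POLICY)))
```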

WHMCS John (WHMCS Support Manager)
Posted September 14, 2023

Hello,

The WHMCS application has built-in protections against XSS and other potential security concerns implied here. For this reason we do not have specific webserver-hardening recommendations for systems running WHMCS.

May I suggest following general best practice for hardening your webserver. I located the following guide which speaks to configuring some of these directives in common webserver configurations: https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache