Security Headers

[Bertie]

Hi all,

Not sure if this is the right place but was wondering if anyone else has looked into implementing security headers into an .htaccess or one of the other ways for their WHMCS installations? For example Content Security Policy header to protect from XSS attacks etc. 

If you have - Did it go well or was there limitations on what you could implement  due to XYZ? 

Cheers, 

 

[jeffuk]

Did you ever get anywhere with this? 

I am looking to protect  x-frame-by-pass by adding frame-ancestors 'self'

Edited August 16, 2022 by jeffuk

[hiya.digital]

Hello, 

I tried to implement security headers (after scan on securityheaders.com) and all pages with forms had issues like contact forms, filters on product pages etc. did not work as expected.  

Here's what I have used:

<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header set Referrer-Policy "strict-origin"
Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
Header set Permissions-Policy "geolocation=self"
Header set Content-Security-Policy "default-src https:; font-src https: data:; img-src https: data:; script-src https:; style-src https:;"
</IfModule>

Any help/guidance to tweak above to make forms work smoothly will be highly appreciated. 

[WHMCS John]

Hello,

The WHMCS application has built-in protections against XSS and other potential security concerns implied here. For this reason we do not have specific webserver-hardening recommendations for systems running WHMCS.

May I suggest following general best-practice for hardening your webserver, I located the following guide which speaks to configuring some of these directives in common webserver configurations: https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache