We recommend adding the following CSP directives (you can use default-src if all the values are the same): script-src, object-src, base-uri, frame-src.
Try to block the execution of scripts injected through user-submitted content (i.e. pages, buzz, project descriptions, comments, etc.).
Use "report-uri" to log violations. An endpoint to send the report JSON to: https://report-uri.com/#prices (free up to 10,000 requests per month). When testing in production, use the Content-Security-Policy-Report-Only header so that requests which the CSP rules would block are only reported to the endpoint, not actually blocked.
Some recommendations from Sucuri:
- Missing security header for ClickJacking Protection. Alternatively, you can use Content-Security-Policy: frame-ancestors 'none'. (.htaccess file, on the server side)
- Missing security header to prevent Content Type sniffing. (.htaccess file, on the server side)
- Missing Strict-Transport-Security security header.
- Missing Content-Security-Policy directive.
- Leaked PHP version. Your site is displaying your PHP version in the HTTP headers. Please set expose_php = Off.
Check the full report at: https://sitecheck.sucuri.net/results/codeforphilly.org (the results are the same for other Laddr instances)
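An Apache .htaccess fragment covering the CSP recommendations and the Sucuri findings above, added here as an example (it is not from the Laddr project or from the issue author). It assumes mod_headers is enabled, PHP runs as mod_php (with PHP-FPM set expose_php = Off in php.ini instead), and the report endpoint URL is a placeholder to replace with the one from your report-uri.com account.

```apache
<IfModule mod_headers.c>
    # Clickjacking protection: frame-ancestors in the CSP below covers modern
    # browsers, X-Frame-Options covers older ones.
    Header always set X-Frame-Options "DENY"

    # Stop browsers from guessing a response's MIME type.
    Header always set X-Content-Type-Options "nosniff"

    # HSTS is only honoured on HTTPS responses (browsers ignore it over HTTP).
    # Start with a short max-age and raise it once nothing breaks.
    Header always set Strict-Transport-Security "max-age=300; includeSubDomains"

    # Phase 1, report only: nothing is blocked, but every request the policy
    # WOULD block is POSTed as JSON to the report endpoint. Inline scripts in
    # user content (pages, buzz, project descriptions, comments) show up here
    # because script-src has no 'unsafe-inline'; so do legitimate inline
    # scripts the site itself uses, which is why this phase comes first.
    # EXAMPLE.report-uri.com is a placeholder, not a real endpoint.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-src 'none'; frame-ancestors 'none'; report-uri https://EXAMPLE.report-uri.com/r/d/csp/reportOnly"

    # Phase 2: once the reports are clean, move the same policy to the
    # enforcing header (and point report-uri at the enforce endpoint).
    # Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-src 'none'; frame-ancestors 'none'; report-uri https://EXAMPLE.report-uri.com/r/d/csp/enforce"
</IfModule>

# Hide the PHP version from the X-Powered-By header. Only works under mod_php;
# the module is named mod_php5.c / mod_php7.c on older PHP releases.
<IfModule mod_php.c>
    php_flag expose_php Off
</IfModule>
```

Verify with `curl -sI https://your-site/` that the headers appear and that X-Powered-By no longer carries a version before switching to the enforcing header.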