securityheaders / securityheaders-bugs

Bug tracker for https://securityheaders.io

Security headers not detected, "F" score #91

Open mrmatteastwood opened 3 years ago

mrmatteastwood commented 3 years ago

The following security headers are present in the .htaccess file for kait-solutions.de and snapflux.com:

# BEGIN HTTP Security Headers
<IfModule mod_headers.c>
    # HSTS - tell the browser to use HTTPS for this host (and its subdomains) for two years.
    # Submit for Chrome preload list at https://hstspreload.appspot.com/
    # No trailing colon after the header name. Plain "set" writes only the onsuccess
    # table, so this header is absent from redirect and error responses.
    Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

    # X-Xss-Protection ("always" also covers redirect and error responses)
    Header always set X-Xss-Protection "1; mode=block"

    # Stop clickjacking by only allowing us to frame our own site
    Header always set X-Frame-Options "SAMEORIGIN"

    # Avoid MIME type sniffing attacks
    Header set X-Content-Type-Options "nosniff"

    # Allow Cross-Origin Resource Sharing (CORS). "*" lets any origin read these
    # responses, so keep it only for content that is public anyway.
    Header set Access-Control-Allow-Origin "*"

    # Content Security Policy. upgrade-insecure-requests on its own only rewrites
    # http:// subresource URLs to https://; it restricts no script or style sources.
    Header set Content-Security-Policy "upgrade-insecure-requests;"

    # Try and remove PHP version
    Header unset X-Powered-By

    # Referrer Policy
    Header set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>

# Try and disable server signature
ServerSignature Off

# END HTTP Security Headers

Both websites receive an F score on securityheaders.com.

I am also using the WordPress plugin "Shield Security" on both websites, which has its own HTTP Security Headers module. With that exact same configuration, another one of my projects, hc-kartenlegen.de, gets a straight A.

Things I've tried

On kait-solutions.de, I tried a different(ly worded?) set of security headers, as follows:

# BEGIN HTTP Security Headers
# Header directives belong to mod_headers, so the block is guarded on that module
# (Nextcloud's .htaccess nests this block inside <IfModule mod_headers.c>);
# only the SetEnv marker at the end needs mod_env.
<IfModule mod_headers.c>
    # Add security and privacy related headers
    # This is nicked from NextCloud's .htaccess

    # Avoid doubled headers by unsetting headers in "onsuccess" table,
    # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
    Header onsuccess unset Strict-Transport-Security
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"

    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Download-Options
    Header always set X-Download-Options "noopen"

    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    Header onsuccess unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"

    Header onsuccess unset X-Robots-Tag
    Header always set X-Robots-Tag "none"

    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    <IfModule mod_env.c>
        SetEnv modHeadersAvailable true
    </IfModule>
</IfModule>

# Try and disable server signature
ServerSignature Off

# END HTTP Security Headers

I nicked those from a NextCloud I have on 2sinn.com (which gets an A), but even with them, kait-solutions.de still gets an F.

Note this may not be a bug, I'm quite possibly doing something wrong. I don't fully understand these codes. I researched them to the best of my abilities and cobbled them together from different sources.

joshmaag commented 3 years ago

You should check the browser response, because it's not producing those headers currently on your index when I visit https://snapflux.com/. It does produce those on your CSS/JS though.
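
The check suggested in the reply above, as an added example that is not part of the issue or of securityheaders.io's own code: parse the response headers of the HTML document and of a static asset, and list the headers that are present on the asset but missing on the document. The two embedded responses are constructed for the demo (not captured from the sites named in the issue) and mirror the reported symptom; `fetch_headers` is the live variant for a real URL. The header list `EXPECTED` is the set the .htaccess above tries to set, and the `header-check/1.0` user agent string is an arbitrary assumption.

```python
"""Check which security headers an origin actually returns, per resource type.

Added example for this issue (not code from securityheaders.io or the reporter).
The offline demo uses two constructed responses; fetch_headers() is the live check.
"""
import urllib.request

# Header names the .htaccess in this issue tries to set (matched case-insensitively).
EXPECTED = (
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Content-Security-Policy",
    "Referrer-Policy",
)

# Constructed sample responses (not captured from the sites in the issue), shaped like
# the symptom in the reply above: the PHP-generated document carries none of the
# headers, while a static .css file served directly by Apache carries all of them.
SAMPLE_INDEX = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<!doctype html><title>home</title>"
)
SAMPLE_CSS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Content-Type-Options: nosniff\r\n"  # doubled on purpose: set in onsuccess and always
    "Content-Security-Policy: upgrade-insecure-requests;\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "Content-Type: text/css\r\n"
    "\r\n"
    "body{margin:0}"
)


def parse_raw_response(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.x response into {lowercase-name: value}.

    Repeated names are joined with ', ' instead of being overwritten, so a header
    emitted twice (the doubled-header case the Nextcloud snippet unsets) stays visible.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # element 0 is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return headers


def audit(headers: dict) -> dict:
    """Map each expected header to its value, or None when the response lacks it."""
    return {name: headers.get(name.lower()) for name in EXPECTED}


def missing_on_document(doc_headers: dict, asset_headers: dict) -> list:
    """Expected headers that the static asset carries but the HTML document does not.

    A non-empty result means the directives do work for files Apache serves itself,
    and the gap is in whatever produces the document (the CMS, a cache, or a proxy).
    """
    return [
        name for name in EXPECTED
        if asset_headers.get(name.lower()) and not doc_headers.get(name.lower())
    ]


def fetch_headers(url: str) -> dict:
    """Live variant: GET url and return its response headers with lowercased names.

    Redirects are followed, so these are the headers of the final response, which is
    what the browser (and a scanner that follows redirects) ends up evaluating.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "header-check/1.0"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return {name.lower(): value for name, value in resp.getheaders()}


if __name__ == "__main__":
    doc = parse_raw_response(SAMPLE_INDEX)
    css = parse_raw_response(SAMPLE_CSS)
    for name, value in audit(doc).items():
        print(f"document {name}: {value or 'MISSING'}")
    print("present on asset but missing on document:", missing_on_document(doc, css))
    # Live use, e.g.:
    #   missing_on_document(fetch_headers("https://example.com/"),
    #                       fetch_headers("https://example.com/style.css"))
```

Run the live variant against the page URL and against one of the site's own .css or .js URLs: if the returned list is non-empty, the .htaccess is being honoured for static files and the problem is in whatever generates or caches the HTML response, which is the situation the reply above describes.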

mrmatteastwood commented 3 years ago

Thanks for the pointer, and for following up. I still haven't gotten around to educating myself more on this, but I was always suspecting this was probably more of an issue on my end, due to my lack of understanding.