securityheaders / securityheaders-bugs

Bug tracker for https://securityheaders.io

Reports a grade C when sister site is A and identical settings #96

Closed johndball closed 2 years ago

johndball commented 3 years ago

I recently scanned my site (https://www.johndball.com) as I do on a periodic basis and I returned a grade “C” for missing: content security policy, referrer policy, and permissions policy.

I then scanned a sister site on the same server with a nearly identical config file (https://www.trindonball.com) and those headers were listed along with a grade “A+“.

I reviewed my headers on https://websniffer.cc/?url=https://www.johndball.com/ and I can see the three “missing” headers being reported correctly. A Hardenize.com scan also recognizes and correctly reports the headers that SecurityHeaders.io is reporting missing.

Edit: I just noticed that SecurityHeaders is reporting a 403 response when the sister site is reporting a 200 response. I didn’t notice this yesterday or even when I submitted this bug. I suspect it has something to do with some recent feature rollouts in Cloudflare (super bot fight mode). I will investigate and report back. Hopefully it will be an easy fix and those facing a similar issue can correct it themselves.

ScottHelme commented 3 years ago

Hi @johndball,

Looking at the scan results we're getting a 403 so we're probably being blocked or filtered by something which is why perhaps we aren't receiving the headers in your response. Can you see what is the cause of the 403 and if you set the headers on the 403?


johndball commented 3 years ago

It was self-inflicted. Cloudflare's new "super bot fight mode" was knocking down SecurityHeaders' scanner.

To configure the setting in Cloudflare to allow all automated bots: Cloudflare --> Firewall --> Bots --> Configure Super Bot Fight Mode --> "Definitely automated = Allow"


@ScottHelme Cloudflare has an application for submitting a bot request to their "known good" list. Perhaps this is something SecurityHeaders can pursue so that the scan engine won't get knocked down by their new tool?

FAQ: https://support.cloudflare.com/hc/en-us/articles/360035387431

Submission form: https://docs.google.com/forms/d/e/1FAIpQLSdqYNuULEypMnp4i5pROSc-uP6x65Xub9svD27mb8JChA_-XA/viewform?usp=sf_link
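The diagnosis in this thread (a 403 from a bot filter that never carries the origin's headers) is easy to reproduce locally before blaming the scanner. The script below is an added example, not code from securityheaders.io or Cloudflare: it audits a response for the three headers the scan flagged, treats a 403 as "possibly filtered", and shows that urllib raises HTTPError on a 403, so the error branch must be caught to read the 403's own headers. The URL fetch helper, the `header-audit/1.0` User-Agent, and the sample responses are constructed assumptions.

```python
import urllib.request
import urllib.error

# The three headers securityheaders.io reported missing in this issue.
EXPECTED_HEADERS = ("Content-Security-Policy", "Referrer-Policy", "Permissions-Policy")


def audit_response(status, headers):
    """Return which expected headers are absent (header names are
    case-insensitive) and whether the status suggests a WAF/bot filter
    answered instead of the origin."""
    present = {name.lower() for name in headers}
    missing = [h for h in EXPECTED_HEADERS if h.lower() not in present]
    return {
        "status": status,
        "missing": missing,
        # A 403 that lacks the headers typically means the request was
        # answered by a filter in front of the origin, as happened here.
        "possibly_filtered": status == 403,
    }


def fetch_and_audit(url, user_agent="header-audit/1.0"):
    """Fetch url and audit it. urllib raises HTTPError for 4xx/5xx, and the
    error object still carries the status and headers of that response; without
    this except branch a 403 would look like a fetch failure, not a header result."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return audit_response(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        return audit_response(err.code, dict(err.headers))


# Constructed sample responses modelled on the thread: the origin answers 200
# with the headers, the bot filter answers 403 without them.
SAMPLE_ORIGIN_200 = (200, {
    "content-security-policy": "default-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=()",
    "Server": "cloudflare",
})
SAMPLE_FILTER_403 = (403, {"Server": "cloudflare", "Content-Type": "text/html"})

if __name__ == "__main__":
    for label, (status, hdrs) in (("origin", SAMPLE_ORIGIN_200), ("filtered", SAMPLE_FILTER_403)):
        print(label, audit_response(status, hdrs))
```

Running `fetch_and_audit` against a site that is behind a bot filter will report `possibly_filtered` with all three headers missing, which is the signature seen in this issue rather than a misconfigured origin.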