Securing your Bludit site with HTTP

mxm
Ssr. Bludit
Posts: 29
Joined: Thu Apr 28, 2016 5:10 pm
Location: Kaliningrad, Russia

Did you check your Bludit site with https://securityheaders.io? I did.
I spent some time playing with my web server (Lighttpd), trying to set up a more secure configuration, and now my site has an "A" score, so I can share with you how to reach this result.

On Lighttpd (don't forget to switch on mod_setenv):

# mod_setenv must be loaded, e.g. server.modules += ( "mod_setenv" )
setenv.add-response-header  = (
	"Strict-Transport-Security" => "max-age=15768000",
	"Content-Security-Policy" => "default-src 'self'; script-src 'unsafe-inline' https://www.google-analytics.com https://mc.yandex.ru 'self'; style-src 'unsafe-inline' https://fonts.googleapis.com 'self'; font-src https://fonts.gstatic.com 'self'; connect-src https://mc.yandex.ru 'self'; img-src https://www.google-analytics.com https://mc.yandex.ru 'self'",
	"X-Content-Type-Options" => "nosniff",
	"X-Frame-Options" => "DENY",
	"X-XSS-Protection" => "1; mode=block"
)
On Nginx:

# "always" emits the headers on error responses too. Note that a location
# block containing its own add_header directives does not inherit these,
# so repeat them there or keep them at server level.
add_header Strict-Transport-Security "max-age=15768000" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' https://www.google-analytics.com https://mc.yandex.ru 'self'; style-src 'unsafe-inline' https://fonts.googleapis.com 'self'; font-src https://fonts.gstatic.com 'self'; connect-src https://mc.yandex.ru 'self'; img-src https://www.google-analytics.com https://mc.yandex.ru 'self'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
On Apache:

# Requires mod_headers (a2enmod headers). Apache directives take no trailing
# semicolon; a stray ";" is parsed as an extra argument and rejects the directive.
Header always set Strict-Transport-Security "max-age=15768000"
Header always set Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' https://www.google-analytics.com https://mc.yandex.ru 'self'; style-src 'unsafe-inline' https://fonts.googleapis.com 'self'; font-src https://fonts.gstatic.com 'self'; connect-src https://mc.yandex.ru 'self'; img-src https://www.google-analytics.com https://mc.yandex.ru 'self'"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
Header always set X-XSS-Protection "1; mode=block"
I am using the Google Tools and Yandex Tools plugins, so my Content-Security-Policy HTTP header contains links to their external resources. If you are not using them, just remove those hosts from the script-src, connect-src and img-src fields. If you are loading external images, just add the URL to img-src.
Additional details can be found on Scott Helme's blog.
Last edited by mxm on Fri Oct 07, 2016 12:36 am, edited 1 time in total.
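To see what the scanner in this thread is actually grading, here is an added example (not code from the thread or from Bludit) that audits a response offline: it parses a constructed raw HTTP response carrying the headers from the snippets above, lists which of the graded headers are absent (the set includes Referrer-Policy, which the later "F" report in this thread mentions), and breaks the Content-Security-Policy into directives so that the settings that weaken it, such as `'unsafe-inline'` in `script-src`, are reported rather than hidden inside a long string. The sample response is constructed for the example and is not a real capture.

```python
"""Offline audit of the hardening headers the thread's scanner checks.

Added example, not part of the forum thread or of Bludit. Works on a raw
HTTP response string so it runs without network access.
"""
from typing import Dict, List, Tuple

# Response headers the scanner grades (names compared case-insensitively).
EXPECTED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "x-xss-protection",
    "referrer-policy",
)

# Constructed sample: the headers from the thread's snippets as they would
# come back over HTTPS. Not a capture from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=15768000\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'unsafe-inline' "
    "https://www.google-analytics.com https://mc.yandex.ru 'self'; "
    "style-src 'unsafe-inline' https://fonts.googleapis.com 'self'; "
    "font-src https://fonts.gstatic.com 'self'; "
    "connect-src https://mc.yandex.ru 'self'; "
    "img-src https://www.google-analytics.com https://mc.yandex.ru 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response into a {lower-case name: value} dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Turn "default-src a b; script-src c" into {"default-src": [a, b], ...}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def missing_headers(headers: Dict[str, str]) -> List[str]:
    """Graded headers that the response does not carry."""
    return [h for h in EXPECTED_HEADERS if h not in headers]


def csp_findings(policy: str) -> List[str]:
    """Settings that weaken the policy: no fallback, inline/eval scripts, broad hosts."""
    d = parse_csp(policy)
    findings: List[str] = []
    if "default-src" not in d:
        findings.append("no default-src fallback: unlisted fetch types are unrestricted")
    scripts = d.get("script-src", d.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in scripts:
            findings.append(f"script-src allows {weak}")
    for name, sources in d.items():
        for src in sources:
            if src in ("*", "http:", "https:") or src.startswith("http://"):
                findings.append(f"{name} allows broad source {src}")
    return findings


def audit(raw: str) -> Tuple[List[str], List[str]]:
    """Return (missing graded headers, CSP findings) for a raw response."""
    headers = parse_headers(raw)
    csp = headers.get("content-security-policy")
    return missing_headers(headers), csp_findings(csp) if csp else []


if __name__ == "__main__":
    missing, findings = audit(SAMPLE_RESPONSE)
    print("missing:", missing)
    for finding in findings:
        print("csp:", finding)
```

Run against the sample, it reports Referrer-Policy as the one missing header and `'unsafe-inline'` in `script-src` as the policy weakness; the latter is the price of inline scripts in the analytics plugins, and the policy would gain most of its value against injected script only once those are moved to external files or nonces.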
diego
Site Admin
Posts: 773
Joined: Sat May 16, 2015 2:53 pm
Been thanked: 1 time
mxm
Ssr. Bludit
Posts: 29
Joined: Thu Apr 28, 2016 5:10 pm
Location: Kaliningrad, Russia

:lol: Yes, we know that "Google can't be wrong"

Here is a string for Content-Security-Policy if you are using Disqus and AddToAny plugins:

"default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com https://mc.yandex.ru https://static.addtoany.com https://*.disqus.com https://*.disquscdn.com 'self'; style-src 'unsafe-inline' https://fonts.googleapis.com https://static.addtoany.com https://*.disquscdn.com 'self'; font-src https://fonts.gstatic.com 'self'; connect-src https://mc.yandex.ru https://links.services.disqus.com 'self'; img-src https://www.google-analytics.com https://mc.yandex.ru https://static.addtoany.com data: https://*.disquscdn.com https://referrer.disqus.com 'self'; frame-src https://static.addtoany.com https://disqus.com 'self'
BlakesHeaven
Ssr. Bludit
Posts: 24
Joined: Sat Jan 27, 2018 12:32 am

Hello, I've just scanned my site running Bludit v2.2.1 (yep going to upgrade soon) and after scanning it on https://securityheaders.io I got a score of "F" :(

It lost marks on the following missing headers:
  • Content-Security-Policy
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Referrer-Policy
Is there a plug-in that will harden the headers of Bludit, or is this something each person must do for themselves?
Is it possible for the core program to be strengthened?

Do I put the code in between <head> and </head> somewhere or is it a server side setting or what?
If this code can go in a plug-in how might that be done to be forced into the <head> section?

BTW - My website is hosted on Apache and HTTPS is not an option at the moment.
Many thanks in advance,
David
Edi
Site Admin
Posts: 3121
Joined: Sun Aug 09, 2015 5:01 pm
Location: Zurich
Has thanked: 54 times
Been thanked: 77 times

I will check with this tool.
BlakesHeaven wrote: Wed Mar 21, 2018 4:02 pm BTW - My website is hosted on Apache and HTTPS is not an option at the moment.
There is no excuse for not using https! Starting July 2018 Google will flag websites without SSL certificates as insecure. There is a lot of information about this, for example here:

https://www.theverge.com/2018/2/8/16991 ... yption-ssl

Also SSL is a ranking factor.
Clickwork - Websites with Bludit | Planet Bludit - Tips and Snippets
diego
Site Admin
Posts: 773
Joined: Sat May 16, 2015 2:53 pm
Been thanked: 1 time

BlakesHeaven wrote: Wed Mar 21, 2018 4:02 pm Hello, I've just scanned my site running Bludit v2.2.1 (yep going to upgrade soon) and after scanning it on https://securityheaders.io I got a score of "F" :(

It lost marks on the following missing headers:
  • Content-Security-Policy
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Referrer-Policy
Is there a plug-in that will harden the headers of Bludit, or is this something each person must do for themselves?
Is it possible for the core program to be strengthened?

Do I put the code in between <head> and </head> somewhere or is it a server side setting or what?
If this code can go in a plug-in how might that be done to be forced into the <head> section?

BTW - My website is hosted on Apache and HTTPS is not an option at the moment.
Hi,
you need to configure your Apache web server with the headers.

The headers checked by that page are different things to the meta tags defined in <head> of the html code.

Regards
Diego
bdavis
Jr. Bludit
Posts: 7
Joined: Sat Mar 31, 2018 7:08 pm

diego wrote: Sat Mar 24, 2018 6:36 pm Hi,
you need to configure your Apache web server with the headers.

The headers checked by that page are different things to the meta tags defined in <head> of the html code.

Regards
Diego
Mostly true Diego but you can specify the Content-Security-Policy in a meta tag inside the header.

This can be the best way to go as one server may host more than one website, with more than one html header which may pull in resources from more than one pool.

Putting this in the meta allows you to tailor that specific project to your exact needs.

I might rustle myself up a quick and dirty plugin for just this.
BlakesHeaven
Ssr. Bludit
Posts: 24
Joined: Sat Jan 27, 2018 12:32 am

bdavis wrote: Mon Apr 02, 2018 8:52 pm ... you can specify the Content-Security-Policy in a meta tag inside the header.

This can be the best way to go as one server may host more than one website, with more than one HTML header which may pull in resources from more than one pool.

Putting this in the meta allows you to tailor that specific project to your exact needs.

I might rustle myself up a quick and dirty plugin for just this.
Hi B Davis, did you get anywhere with this plugin?
Also, a post back to this post with the meta tag code you would suggest putting in the header would be fantastic. Then I can add it to my own theme I am working on. :P
Many thanks in advance,
David
Edi
Site Admin
Posts: 3121
Joined: Sun Aug 09, 2015 5:01 pm
Location: Zurich
Has thanked: 54 times
Been thanked: 77 times

As Diego explained the CSP normally is handled by the server.

Adding a meta tag is another possibility. You can add it to your theme without a plugin:

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Clickwork - Websites with Bludit | Planet Bludit - Tips and Snippets
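For the per-site meta-tag approach discussed in the last few posts, here is an added example (not a Bludit plugin and not code from the thread) that builds the `<meta http-equiv="Content-Security-Policy">` element a theme would emit from a policy table, and separates out the directives that a meta element cannot carry: the CSP specification ignores `frame-ancestors`, `report-uri` and `sandbox` when the policy is delivered in `<meta>`, and X-Frame-Options has no meta form at all. Those still have to live in the server configuration, so a shared-host setup ends up with a small per-site policy in the theme and the clickjacking protection in the Apache config. The policy table is constructed for the example; the `apache_header_lines` helper is hypothetical and only shows the mod_headers lines the split produces.

```python
"""Split a CSP into the part a theme can emit as <meta> and the part that
must stay a response header.

Added example; not Bludit's code and not from the forum thread.
"""
import html
from typing import Dict, List, Tuple

# Directives the CSP spec does not honour in a <meta> element.
HEADER_ONLY_DIRECTIVES = frozenset({"frame-ancestors", "report-uri", "sandbox"})

# Constructed policy for one site on a shared server (not from the thread).
# Dict order is preserved (Python 3.7+), so output order is predictable.
SITE_POLICY: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://www.google-analytics.com"],
    "img-src": ["'self'", "data:"],
    "frame-ancestors": ["'none'"],  # header-only: belongs in the server config
}


def serialize_csp(policy: Dict[str, List[str]]) -> str:
    """Join {directive: [sources]} back into CSP header syntax."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())


def split_for_meta(policy: Dict[str, List[str]]) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Return (directives usable in <meta>, directives that need the header)."""
    meta = {k: v for k, v in policy.items() if k not in HEADER_ONLY_DIRECTIVES}
    header = {k: v for k, v in policy.items() if k in HEADER_ONLY_DIRECTIVES}
    return meta, header


def csp_meta_tag(policy: Dict[str, List[str]]) -> str:
    """The <meta> element for a theme's <head>, with the attribute value escaped."""
    meta, _ = split_for_meta(policy)
    # Escape &, <, > and the double quote that delimits the attribute; single
    # quotes are legal inside a double-quoted attribute and stay readable.
    content = html.escape(serialize_csp(meta), quote=False).replace('"', "&quot;")
    return f'<meta http-equiv="Content-Security-Policy" content="{content}">'


def apache_header_lines(policy: Dict[str, List[str]]) -> List[str]:
    """Hypothetical helper: mod_headers lines for the directives <meta> cannot carry."""
    _, header = split_for_meta(policy)
    lines: List[str] = []
    if header:
        lines.append(f'Header always set Content-Security-Policy "{serialize_csp(header)}"')
    # frame-ancestors 'none' and X-Frame-Options DENY express the same intent;
    # older browsers only understand the latter, so emit both.
    if header.get("frame-ancestors") == ["'none'"]:
        lines.append('Header always set X-Frame-Options "DENY"')
    return lines


if __name__ == "__main__":
    print(csp_meta_tag(SITE_POLICY))
    for line in apache_header_lines(SITE_POLICY):
        print(line)
```

One more point worth checking when going the meta route: the browser only applies a meta policy from the point in the document where it is parsed, so the element should be the first thing inside `<head>`, before any script or stylesheet reference.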