I am Guybrush Threepwood, mighty developer?

LRAM
Master Bludit
Posts: 182
Joined: Sat Sep 24, 2016 4:02 pm
Location: France
Has thanked: 9 times
Been thanked: 1 time

OK, I have to wait until it happens again to measure the differences.
tiloschroeder
Ssr. Bludit
Posts: 23
Joined: Sat Feb 25, 2023 10:59 am
Location: Klosterlechfeld
Has thanked: 3 times
Been thanked: 9 times

Okay, now that I've tested your website, I've found out 3 things:

1. Script not found
Your website loads a script from jsdelivr.net that cannot be found (error 404).

Code:

<!-- Load Bludit Plugins: Site head -->
...
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/amplitudejs@{{v5.1.0}}/dist/amplitude.js"></script>
2. HSTS and http:// -> https://
Your website returns an HSTS header, which tells the browser to connect to your website only via https:// for at least the next 6 months. Good.
But there is no automatic redirection from http:// to https://. This means your website is also reachable insecurely (http://).

To solve this issue, open the file .htaccess in the root directory and add the following lines:

Code:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
If after this your website goes blank (white) or returns an error 500, remove the lines from the file and ask your provider how the redirect can be implemented.

3. Special security headers

You can also add some special security headers (recommended), i.e. against cross-site scripting attacks, by adding the following lines to the file .htaccess:

Code:

<IfModule mod_headers.c>
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-UA-Compatible "IE=edge"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
</IfModule>
You can scan and test the website headers on Observatory from Mozilla: https://observatory.mozilla.org/analyze ... and-me.com
LRAM
Master Bludit
Posts: 182
Joined: Sat Sep 24, 2016 4:02 pm
Location: France
Has thanked: 9 times
Been thanked: 1 time

Thank you very much for this analysis, I am very grateful.
I don't know what this missing script is; it seems to load a jQuery.
.htaccess modified as specified; thank you again,
hoping that this will solve the problem.
What is surprising is that I don't encounter it on my other sites.
AzzakaPrime
Jr. Bludit
Posts: 3
Joined: Wed Jun 09, 2021 11:19 am
Has thanked: 1 time
Been thanked: 1 time

Base steps for any installation:

Redirect Port 80 to 443
Always redirect to SSL to stop pages being served on Port 80. There is no need to serve pages on Port 80 anymore:

<VirtualHost *:80>
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

No Indexing and No Following Symlinks
Remove directory indexing to stop people from scouring the server for sensitive information or pages that should not be visible externally. (this can be over-ridden in the .htaccess file.)

<Directory "/var/www/html">
Options -Indexes -FollowSymLinks
AllowOverride None
Require all granted
</Directory>

Extra Server Hardening
The below amendments will stop Cross-Site-Scripting, set the Cross-Framing to the 'Same Origin', turn on the Rewrite engine, and other pieces.

Note: X-Clacks-Overhead "GNU Terry Pratchett" is optional, and is used to keep Sir Terry's name alive. See here: Clacks Overhead - GNU Terry Pratchett

# Hide version details in the Server header and in error pages
ServerTokens Prod
ServerSignature Off
# Do not derive ETags from inode/size/mtime
FileETag None
# Disable HTTP TRACE
TraceEnable off
Header append X-Frame-Options "SAMEORIGIN"
Header set X-Clacks-Overhead "GNU Terry Pratchett"
Header set X-XSS-Protection "1; mode=block"
ExtendedStatus Off
RewriteEngine On
# Refuse OPTIONS requests with 403 Forbidden
RewriteCond %{REQUEST_METHOD} ^OPTIONS
RewriteRule .* - [F]
# Answer any method other than GET, POST or HEAD with 405 Method Not Allowed
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule .* - [R=405,L]

There are other steps. These include installing 'fail2ban' and AV software. Also, disable TLS1.0 and TLS1.1. These are no longer secure; TLS1.2 and TLS1.3 should be used ONLY.
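As an added example (not code from either post, nor from Bludit), here is a small Python script that checks a server's responses for the points raised by tiloschroeder and AzzakaPrime above: the http:// to https:// redirect, an HSTS lifetime of at least 6 months, X-Frame-Options and X-Content-Type-Options, a Server header that still shows a version number (ServerTokens not set to Prod), and a 403/405 answer to unwanted request methods. The responses are constructed sample text in the shape `curl -i` prints, so the script runs offline; on a real site you would paste in the captured response heads. X-XSS-Protection is deliberately not checked, since current browsers ignore that header.

```python
"""Offline audit of HTTP response headers for the checks discussed in the
thread.  All responses below are constructed samples for this example
(what `curl -i` would print); nothing is fetched from the network."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SIX_MONTHS = 180 * 24 * 3600  # 15552000 s, the HSTS lifetime the thread mentions


@dataclass
class Response:
    status: int
    headers: Dict[str, str]  # header names lower-cased, values stripped


def parse_raw_response(raw: str) -> Response:
    """Parse the status line and headers of an HTTP/1.x response; body ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return Response(status, headers)


def hsts_max_age(value: str) -> Optional[int]:
    """Extract max-age from a Strict-Transport-Security value, None if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_plain_http(resp: Response) -> List[str]:
    """The port-80 answer should be a permanent redirect to an https:// URL."""
    location = resp.headers.get("location", "")
    if resp.status not in (301, 308) or not location.lower().startswith("https://"):
        return ["no permanent redirect from http:// to https://"]
    return []


def audit_https(resp: Response) -> List[str]:
    """Checks on the https:// answer: HSTS, anti-framing, nosniff, version leak."""
    findings = []
    hsts = resp.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < SIX_MONTHS:
            findings.append(f"HSTS max-age below 6 months: {hsts}")
    if resp.headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("missing X-Frame-Options DENY/SAMEORIGIN")
    if resp.headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    server = resp.headers.get("server", "")
    if re.search(r"/\d", server):  # "Apache/2.4.x" style banner: ServerTokens is not Prod
        findings.append(f"Server header leaks version: {server}")
    return findings


def audit_method_block(resp: Response) -> List[str]:
    """The answer to an OPTIONS (or other unwanted) request should be 403 or 405."""
    if resp.status in (403, 405):
        return []
    return [f"unwanted request method accepted with status {resp.status}"]


def audit_site(http_raw: str, https_raw: str, options_raw: str) -> List[str]:
    """Combine the three checks into one findings list."""
    return (audit_plain_http(parse_raw_response(http_raw))
            + audit_https(parse_raw_response(https_raw))
            + audit_method_block(parse_raw_response(options_raw)))


# Constructed sample responses (not captured from any real site).
HTTP_BAD = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Debian)\r\n"
            "Content-Type: text/html\r\n\r\n<html>served over plain http</html>")
HTTP_GOOD = ("HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\n"
             "Location: https://example.com/\r\nContent-Length: 0\r\n\r\n")
HTTPS_BAD = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Debian)\r\n"
             "Strict-Transport-Security: max-age=31536000\r\n\r\n<html>...</html>")
HTTPS_GOOD = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
              "\r\n<html>...</html>")
OPTIONS_GOOD = "HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\n\r\n"

if __name__ == "__main__":
    for finding in audit_site(HTTP_BAD, HTTPS_BAD, OPTIONS_GOOD):
        print("FINDING:", finding)
    print("hardened site findings:", audit_site(HTTP_GOOD, HTTPS_GOOD, OPTIONS_GOOD))
```

Run as-is it reports four findings for the weak sample (no redirect, no X-Frame-Options, no nosniff, version in the Server header) and an empty list for the hardened one. The redirect check only accepts 301/308 because the .htaccess snippets in the thread use R=301; a 302 would also get the user to https:// but is not cached by the browser as permanent.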
LRAM
Master Bludit
Posts: 182
Joined: Sat Sep 24, 2016 4:02 pm
Location: France
Has thanked: 9 times
Been thanked: 1 time

It just happened again :evil:
But now I have a backup of the altered version and the original.
Which file should I compare?