Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

  1. Index
  2. » General discussions
  3. » Wtf?

#1 2017-09-27 11:21:07

Pat64
Plugin Author
From: France
Registered: 2005-12-12
Posts: 1,634
GitHub Twitter

Wtf?

What are you thinking about this report? https://securityheaders.io/?q=textpattern.io

How to improve? Any ideas?


Patrick.

Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.

Offline

#2 2017-09-27 11:54:30

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,090
Website GitHub Mastodon Twitter

Re: Wtf?

Hi Patrick,

I do not trust the results as I checked another site which produced similar results inspite of the fact that its htaccess had all the protections covered.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#3 2017-09-27 13:50:21

Pat64
Plugin Author
From: France
Registered: 2005-12-12
Posts: 1,634
GitHub Twitter

Re: Wtf?

Ok.
;)


Patrick.

Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.

Offline

#4 2017-09-27 13:55:57

michaelkpate
Moderator
From: Avon Park, FL
Registered: 2004-02-24
Posts: 1,379
Website GitHub Mastodon

Offline

#5 2017-09-27 16:50:16

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,564
Website GitHub Mastodon

Re: Wtf?

I’ve tightened up the security on the Textpattern sites now. As follows:

textpattern.com

Note that I can’t implement CSP or Referrer-Policy on Textpattern.com domain because its breaks our ad referrals. Nothing I can do about that currently.

forum.textpattern.io

The forum was already pretty well locked-down (was an A rating), as it should be given it’s user generated content. I added a Referrer-Policy now to make it A+ rated.

However…

docs.textpatern.io

…is hosted on GitHub (via Jeykll) and I cannot improve security on that. Since it’s flat files anyway there won’t be security implications unless someone hacks into GitHub – so no real problem!

Offline

#6 2017-09-27 18:58:36

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,090
Website GitHub Mastodon Twitter

Re: Wtf?

wonderful

I guess you did it via htaccess. Anyway we can see it?


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#7 2017-09-27 20:29:44

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,564
Website GitHub Mastodon

Re: Wtf?

Sure, Textpattern.com htaccess is here

Forum htaccess is here

Offline

#8 2017-09-28 12:09:17

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,190
Website

Re: Wtf?

Inspired by this thread, most of my sites are now A+ :-) (only some minor modifications)

I was wondering though, is it possible to override the settings for a nested folder. On one site, there are old pages that are full of inline scripts (of the Dreamweaver type… that old, I haven’t used Dreamweaver since 2002 or thereabouts).

basically I was trying to add 'unsafe-inline' to the script-src to override the below, but it doesn’t work.

Header append Content-Security-Policy "default-src 'self'; font-src 'self'; img-src 'self' data: * https://*; style-src 'self' 'unsafe-inline'; script-src 'self' https://code.jquery.com "

Hmm, me wonders why all the inline scripts in the admin panel for Texpattern don‘t throw errors with that strict CSP.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#9 2017-09-28 12:13:42

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,090
Website GitHub Mastodon Twitter

Re: Wtf?

philwareham wrote #307230:

Sure, Textpattern.com htaccess is here

Forum htaccess is here

thanks so much Phil!!!


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#10 2017-09-28 13:04:09

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,564
Website GitHub Mastodon

Re: Wtf?

phiw13 wrote #307238:

Hmm, me wonders why all the inline scripts in the admin panel for Texpattern don‘t throw errors with that strict CSP.

I believe Textpattern sets its own CSP that overrides the global (htaccess or server config) header – see line 53 of txplib_head.php.

Offline

#11 2017-09-28 13:43:48

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,190
Website

Re: Wtf?

philwareham wrote #307241:

I believe Textpattern sets its own CSP that overrides the global (htaccess or server config) header – see line 53 of txplib_head.php.

hmm. I will have to study that. Thanks for the pointer.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

  1. Index
  2. » General discussions
  3. » Wtf?

Board footer

Powered by FluxBB