Textpattern CMS support forum
Wtf?
What are you thinking about this report? https://securityheaders.io/?q=textpattern.io
How to improve? Any ideas?
Patrick.
Github | CodePen | Codier | Simplr theme | Wait Me: a maintenance theme | [\a mi.ni.ma]: a “Low Tech” simple Blog theme.
Re: Wtf?
Hi Patrick,
I do not trust the results, as I checked another site which produced similar results in spite of the fact that its htaccess had all the protections covered.
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: Wtf?
Ok.
;)
Patrick.
Re: Wtf?
I tried https://securityheaders.io/?q=wordpress.org
as well as Google, Yahoo, Apple, etc. The only site I can find that passes is
Re: Wtf?
I’ve tightened up the security on the Textpattern sites now. As follows:
Note that I can’t implement CSP or Referrer-Policy on the Textpattern.com domain because it breaks our ad referrals. Nothing I can do about that currently.
The forum was already pretty well locked-down (was an A rating), as it should be given it’s user generated content. I added a Referrer-Policy now to make it A+ rated.
However…
…is hosted on GitHub (via Jekyll) and I cannot improve security on that. Since it’s flat files anyway there won’t be security implications unless someone hacks into GitHub – so no real problem!
Re: Wtf?
wonderful
I guess you did it via htaccess. Anyway we can see it?
Yiannis
Re: Wtf?
Inspired by this thread, most of my sites are now A+ :-) (only some minor modifications)
I was wondering though, is it possible to override the settings for a nested folder? On one site, there are old pages that are full of inline scripts (of the Dreamweaver type… that old, I haven’t used Dreamweaver since 2002 or thereabouts).
Basically I was trying to add 'unsafe-inline' to the script-src to override the below, but it doesn’t work.
Header append Content-Security-Policy "default-src 'self'; font-src 'self'; img-src 'self' data: * https://*; style-src 'self' 'unsafe-inline'; script-src 'self' https://code.jquery.com "
Hmm, me wonders why all the inline scripts in the admin panel for Textpattern don’t throw errors with that strict CSP.
Where is that emoji for a solar powered submarine when you need it?
Sand space – admin theme for Textpattern
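The behaviour phiw13 ran into follows from how browsers treat more than one Content-Security-Policy on a response: when a response carries several policies (two headers, or one header value with comma-separated policies, which is what Apache’s `Header append` produces when a subfolder appends to a policy the parent already set), a resource is permitted only if every policy permits it, so a looser second policy can never relax a stricter first one. The Python below is an added illustration written for this thread, not Textpattern or Apache code; it parses CSP header values the way the spec describes and evaluates the policy quoted above with and without an appended `script-src 'self' 'unsafe-inline'`.

```python
"""Model how a browser combines multiple Content-Security-Policy headers.

Added example for this forum thread (not Textpattern's or Apache's code).
Sample policies are constructed: PARENT_POLICY is the header quoted in the
thread, SUBFOLDER_POLICY is the loosening phiw13 tried to add.
"""
from typing import Dict, List, Optional

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src"}

# Constructed sample input: the parent policy from the thread and a
# subfolder policy that tries to allow inline scripts.
PARENT_POLICY = (
    "default-src 'self'; font-src 'self'; img-src 'self' data: * https://*; "
    "style-src 'self' 'unsafe-inline'; script-src 'self' https://code.jquery.com "
)
SUBFOLDER_POLICY = "script-src 'self' 'unsafe-inline'"


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Parse one serialized policy into {directive-name: [source tokens]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # The spec ignores a repeated directive; the first occurrence wins.
        directives.setdefault(name, sources)
    return directives


def split_header_list(header_value: str) -> List[str]:
    """One header field value may carry several policies separated by commas."""
    return [p.strip() for p in header_value.split(",") if p.strip()]


def policy_allows(directives: Dict[str, List[str]], directive: str, source: str) -> bool:
    """Does a single parsed policy allow `source` for `directive`?

    `source` is either a keyword such as 'self' / 'unsafe-inline' (quoted, as in
    the header) or an origin such as https://code.jquery.com.
    """
    sources: Optional[List[str]] = directives.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = directives.get("default-src")
    if sources is None:
        return True  # neither the directive nor default-src is present
    if "'none'" in sources:
        return False
    if source in sources:
        return True
    if source.startswith("http"):
        if "*" in sources:
            return True
        # Scheme wildcard such as https://* matches any host on that scheme.
        for token in sources:
            if token.endswith("://*") and source.startswith(token[:-1]):
                return True
    return False


def response_allows(header_values: List[str], directive: str, source: str) -> bool:
    """A browser enforces every policy it receives; all of them must allow it."""
    policies = [parse_policy(p) for value in header_values for p in split_header_list(value)]
    return all(policy_allows(p, directive, source) for p in policies)


def subfolder_with_append() -> bool:
    """What `Header append` in the subfolder yields: parent policy, comma, subfolder policy.

    Returns whether inline scripts end up allowed (they do not).
    """
    merged = PARENT_POLICY.strip() + ", " + SUBFOLDER_POLICY
    return response_allows([merged], "script-src", "'unsafe-inline'")


def subfolder_with_set() -> bool:
    """What `Header set` in the subfolder yields: the subfolder policy alone.

    Returns whether inline scripts end up allowed (they do).
    """
    return response_allows([SUBFOLDER_POLICY], "script-src", "'unsafe-inline'")


if __name__ == "__main__":
    print("jQuery CDN allowed by parent:", response_allows([PARENT_POLICY], "script-src", "https://code.jquery.com"))
    print("inline scripts with Header append:", subfolder_with_append())
    print("inline scripts with Header set:", subfolder_with_set())
```

The practical consequence for a nested folder is that the looser policy has to replace the inherited header rather than be appended to it (in mod_headers terms, `Header set` or `Header unset` followed by a fresh `Header set` in the subfolder’s .htaccess), and that the replacement should still list every directive the parent had, since whatever it omits falls back to its own `default-src` rather than to the parent’s.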
Re: Wtf?
philwareham wrote #307230:
Sure, Textpattern.com htaccess is here
Forum htaccess is here
thanks so much Phil!!!
Yiannis
Re: Wtf?
phiw13 wrote #307238:
Hmm, me wonders why all the inline scripts in the admin panel for Textpattern don’t throw errors with that strict CSP.
I believe Textpattern sets its own CSP that overrides the global (htaccess or server config) header – see line 53 of txplib_head.php.
Re: Wtf?
philwareham wrote #307241:
I believe Textpattern sets its own CSP that overrides the global (htaccess or server config) header – see line 53 of txplib_head.php.
hmm. I will have to study that. Thanks for the pointer.