#1 2018-01-06 18:48:49

TheDoc
Member
Munich / Germany
2015-10-18
173

Improve security settings as reported by scan

Hi all,

I'm working on my first New Year's resolution - improving the security of my sites :-)

So I did scans via https://securityheaders.io and https://observatory.mozilla.org, and for my Piwigo installation they both recommend setting the following headers:

- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Referrer-Policy

Unfortunately, I don't have a good idea how to add this to Piwigo. For WordPress I luckily found a plugin, but haven't had luck here.

Any pointer on how to achieve this with piwigo?

Thanks,
Thomas

Piwigo 2.9.2
Operating system: Linux
PHP: 5.6.32 [2018-01-06 18:48:04]
MySQL: 5.5.58-0+deb7u1-log [2018-01-06 18:48:04]
Graphics Library: External ImageMagick 6.8.9-9
Piwigo URL: http://bilder.feuster.com


#2 2018-01-06 23:07:26

teekay
Member
2013-06-12
427

Re: Improve security settings as reported by scan

You set those headers in your web server configuration.

For Apache: http://httpd.apache.org/docs/current/mo … aders.html
For NGINX: http://nginx.org/en/docs/http/ngx_http_ … odule.html

But after looking at the Piwigo URL in your signature (and checking for a https:// version of it), hear the screaming words of a senior admin: the single most effective security enhancement is enabling SSL and making your site reachable via HTTPS-only. You can care about any fancy headers later. They do make a lot of sense, don't get me wrong, but properly implemented SSL should be your nr. 1 top priority (and even lousily implemented SSL is still better than no SSL at all :))

Last edited by teekay (2018-01-06 23:32:33)


#3 2018-01-07 12:15:15

TheDoc
Member
Munich / Germany
2015-10-18
173

Re: Improve security settings as reported by scan

Thanks for the input.

Unfortunately, I don't have access to those settings - they are managed by my hosting provider. That's why I asked for any other solution. Since WordPress seems to manage something via a plugin, there seem to be options?

As for SSL: I probably should go ahead and extend my hosting to include SSL...

Thanks,
Thomas


#4 2018-01-07 17:35:21

teekay
Member
2013-06-12
427

Re: Improve security settings as reported by scan

Most serious hosting providers offer SSL for free nowadays.

For the headers you could try adding them in .htaccess if your webspace supports it. Another way could indeed be a simple custom plugin in Piwigo.

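Added example (not from the thread, not Piwigo's code) of the .htaccess route teekay suggests, covering the four headers from the scan report plus the HTTPS-only redirect argued for in post #2. It assumes Apache with mod_headers and mod_rewrite loaded and a host whose AllowOverride setting allows these directives in the gallery directory; the header values are common defaults, not something the scanners prescribe.

```apache
# Added example: drop this into the .htaccess of the Piwigo directory.
# Both <IfModule> blocks are silently skipped if the module is not loaded,
# so a missing header in the scan can also mean the module is absent.
<IfModule mod_headers.c>
    # "always" also applies to error responses (404, 500), which scanners probe.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # PHP adds X-Powered-By unless expose_php is off; remove it from normal responses.
    Header unset X-Powered-By
    # HSTS only once the site works over HTTPS. The env=HTTPS condition
    # (variable set by mod_ssl) keeps it off plain-HTTP responses.
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Send every plain-HTTP request to the same URL over HTTPS (enable after SSL works).
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```

If the scanner report does not change after uploading this file, the host most likely ignores .htaccess for this path (AllowOverride None) or has mod_headers disabled, which is exactly the case where a plugin-side fallback is needed. On hosts that terminate TLS at a proxy, %{HTTPS} can be "off" inside Apache and the redirect would loop; check with the provider how X-Forwarded-Proto is handled before enabling the rewrite block.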

#5 2018-01-07 18:34:38

TheDoc
Member
Munich / Germany
2015-10-18
173

Re: Improve security settings as reported by scan

Thanks again.

Using .htaccess doesn't seem to work, so I might need to create a simple plugin for this.

Any idea where I would need to add an event handler to make such changes?


#6 2018-01-08 19:42:20

TheDoc
Member
Munich / Germany
2015-10-18
173

Re: Improve security settings as reported by scan

I have now added the following to my Personal Plugin:

Code:

add_event_handler('loc_begin_page_header', 'add_secure_headers');

function add_secure_headers()
{
  // Forbid framing by other origins (clickjacking protection).
  header('X-Frame-Options: SAMEORIGIN');
  // Legacy browser XSS filter; block the page rather than try to sanitize it.
  header('X-XSS-Protection: 1; mode=block');
  // Stop browsers from guessing a MIME type different from the one sent.
  header('X-Content-Type-Options: nosniff');
  // Drop the PHP version banner.
  header_remove('X-Powered-By');
}

That has helped with the headers.

But I'm not sure if there might be a better trigger to add my event handler to?

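A fuller version of the plugin approach from the post above, as an added example (neither TheDoc's code nor Piwigo's). It assumes a plugin directory plugins/security_headers/ containing this main.inc.php, keeps the loc_begin_page_header trigger used in the thread, adds the Referrer-Policy header the scans also asked for, guards against output having already started, and sends HSTS only when the request itself arrived over HTTPS. The header comment follows the usual layout of a Piwigo main.inc.php; the function name is an arbitrary choice.

```php
<?php
/*
Plugin Name: Security Headers (added example)
Version: 0.1
Description: Sends the response headers recommended by securityheaders.io and observatory.mozilla.org
*/
// Added example, not from the thread or the Piwigo project. Assumed to live
// in plugins/security_headers/main.inc.php and be activated in the admin panel.
if (!defined('PHPWG_ROOT_PATH')) { die('Hacked?'); }

add_event_handler('loc_begin_page_header', 'sh_add_security_headers');

function sh_add_security_headers()
{
  // header() only emits a warning once output has started (e.g. another
  // plugin echoed early); bail out quietly rather than spray warnings.
  if (headers_sent()) {
    return;
  }

  $headers = array(
    'X-Frame-Options'        => 'SAMEORIGIN',
    'X-Content-Type-Options' => 'nosniff',
    'X-XSS-Protection'       => '1; mode=block',
    // Send the origin only on cross-site requests, never downgrade to HTTP.
    'Referrer-Policy'        => 'strict-origin-when-cross-origin',
  );

  // HSTS must only ever be sent over HTTPS (IIS reports 'off' instead of unsetting).
  if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    $headers['Strict-Transport-Security'] = 'max-age=31536000';
  }

  foreach ($headers as $name => $value) {
    // second argument true: replace an earlier header of the same name
    // instead of sending a duplicate, which scanners flag as inconsistent.
    header($name.': '.$value, true);
  }

  // PHP adds X-Powered-By unless expose_php=Off in php.ini; remove it here too.
  header_remove('X-Powered-By');
}
```

Because the trigger only fires where Piwigo renders a page header, responses that skip it (the web service, derivative images) will not carry these headers; a server-level configuration applies to every response, which is why it is the better place when the host allows it.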
