
Hardening Improvements - security header recommendations

Open schlos opened this issue 5 years ago • 0 comments

Some recommendations from Sucuri:

  • Missing security header for clickjacking protection. Alternatively, you can use Content-Security-Policy: frame-ancestors 'none'.

    • https://docs.sucuri.net/warnings/hardening/security-headers-x-frame-options/
      • You can enable it by modifying your Apache settings or your .htaccess file - on server side
    • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
  • Missing security header to prevent Content Type sniffing.

    • https://docs.sucuri.net/warnings/hardening/security-headers-x-content-type-nosniff/
      • You can enable it by modifying your Apache settings or your .htaccess file - on server side
  • Missing Strict-Transport-Security security header

    • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
    • applicable only to HTTPS sites on Laddr; can it be made configurable per Emergence instance/site?
    • should be done on server side
  • Missing Content-Security-Policy directive.

    • https://blog.sucuri.net/2018/04/content-security-policy.html
      • We recommend adding the following CSP directives (you can use default-src if all values are the same): script-src, object-src, base-uri, frame-src
    • try to block executing scripts added in content (i.e. page, buzz, project description, comment, etc.)
    • Use "report-uri" to log failed requests. Endpoint to send report JSON to: https://report-uri.com/#prices (free up to 10,000 requests per month); when testing in production, use "report-only" to send reports to the URL endpoint for what would be blocked by the set CSP rules.
  • Leaked PHP version. Your site is displaying your PHP version in the HTTP headers. Please set expose_php = Off.

    • https://secure.php.net/manual/en/ini.core.php
    • this should be done on server side (Emergence hosting)

Check full report at: https://sitecheck.sucuri.net/results/codeforphilly.org (same results are for other Laddr instances)

schlos avatar May 22 '20 09:05 schlos
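As an added example (not Laddr's or Emergence's code), a small Python check that reproduces the header audit from this issue against a captured set of response headers, so a deployment can be re-checked without the external scanner. `audit_headers`, the sample header dicts and the report-uri host are constructed for illustration, and the `https=` flag is an assumption used to decide whether the HSTS finding applies.

```python
"""Header audit for the Sucuri findings in this issue (added example, constructed values)."""
def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers, https=True):
    """Return findings for a dict of response headers (names matched
    case-insensitively); `https` says whether HSTS applies at all."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    findings = []
    # Clickjacking: X-Frame-Options or a CSP frame-ancestors directive.
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options or frame-ancestors")
    # Content type sniffing: the only valid value is 'nosniff'.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("sniffing: X-Content-Type-Options: nosniff missing")
    if https and "strict-transport-security" not in h:
        findings.append("hsts: Strict-Transport-Security missing")
    if not csp:
        findings.append("csp: Content-Security-Policy missing")
    else:
        # script-src, object-src and frame-src fall back to default-src;
        # base-uri does not, so it must always be set explicitly.
        for d in ("script-src", "object-src", "base-uri", "frame-src"):
            if d not in csp and (d == "base-uri" or "default-src" not in csp):
                findings.append(f"csp: {d} not set")
        if "report-uri" not in csp and "report-to" not in csp:
            findings.append("csp: no report-uri/report-to, violations unlogged")
    # expose_php = On adds "X-Powered-By: PHP/x.y.z" to every response.
    if "php/" in h.get("x-powered-by", "").lower():
        findings.append("leak: X-Powered-By shows PHP version (expose_php = Off)")
    return findings

# Constructed sample: a response showing the findings from this issue.
WEAK_HEADERS = {"Content-Type": "text/html", "X-Powered-By": "PHP/7.3.0"}
# Constructed sample after applying the recommendations (report host is a placeholder).
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; base-uri 'self'; "
    "frame-ancestors 'none'; report-uri https://csp-report.example/collect",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
```

Feed it the headers from a `curl -I` of an HTTPS page (or `https=False` for a plain-HTTP instance) and an empty list means all five recommendations are in place.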