I'm sorry, but this is terrible advice. Web server security goes well beyond phpBB. As it turns out, these particular warnings relate to server configuration, specifically response header settings. While implementing the measures Securi has suggested goes well beyond the scope of this support forum, to recommend users ignore them out of hand is irresponsible.
A quick review of the changelog for phpBB since 3.0.0 as well as authoritative vulnerability lists demonstrates this statement to be false and again this advice is misleading and irresponsible. It also gives users a false sense of security that running phpBB3 alone is perfectly safe so they don't need to be aware of other security vulnerabilities in the server and supporting software and protocols (operating system, FTP, SSH, PHP, MySQL etc).
There are many, many so-called security sites out there that can give you all sorts of warnings etc.
However, since phpBB 3 came out, none of those warnings have turned out to be valid that I am aware of.
These statements seem at odds with the fact that the change log regularly lists security issues addressed in phpBB, including cross-site scripting and remote code execution vulnerabilities.
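Code:
# Extra Security Headers
<IfModule mod_headers.c>
    # Legacy XSS filter switch for older browsers
    Header set X-XSS-Protection "1; mode=block"
    # Stop browsers from MIME-sniffing responses
    Header set X-Content-Type-Options nosniff
    # Send a single X-Frame-Options value; use SAMEORIGIN instead of DENY
    # if the site needs to frame its own pages
    Header set X-Frame-Options DENY
    # Send only the origin as referrer
    Header set Referrer-Policy strict-origin
</IfModule>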
If you use CloudFlare or anyone else, this can be set in their.
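Added example, not part of the original posts: a small Python check that audits a response for the four headers in the snippet above, including the case where X-Frame-Options arrives with two different values (in Apache this can happen when one `Header` directive uses `always` and another does not). The sample responses and the names `EXPECTED`, `parse_headers` and `audit` are constructed for illustration.

```python
# Values taken from the .htaccess snippet in the thread; SAMEORIGIN is also accepted.
EXPECTED = {
    "x-xss-protection": {"1; mode=block"},
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"deny", "sameorigin"},
    "referrer-policy": {"strict-origin"},
}
SINGLE_VALUED = {"x-frame-options"}  # must carry exactly one value

def parse_headers(raw):
    """Return {lowercased name: [values]}, keeping repeated headers."""
    headers = {}
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line.strip():
            break                            # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return a sorted list of (header, problem) findings."""
    headers = parse_headers(raw)
    findings = []
    for name, allowed in EXPECTED.items():
        # Repeated headers and comma-joined values are treated alike.
        values = {v.strip().lower() for joined in headers.get(name, [])
                  for v in joined.split(",")}
        if not values:
            findings.append((name, "missing"))
        elif name in SINGLE_VALUED and len(values) > 1:
            findings.append((name, "conflicting values: " + ", ".join(sorted(values))))
        elif not values <= allowed:
            findings.append((name, "unexpected value: " + ", ".join(sorted(values - allowed))))
    return sorted(findings)

# Constructed sample responses (not captured from a real server).
GOOD = ("HTTP/1.1 200 OK\nContent-Type: text/html\n"
        "X-XSS-Protection: 1; mode=block\nX-Content-Type-Options: nosniff\n"
        "X-Frame-Options: DENY\nReferrer-Policy: strict-origin\n\n")
BAD = ("HTTP/1.1 200 OK\nContent-Type: text/html\n"
       "X-Frame-Options: DENY\nX-Frame-Options: SAMEORIGIN\n"
       "X-Content-Type-Options: nosniff\n\n")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("bad", BAD)):
        print(label, audit(raw) or "all four headers as expected")
```

Paste the header block of a real response (for example from the browser's network panel) in place of the samples to check a live site, whether the headers come from Apache or from a proxy in front of it.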