Question about sucuri.net site checks

php_mike
Registered User
Posts: 192
Joined: Fri Aug 30, 2013 3:31 pm

Question about sucuri.net site checks

Post by php_mike »

If anyone else wants to try it, it's here. https://sitecheck.sucuri.net/

The results show the following for the brand new site I'm still working on.

Security Headers
Missing security header for XSS Protection.
Missing security header to prevent Content Type sniffing.
Missing Strict-Transport-Security security header.

Am I missing something in terms of security, are these mainly notices, correct or not correct? I'm not sure how to interpret the results.
Last edited by Mick on Wed Feb 19, 2020 6:21 pm, edited 1 time in total.

Lumpy Burgertushie
Registered User
Posts: 67384
Joined: Mon May 02, 2005 3:11 am

Re: Question about sucuri.net site checks

Post by Lumpy Burgertushie »

Since there are no known issues with phpBB 3, I would simply ignore that site's opinion.

There are many, many so-called security sites out there that can give you all sorts of warnings etc.
However, since phpBB 3 came out, none of those warnings have turned out to be valid that I am aware of.


robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.3 Styles by PlanetStyles.net

If nobody is in the forest, does a tree really fall?

KYPREO
Registered User
Posts: 388
Joined: Fri Feb 02, 2018 9:56 am

Re: Question about sucuri.net site checks

Post by KYPREO »

Lumpy Burgertushie wrote:
Tue Feb 18, 2020 9:48 pm
since there are no known issues with phpbb 3 I would simply ignore that site's opinion.
I'm sorry, but this is terrible advice. Web server security goes well beyond phpBB. As it turns out, these particular warnings relate to server configuration, specifically response header settings. While implementing the measures Sucuri has suggested goes well beyond the scope of this support forum, to recommend users ignore them out of hand is irresponsible.

I suggest the OP does some Googling on these recommendations. There are plenty of resources explaining what each of the measures is, to help decide whether to implement them (some are specifically for running a site on HTTPS), and how to set them up with your particular server (how to do it is different in Apache, Nginx, IIS etc.).
there are many many so called security sites out there that can give you all sorts of warnings etc.
however, since phpbb 3 came out , none of those warnings have turned out to be valid that I am aware of.
A quick review of the changelog for phpBB since 3.0.0, as well as authoritative vulnerability lists, demonstrates this statement to be false, and again this advice is misleading and irresponsible. It also gives users a false sense of security that running phpBB3 alone is perfectly safe, so they don't need to be aware of other security vulnerabilities in the server and supporting software and protocols (operating system, FTP, SSH, PHP, MySQL etc.).
phpBB user since 2002
www.AusRotary.com

Lumpy Burgertushie
Registered User
Posts: 67384
Joined: Mon May 02, 2005 3:11 am

Re: Question about sucuri.net site checks

Post by Lumpy Burgertushie »

While what you say is certainly correct for server security, the OP posted in phpBB 3.3 Support.
The warnings he shows have nothing to do with phpBB, as you said.

I will certainly retract my statements in relation to web server security issues, and I do apologize for any confusion. However, the fact remains that there have been no known security issues with phpBB since 3.0 came out. As far as I remember, each major upgrade gets a security audit done before it is released.


EA117
Registered User
Posts: 1381
Joined: Wed Aug 15, 2018 3:23 am

Re: Question about sucuri.net site checks

Post by EA117 »

Lumpy Burgertushie wrote:
Wed Feb 19, 2020 12:45 am
however the fact remains that there has been no known security issues with phpbb since 3.0 came out.
These statements seem at odds with the fact that the change log regularly lists security issues addressed in phpBB, including cross-site scripting and remote code execution vulnerabilities.

php_mike
Registered User
Posts: 192
Joined: Fri Aug 30, 2013 3:31 pm

Re: Question about sucuri.net site checks

Post by php_mike »

All good input either way. I always take security warnings seriously, which is why I thought I'd ask here before spending time on these.
There could have been some simple answer, which I hoped for, but it seems I now have to add this to my already stupidly long list of diversions that seem to happen every single day.

I have not been able to read up on as much as I'd like, but I am sure that when there are serious security issues with phpBB they get fixed ASAP.
On the other hand, even if the problems are related to web servers running phpBB, people usually share their findings, which helps others in case they are not aware.

Thanks for the input. Google time for me is now on the list of too many things to do.

php_mike
Registered User
Posts: 192
Joined: Fri Aug 30, 2013 3:31 pm

Re: Question about sucuri.net site checks

Post by php_mike »

Here's how I got rid of the warnings from Sucuri. Still have to confirm this is all I need to do.

This is for Apache only. Make sure you have mod_headers loaded; it uses:
LoadModule headers_module modules/mod_headers.so

# X-XSS-Protection header
Header set X-XSS-Protection "1; mode=block"

# Missing security header to prevent Content Type sniffing.
Header set X-Content-Type-Options nosniff

# Apache - Configuring HTTP Strict Transport Security
#Add this into the SSL section of each virtualhost
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

John connor
Registered User
Posts: 2490
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Question about sucuri.net site checks

Post by John connor »

Those headers can be set in the .htaccess file.

#Extra Security Headers
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options nosniff
    # One X-Frame-Options value only: appending SAMEORIGIN to the "always" table
    # and also setting DENY would send two conflicting values to the browser.
    # DENY is the stricter alternative if the board is never framed.
    Header always set X-Frame-Options SAMEORIGIN
    # No colon after the header name in a Header directive
    Header set Referrer-Policy strict-origin
</IfModule>
This is for Apache and LiteSpeed. Not sure about other server software.

Also check here: https://observatory.mozilla.org/


To see if your headers are there, go to the web console in your browser.

If your server or host doesn't have mod_headers.c installed, tell them to do it. If not, ditch that crappy host. If you use CloudFlare, they should also have mod_cloudflare installed so you get the right IPs.
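Besides the browser's web console, the header checks from this thread (php_mike's HSTS config above and the .htaccess block in this post) can be scripted. The following is an added example in Python, not code from the thread or from phpBB; the header lists are constructed to mirror the Sucuri findings and the fixes posted, and the one-year HSTS minimum and the accepted Referrer-Policy tokens are this example's own assumptions.

```python
"""Audit HTTP response headers for the items discussed in the thread.
Added example (Python); the sample header lists below are constructed."""
import sys
import urllib.request

# Recognised values; anything else is reported as a misconfiguration.
XFO_VALUES = {"deny", "sameorigin"}
REFERRER_POLICY_VALUES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
MIN_HSTS_MAX_AGE = 31536000  # one year; a common baseline, assumed here


def group_headers(headers):
    """Group (name, value) pairs by lower-cased name, keeping duplicates
    so that conflicting values (e.g. two X-Frame-Options) stay visible."""
    grouped = {}
    for name, value in headers:
        grouped.setdefault(name.strip().lower(), []).append(value.strip())
    return grouped


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives."""
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        key = key.strip().lower()
        if not key:
            continue
        if key == "max-age":
            val = val.strip().strip('"')
            directives[key] = int(val) if val.isdigit() else None
        else:
            directives[key] = True
    return directives


def audit_headers(headers, https=True):
    """Return a list of findings; an empty list means every check passed."""
    h = group_headers(headers)
    findings = []

    xcto = h.get("x-content-type-options", [])
    if not xcto:
        findings.append("Missing X-Content-Type-Options (expected 'nosniff')")
    elif any(v.lower() != "nosniff" for v in xcto):
        findings.append("X-Content-Type-Options is not 'nosniff': %r" % xcto)

    if "x-xss-protection" not in h:
        findings.append("Missing X-XSS-Protection")

    xfo = h.get("x-frame-options", [])
    if not xfo:
        findings.append("Missing X-Frame-Options")
    elif len(xfo) > 1:
        findings.append("Conflicting X-Frame-Options values: %r" % xfo)
    elif xfo[0].lower() not in XFO_VALUES:
        findings.append("Unrecognised X-Frame-Options value: %r" % xfo[0])

    rp = h.get("referrer-policy", [])
    if not rp:
        findings.append("Missing Referrer-Policy")
    elif any(v.lower() not in REFERRER_POLICY_VALUES for v in rp):
        findings.append("Unrecognised Referrer-Policy value: %r" % rp)

    if https:  # browsers ignore HSTS received over plain HTTP
        hsts = h.get("strict-transport-security", [])
        if not hsts:
            findings.append("Missing Strict-Transport-Security")
        else:
            d = parse_hsts(hsts[0])
            max_age = d.get("max-age")
            if max_age is None:
                findings.append("HSTS max-age missing or not numeric")
            elif max_age < MIN_HSTS_MAX_AGE:
                findings.append("HSTS max-age %d is below one year" % max_age)
            if "includesubdomains" not in d:
                findings.append("HSTS does not include subdomains")
    return findings


# Constructed samples: the "before" state Sucuri reported, the thread's fixes,
# and a variant that sets X-Frame-Options twice with different values.
BEFORE = [("Content-Type", "text/html; charset=UTF-8"), ("Server", "Apache")]
AFTER = BEFORE + [
    ("X-XSS-Protection", "1; mode=block"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Referrer-Policy", "strict-origin"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
]
CONFLICTING = AFTER + [("X-Frame-Options", "DENY")]


def audit_url(url):
    """Fetch a live URL and audit its response headers (needs network)."""
    with urllib.request.urlopen(url) as resp:
        return audit_headers(resp.getheaders(), https=url.startswith("https://"))


if __name__ == "__main__":
    findings = audit_url(sys.argv[1]) if len(sys.argv) > 1 else audit_headers(BEFORE)
    print("\n".join(findings) or "No findings")
```

Run it with no arguments to see the five findings for the constructed "before" headers, or pass your board's URL to audit the live response. Duplicates are kept on purpose: the .htaccess variant that both appends SAMEORIGIN and sets DENY shows up as a conflicting X-Frame-Options finding rather than silently passing.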

John connor
Registered User
Posts: 2490
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Question about sucuri.net site checks

Post by John connor »

php_mike wrote:
Wed Feb 19, 2020 5:21 pm
# Apache - Configuring HTTP Strict Transport Security
#Add this into the SSL section of each virtualhost
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
If you use CloudFlare or anyone else, this can be set in there.

Check your Cert. here: https://www.ssllabs.com/ssltest/

php_mike
Registered User
Posts: 192
Joined: Fri Aug 30, 2013 3:31 pm

Re: Question about sucuri.net site checks

Post by php_mike »

Great, now anyone looking for this information should find this thread and get all the info they could ever want on how to fix the little issue :).

Thanks for all the input.
