Adding More Security To phpbb Website

durangod
Registered User

Adding More Security To phpbb Website

Post by durangod »

Hello, I ran my phpBB website through this

https://pentest-tools.com/website-vulne ... te-scanner

There were a few things it recommended.

1. It recommended changing the name of the cookie and also pointing it to .example.com (notice the beginning dot).
1a. I need to add this also but do not know where to place it in the phpBB files.

Code:

 ini_set('session.cookie_httponly', '1');

2. We recommend setting the X-Content-Type-Options header.

2a. I also do not know where to place that command in phpBB.

Code:

X-Content-Type-Options: nosniff

3. Response headers do not include the Referrer-Policy HTTP security header, and the <meta> tag with name 'referrer' is not present in the response.

3a. The Referrer-Policy header should be configured on the server side to avoid user tracking and inadvertent information leakage. The value

Code:

no-referrer

of this header instructs the browser to omit the Referer header entirely.

3b. Where do I put that code in phpBB?

4. Recommendation:
We recommend you to eliminate the information which permits the identification of software platform, technology, server and operating system: HTTP server headers, HTML meta information, etc.

4a. How do I do that in phpBB?

5. Security.txt file is missing.

5a. How do I add one in phpBB?

Thank you :)
Last edited by thecoalman on Sat Jul 27, 2024 3:42 am, edited 1 time in total.
Reason: Moved to phpBB Discussion
Username is short for durango dave
thecoalman
Community Team Member

Re: Adding More Security To phpbb Website

Post by thecoalman »

1. The cookie name can be changed under "Cookie settings", the link is lower left on the main ACP page. Presumably they are suggesting this so you can't identify the software that is setting the cookie by its common name; I believe the default is phpbb3_<randomstring>. Be aware that if you change the cookie name everyone will get logged out.

The preceding dot for the domain is recommended here on phpbb.com, but AFAIK it's for compatibility with legacy browsers related to subdomains, not sure why that would be a security recommendation.

ini_set('session.cookie_httponly', '1'); can be set in php.ini, but it's different code than what you would use in a script: session.cookie_httponly=On. You'd have to test it, but based on the description it may break some functions in phpBB, e.g. Mark forums read and file uploads should be tested.

2,3,4 These are all server configurations.

As 4 relates to phpBB, the one place you can positively identify the version of the software is through style.cfg in the styles/<style>/ folder. You can add a .htaccess file in the styles folder to whitelist or blacklist specific files for public access. The public needs access to .js, images, css, etc. There might be other sources to directly identify the version I'm unaware of. Indirectly it can be done by examining CSS, markup on the page etc. That of course cannot be blocked; it would be impossible to remove all indirect identification methods for the software/version.

5. Appears to be a simple txt file with formatted contact information you would add to the server's .well-known directory. It's not related to phpBB.
-------------------------

Quick tip, you can password protect the ADM folder with Apache, this can usually be set up in server control panel.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
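Items 2 to 5 of the opening post, and the reply above that they are server configuration, come down to two things: a way to see which of the flagged headers a board actually sends, and the Apache fragments that set them. The script below is an added example written for this thread; it is not phpBB code and not the scanner's code. It audits a response header block (the two blocks embedded in it are constructed, not captured from any real board), then appends a hardening fragment to the board's existing .htaccess, puts HTTP basic auth in front of adm/ as the reply suggests, and writes a .well-known/security.txt with the two fields RFC 9116 requires. The htpasswd path, the domain, the cookie names and the hardened Referrer-Policy value are assumptions for illustration.

```sh
#!/bin/sh
# Audit a captured HTTP response for the items the scanner flagged, then
# write the Apache fragments that address the server-side ones.
# Example added to this thread; not phpBB code and not the scanner's code.

# Constructed sample responses (not captured from a real board). The first
# is what a stock Apache + PHP install might send, the second is the target.
SAMPLE_DEFAULT='HTTP/1.1 200 OK
Server: Apache/2.4.57 (Debian)
X-Powered-By: PHP/8.2.7
Set-Cookie: phpbb3_abc12_sid=0123456789abcdef; path=/; domain=.example.com; secure
Set-Cookie: phpbb3_abc12_u=1; path=/; domain=.example.com; secure; HttpOnly
Content-Type: text/html; charset=UTF-8'

SAMPLE_HARDENED='HTTP/1.1 200 OK
Server: Apache
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
X-Frame-Options: SAMEORIGIN
Set-Cookie: phpbb3_abc12_sid=0123456789abcdef; path=/; domain=.example.com; secure; HttpOnly
Content-Type: text/html; charset=UTF-8'

# header_value NAME BLOCK: print the first value of header NAME (case-insensitive), or nothing
header_value() {
    printf '%s\n' "$2" | tr -d '\r' | grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# missing_headers BLOCK: print one finding per line; prints nothing when the response is clean
missing_headers() {
    h=$1
    for name in X-Content-Type-Options Referrer-Policy X-Frame-Options; do
        [ -z "$(header_value "$name" "$h")" ] && echo "missing $name"
    done
    # a version number in Server (e.g. Apache/2.4.57) is the fingerprint the scanner objects to
    case "$(header_value Server "$h")" in
        *[0-9]*) echo "Server header reveals a version" ;;
    esac
    [ -n "$(header_value X-Powered-By "$h")" ] && echo "X-Powered-By present"
    # every cookie the board sets should carry HttpOnly
    printf '%s\n' "$h" | tr -d '\r' | grep -i '^Set-Cookie:' | while IFS= read -r line; do
        case "$(printf '%s' "$line" | tr '[:upper:]' '[:lower:]')" in
            *httponly*) ;;
            *) echo "cookie without HttpOnly: ${line#*: }" ;;
        esac
    done
    return 0
}

# append_hardening ROOT: append to the board's existing .htaccess (phpBB ships one
# with its rewrite rules, so do not replace it). Assumes Apache 2.4 with mod_headers.
append_hardening() {
    cat >> "$1/.htaccess" <<'EOF'

# --- hardening fragment ---
Options -Indexes
ServerSignature Off
# ServerTokens Prod (hides the version in Server:) is only valid in the main server config
<IfModule mod_headers.c>
  Header always set X-Content-Type-Options "nosniff"
  # no-referrer (the scanner's suggestion) is the strictest value; this one still sends the origin
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header unset X-Powered-By
  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" env=HTTPS
</IfModule>
EOF
}

# protect_adm ROOT: HTTP basic auth in front of the ACP, on top of phpBB's own admin login.
# The htpasswd path is an assumption; create it with: htpasswd -c /etc/apache2/phpbb-adm.htpasswd admin
protect_adm() {
    cat >> "$1/adm/.htaccess" <<'EOF'
AuthType Basic
AuthName "phpBB administration"
AuthUserFile /etc/apache2/phpbb-adm.htpasswd
Require valid-user
EOF
}

# write_security_txt ROOT MAILTO EXPIRES: RFC 9116 requires Contact and Expires
write_security_txt() {
    mkdir -p "$1/.well-known"
    printf 'Contact: mailto:%s\nExpires: %s\nPreferred-Languages: en\n' "$2" "$3" > "$1/.well-known/security.txt"
}

echo "== constructed default response =="
missing_headers "$SAMPLE_DEFAULT"
echo "== constructed hardened response =="
missing_headers "$SAMPLE_HARDENED"
```

To audit a live board, feed it the real headers: missing_headers "$(curl -sI https://forum.example.com/)". Run that after deploying the fragment rather than trusting php.ini: phpBB sets its cookies itself with setcookie() rather than through PHP's native session, so the session.* ini flags do not govern them, and the Set-Cookie lines are where HttpOnly shows up. The Header directives need AllowOverride FileInfo, Options needs AllowOverride Options and the adm/ block needs AllowOverride AuthConfig; without those Apache answers 500 for the whole board, so test on a copy first. expose_php = Off in php.ini removes X-Powered-By at the source, and the env=HTTPS condition only fires when mod_ssl terminates TLS on this host.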
SpIdErPiGgY
Registered User

Re: Adding More Security To phpbb Website

Post by SpIdErPiGgY »

I have stuff like X-Content-Type-Options: nosniff in .htaccess.
Mick
Support Team Member

Re: Adding More Security To phpbb Website

Post by Mick »

I just ran that tool on a test board and it really showed nothing except the cookie thing. Is this really security and not just anti-spam techniques? I wonder how you came across it?
  • "The more connected we get the more alone we become” - Kyle Broflovski© 🇬🇧
danieltj
Infrastructure Team Member

Re: Adding More Security To phpbb Website

Post by danieltj »

Mick wrote: Sat Jul 27, 2024 9:39 am Is this really security and not just anti-spam techniques?
It’s one of those services that tries to ‘scare’ you into buying their upgraded tool, which does a little bit more stuff. I ran this forum through it and it showed one ‘warning’ and then a few advisories, but funnily enough every description noted that it’s worth doing x and y but it’s not important.

So don’t take too much notice of this. It’s of little value.
MY EXTENSIONS:
Verified Profiles | API | Awesome Payments

Available for paid extension work.
Mick
Support Team Member

Re: Adding More Security To phpbb Website

Post by Mick »

That's what I thought. It looks spammy in itself.
thecoalman
Community Team Member

Re: Adding More Security To phpbb Website

Post by thecoalman »

Security is a matter of layers, and the more you have the less likely you are going to run into issues. If a vulnerability requires X, Y and Z where Z is one of their recommendations then you are covered. It's a basic test looking for potentially insecure issues. They rank the severity, and just because your server/site comes up relatively clean with low-ranked issues doesn't mean everyone's will.
durangod
Registered User

Re: Adding More Security To phpbb Website

Post by durangod »

Thanks everyone for your input. Yeah, it's possible that some of you may have already made these changes before, or maybe your host has an auto config when you start your hosting that covers some of these.

For my normal custom websites (not phpBB) I usually use the following in my header files

Code:

//prevent clickjacking
header('X-Frame-Options: SAMEORIGIN');

//in the same php file in the session section i do this
ini_set('session.use_trans_sid', '0');
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.cookie_httponly', '1');



Then in htaccess i have this

Code:

Options -Indexes
Options +FollowSymLinks
DirectoryIndex index.php

<IfModule mod_negotiation.c>
	Options -MultiViews
</IfModule>

# for better security
ServerSignature Off

# set strict transport security
# env=HTTPS is a condition on the Header directive, not part of the header
# value, so it belongs outside the quotes; inside them it was sent to the
# browser as a junk token and the header was also sent over plain HTTP
<IfModule mod_headers.c>
  <FilesMatch "\.(php|js)$">
    Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HTTPS
  </FilesMatch>
</IfModule>

But I ask because I was not aware of the downside regarding phpBB of adding these, especially when that site recommended them, and of course where to put them so that they would not break phpBB; I did not want to edit a file if I could do so via the ACP.

To answer a question, I ran across that site because I was originally trying to find a good link and image viewer that was not on my own server. One of my sites is a service-related site which accepts images and links from users of our software. In order to help protect my server in the case of malicious links or things that are not safe for work that people post, I thought I might have a little more security if all links were opened on another server.

There are companies out there that have servers for just this purpose; I don't know the technical name of the type of business or what they are called professionally. They also have APIs that you can add to your site so that you have a direct ability with a click to view a link on their server, and they will scan it first before it opens. I thought that was a good idea. I was shopping around for one of those sites when I found the site I linked to above. :) So not to change the topic, but if anyone happens to know one of those sites that is a good one, please let me know.

Again, I really appreciate the feedback and replies here :)
thecoalman
Community Team Member

Re: Adding More Security To phpbb Website

Post by thecoalman »

durangod wrote: Sat Jul 27, 2024 12:01 pm

For my normal custom websites (not phpBB) I usually use the following in my header files
The header function may require multiple locations to add and is best left to configuring on the server, since it's something you probably want to set for every request.

Same thing with the php.ini settings: one line in php.ini and it's a done deal. That's already the default for most of the settings you have, except for session.cookie_samesite, which should not interfere with phpBB, and session.cookie_httponly, which may interfere with some functions as I already mentioned, but you'll need to test it.
durangod
Registered User

Re: Adding More Security To phpbb Website

Post by durangod »

thecoalman wrote: Sat Jul 27, 2024 5:23 pm
The header function may require multiple locations to add and is best left to configuring on the server, since it's something you probably want to set for every request.
My header file is an included file, so it gets loaded with every page, and so does a new session ID. :) But I appreciate you mentioning that in a helpful way. That's great that you help people the extra bit. :)

:) dave
Brf
Support Team Member

Re: Adding More Security To phpbb Website

Post by Brf »

That is a pretty spammy service. I ran Microsoft.com through it, and it said the same things for them that it did for you. It is only trying to get you to subscribe to their tools.
