X3 Photo Gallery Support Forums

BigBobbyD
Experienced
Topic Author
Posts: 31
Joined: 04 Sep 2021, 04:41

Security additions

11 Dec 2022, 07:18

Is it possible to add a couple of PHP (Apache) tags for additional security?

e.g.

(1) Response headers do not include the HTTP X-XSS-Protection security header
adding: Header set X-XSS-Protection "1; mode=block" 

(2) Response headers do not include the HTTP X-Frame-Options security header
HTTP header with the values `DENY` or `SAMEORIGIN` to every page
 
mjau-mjau
X3 Wizard
Posts: 13993
Joined: 30 Sep 2006, 03:37

Re: Security additions

11 Dec 2022, 09:44

You mean for the X3 website page? Or for the control panel? You can add them to your own .htaccess file, although I don't really see the point. See comments:
BigBobbyD wrote: (2) Response headers do not include the HTTP X-Frame-Options security header
The only thing this does is block other websites from showing your website inside an <iframe>. It's not strictly security related.
BigBobbyD wrote: (1) Response headers do not include the HTTP X-XSS-Protection security header
This is only useful if you don't trust users that have access to your X3 control panel. Or if you have a "comments" section where unknown users can insert comments that contain <script> tags, but this is not a feature in X3.

As noted, you can add these into the .htaccess file, but they are pointless unless you are running other insecure apps on your website unrelated to X3.
 
BigBobbyD
Experienced
Topic Author
Posts: 31
Joined: 04 Sep 2021, 04:41

Re: Security additions

11 Dec 2022, 09:49

Thanks for the quick response. My webhosting site made these recommendations. They said it wasn't imperative, only recommended.

Thanks again,
 
mjau-mjau
X3 Wizard
Posts: 13993
Joined: 30 Sep 2006, 03:37

Re: Security additions

11 Dec 2022, 21:45

BigBobbyD wrote: Thanks for the quick response. My webhosting site made these recommendations. They said it wasn't imperative, only recommended.
Nothing wrong with staying secure, but these options don't really offer any additional security for X3. If you wanted to add them anyway, you could open the file /.htaccess in any text editor, and add this chunk of code at the top:
Code
# custom rules start

# X-XSS-Protection
<IfModule mod_headers.c>
 Header set X-XSS-Protection "1; mode=block"
</IfModule>

# X-Frame-Options
<IfModule mod_headers.c>
 Header set X-Frame-Options "SAMEORIGIN"
</IfModule>

# custom rules end
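
Added example, not part of the forum posts or of X3: a small Python check that a response head (for instance the output of `curl -sI` against your own site) carries the two headers from the .htaccess block above with the values named in this thread. The function names `parse_headers` and `audit` and both sample responses are constructed for illustration.

```python
# Added example: audit a raw response head for the two headers from this thread.
FRAME_OK = {"DENY", "SAMEORIGIN"}   # values named in the thread
XSS_EXPECTED = "1;mode=block"       # thread's value, whitespace removed


def parse_headers(raw):
    """Map lower-cased header names to the list of values seen for each."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:              # lines[0] is the status line
        if not line.strip():
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw):
    """Return {'X-Frame-Options': status, 'X-XSS-Protection': status}."""
    h = parse_headers(raw)
    result = {}

    xfo = {v.upper() for v in h.get("x-frame-options", [])}
    if not xfo:
        result["X-Frame-Options"] = "missing"
    elif len(xfo) > 1:
        result["X-Frame-Options"] = "conflicting values"
    elif xfo <= FRAME_OK:
        result["X-Frame-Options"] = "ok"
    else:
        result["X-Frame-Options"] = "invalid value"

    xss = {"".join(v.split()).lower() for v in h.get("x-xss-protection", [])}
    if not xss:
        result["X-XSS-Protection"] = "missing"
    elif xss == {XSS_EXPECTED}:
        result["X-XSS-Protection"] = "ok"
    else:
        result["X-XSS-Protection"] = "unexpected value"
    return result


# Constructed sample responses (not captured from a real X3 site).
BEFORE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
AFTER = ("HTTP/1.1 200 OK\r\n"
         "x-xss-protection: 1; mode=block\r\n"
         "X-Frame-Options: sameorigin\r\n\r\n")

if __name__ == "__main__":
    print(audit(BEFORE))
    print(audit(AFTER))
```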