published website security

This section is for posting questions which are not directly related to WYSIWYG Web Builder.
Examples of off topics: web server configuration, hosting, programming related questions, third party scripts.

Note that these questions will generally not be answered by the administrators of this forum.
John_Pittman
Posts: 10
Joined: Tue Jan 18, 2022 5:38 pm

published website security

Post by John_Pittman »

Hi,
I have built a website with ver 17.1.2
I have been monitoring the log files and see a lot of hacking attempts, I have fail2ban and iptables to protect the server.
But the apache2 logs show lots of attempts to try cross site scripting and other tactics to crash server or load code.
I used an auditing tool to test security of website . https://observatory.mozilla.org/
And the site as published got a 0 out of 100 or F grade.
Multiple problems like insecure PHP session cookies, Content Security Policy (CSP) implemented unsafely, Subresource Integrity (SRI) not implemented, X-Content-Type-Options header not implemented, X-Frame-Options (XFO) header not implemented, X-XSS-Protection header not implemented, etc.
I fixed a couple of the apache2 conf issues and the force https redirects, I was able to fix the php session cookie for the most part.
That got the score to a D grade - 40 out of 100
But for the Content Security Policy I cannot implement that and stay with WYSIWYG Web Builder, as this policy would require all CSS, style and any inline JS code to be in their own subdirectories.

Has anyone dealt with this and have a solution, or am I missing something in the setup of WYSIWYG Web Builder?

Thanks,
John Pittman
Pablo
Posts: 21707
Joined: Sun Mar 28, 2004 12:00 pm
Location: Europe
Contact:

Re: published website security

Post by Pablo »

I doubt that the security issues have anything to do with the software.
Just because the files are not in a separate folder does not make them vulnerable to hackers.
Static files cannot be hacked.

But, if you want css and js files in a different folder then you can configure this in Tools->Options->HTML
John_Pittman
Posts: 10
Joined: Tue Jan 18, 2022 5:38 pm

Re: published website security

Post by John_Pittman »

An update from an old newbie.
Pablo is right, and most of the issues were with my server setup. After researching and reading other stuff I found that "most" of the reported problems from the Mozilla test were PHP configuration issues. I was able to weed through them and got my site score up to a C+.
Then some other tests were not super relevant to me as I do not use a CDN.

So long story short, I got too excited and did not do enough homework before crying wolf. Sorry.....

We can all learn something every day.
John Pittman
Daniel Baran
Posts: 50
Joined: Thu Dec 31, 2020 9:23 pm
Location: Oregon, USA
Contact:

Re: published website security

Post by Daniel Baran »

Hello John,
Glad to see you are working this.
As you have seen, it's not a WWB issue but more a hosting thing.
I have managed to achieve A+ results on both Mozilla Observatory and securityheaders.com.
Not all sites can be made to do this, but I encourage you to keep at it.
Mine was also very bad when I started.
It took me many iterations to achieve the high status.
Regards,
DB
https://timespreader.com - Built and Maintained with WYSIWYG Web Builder
wwonderfull
Posts: 1276
Joined: Fri Aug 21, 2020 8:27 am

Re: published website security

Post by wwonderfull »

I appreciate your security questions BUT...
wysiwygwebbuilder.com got an F, which is normal, just like our website, in the scan summary of https://observatory.mozilla.org/

Still, it's been running for decades! Although Pablo can make it secure any time, it's more popular than the sites you currently have. Yet no one has hacked it. So don't worry about such static sites unless you make bank websites or websites which possess lots of people's personal data, like a social media site or a renowned public blog.

You should be more worried about SEO, which may be making your page rank lower. The basic security which is needed is already given; the rest of it totally depends on your web server and on you protecting your ID and password, which hackers will always try to get by many methods. So be cautious and everything will be fine.
Last edited by wwonderfull on Wed May 25, 2022 7:39 pm, edited 1 time in total.
Daniel Baran
Posts: 50
Joined: Thu Dec 31, 2020 9:23 pm
Location: Oregon, USA
Contact:

Re: published website security

Post by Daniel Baran »

You seem to be deprecating good security practices, which makes very little sense to me.
I think site owners should do whatever they reasonably can, within whatever constraints they have.
Obviously, that is a big range of possibilities.
Applying optimized safeguards to even a small, low risk site is hardly a bad idea.

Regarding:
"You should be more worried about SEO"
That's an entirely different subject, and no one in this thread has asked for your advice on it.

Also:
"the rest of it totally depends on your web server"
Web server security configuration is exactly what we have been discussing!
https://timespreader.com - Built and Maintained with WYSIWYG Web Builder
wwonderfull
Posts: 1276
Joined: Fri Aug 21, 2020 8:27 am

Re: published website security

Post by wwonderfull »

Daniel Baran wrote: Tue May 24, 2022 7:39 pm
You seem to be deprecating good security practices, which makes very little sense to me.
I think site owners should do whatever they reasonably can, within whatever constraints they have.
Obviously, that is a big range of possibilities.
Applying optimized safeguards to even a small, low risk site is hardly a bad idea.

I know people who know hackers who can hack government websites and their databases. So I don't know what level of security we are trying to achieve; as I said, it is a server-side thing. Everything can still be hacked using the proper technique. If you have any suggestions regarding security you can share them with us so we can make our websites secure.
Daniel Baran
Posts: 50
Joined: Thu Dec 31, 2020 9:23 pm
Location: Oregon, USA
Contact:

Re: published website security

Post by Daniel Baran »

Yes, as you say, there are some very skilled and anti-social hackers about, who are willing to exploit just about anything. And that fact is the very reason that as many of us as possible should try to hold them back by all available means. I am doing that myself and encouraging (not demanding) others to do the same.

The original poster here was attempting it, and having some questions. Pablo did his usual tactful handling of it, clarifying that this was a hosting issue, and that the WWB software had very little influence on it.

Which leads us to the web server. The testing done by sites like Mozilla Observatory and Securityheaders.com looks at the web server's headers for a specific domain (not the website code itself) and assesses whether or not they are hardened against common attacks (like cross-site scripting). Most of us are not self-hosting, and therefore don't have access to the server configuration file. However, there is a tool (.htaccess) that allows for substantial influence over how those headers function. On a compatible server, this can be created and uploaded by anyone with privileges on the site's htdocs folder. I should warn that crafting a well-configured .htaccess file is fairly complex, and that a misconfigured file can make a site unreachable (temporarily).

There are quite a few online resources for this. It requires some careful research, but it is doable for those with decent overall computer skills.

I would be willing to elaborate on my overall framework for doing this, but I'm not sure this forum (even in the off-topic section) is the right place for it. If Pablo were to say so, that would be good enough for me.
https://timespreader.com - Built and Maintained with WYSIWYG Web Builder
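The header checks described in the post above can be rehearsed offline before an .htaccess change goes live, which matters given the warning that a bad file can take the site down. The following is an added example (Python, written for this page; not code from the forum, from WYSIWYG Web Builder or from the scanners themselves) that runs a simplified version of those checks, including the PHP session cookie flags from the first post, over two constructed header sets: a default Apache + PHP response and the same site after hardening. The check list and the six-month HSTS threshold are assumptions modelled on the Mozilla Observatory documentation, not its real scoring.

```python
"""Offline rehearsal of the response-header checks that Mozilla Observatory and
securityheaders.com perform.  Added example code: the check list and the
six-month HSTS threshold are assumptions modelled on Observatory's
documentation, not its real scoring."""
import re

# Constructed sample: what a default Apache + PHP response looks like
# before hardening (no security headers, PHPSESSID without flags).
BEFORE = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
]

# Constructed sample: the same site after .htaccess and php.ini changes.
AFTER = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Content-Security-Policy", "default-src 'self'; object-src 'none'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/; Secure; HttpOnly; SameSite=Lax"),
]

SIX_MONTHS = 15768000  # seconds; assumed minimum HSTS max-age to pass


def _get(headers, name):
    """Case-insensitive lookup; a header may appear more than once."""
    return [v for k, v in headers if k.lower() == name.lower()]


def _directive(csp, name):
    """Source list of one CSP directive, or None if the directive is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def audit_headers(headers):
    """Map each check to a problem description, or None when it passes."""
    f = {}

    hsts = _get(headers, "Strict-Transport-Security")
    m = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if m is None:
        f["hsts"] = "missing"
    elif int(m.group(1)) < SIX_MONTHS:
        f["hsts"] = "max-age shorter than six months"
    else:
        f["hsts"] = None

    csp = _get(headers, "Content-Security-Policy")
    if not csp:
        f["csp"] = "missing"
    else:
        # script-src falls back to default-src when it is not set
        scripts = _directive(csp[0], "script-src")
        if scripts is None:
            scripts = _directive(csp[0], "default-src") or []
        if "'unsafe-inline'" in scripts or "*" in scripts:
            f["csp"] = "script-src allows inline or wildcard sources"
        else:
            f["csp"] = None

    xcto = _get(headers, "X-Content-Type-Options")
    f["x-content-type-options"] = None if xcto and xcto[0].strip().lower() == "nosniff" else "missing"

    # Either header stops framing; CSP frame-ancestors is the modern one.
    xfo = _get(headers, "X-Frame-Options")
    framed = _directive(csp[0], "frame-ancestors") if csp else None
    if framed is not None or (xfo and xfo[0].strip().upper() in ("DENY", "SAMEORIGIN")):
        f["clickjacking"] = None
    else:
        f["clickjacking"] = "no X-Frame-Options and no frame-ancestors"

    f["referrer-policy"] = None if _get(headers, "Referrer-Policy") else "missing"

    # The "insecure PHP session cookie" finding: Secure, HttpOnly and SameSite.
    problems = []
    for cookie in _get(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "sess" not in name.lower():
            continue
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                problems.append(f"{name} lacks {flag}")
        if not any(a.startswith("samesite=") for a in attrs):
            problems.append(f"{name} lacks samesite")
    f["session-cookie"] = "; ".join(problems) or None
    return f


def failing(headers):
    """Names of the checks that fail, sorted, for a quick before/after diff."""
    return sorted(k for k, v in audit_headers(headers).items() if v)


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, failing(hdrs))
```

To run it against a live site, replace the constructed lists with the header pairs from the site's own response (for example the output of a HEAD request), keeping the tuple shape; the check functions do not care where the headers came from.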
alan_sh
Posts: 1695
Joined: Tue Jan 01, 2019 5:50 pm

Re: published website security

Post by alan_sh »

Daniel,

I think some simple ideas for crafting .htaccess (e.g. how to stop cross script stuff) would be very useful and welcomed by all of us.

thank you if you can do this.

Alan
wwonderfull
Posts: 1276
Joined: Fri Aug 21, 2020 8:27 am

Re: published website security

Post by wwonderfull »

I already got an A+ on those settings by tweaking some settings. But there is a catch: there are some settings in .htaccess which are totally dependent on your website's URLs, CSS, style and any inline JS code and other resources. Content Security Policy, as they call it. That is the main one; if you can do that, no problem with the rest of it.

But I can assure you, if you run a modern website with live chat scripts, Lottie animations and other outside resources linking to your website, or even those scripts without src and such, there is a lot more to know for the perfect config, because any configuration you touch will block the resources if the settings are not proper. I have tested with a lot of outside resources, some of which had issues. So be cautious when doing security settings in .htaccess. Always triple check how your website is functioning.

Other than that, I'll give you some security settings, free from the internet, which are safe to use. These settings will give you a "B" for sure.

Note: Use the codes at your own risk

Code:

# .htaccess: security response headers.
# The whole block is skipped (no error) if mod_headers is not loaded.
# Note: "Header set" applies to successful (2xx) responses only; use
# "Header always set" if error pages should carry the headers too.
<IfModule mod_headers.c>

# HSTS: a browser that has seen this header refuses plain-HTTP connections to the
# site for two years. Only add "preload" once the whole site (and all subdomains)
# is HTTPS-only, because the preload list is hard to leave.
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

# Turn on the legacy IE8-IE9 XSS filter; current browsers ignore this header.
Header set X-XSS-Protection "1; mode=block"

# Stop browsers from MIME-sniffing a response into a script or stylesheet.
Header set X-Content-Type-Options "nosniff"

# Refuse to be framed by any page (clickjacking).
Header set X-Frame-Options DENY
</IfModule>
# CSP - this one you have to figure out yourself; read the links below
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://infosec.mozilla.org/guidelines/ ... ity-policy

Check your website's security with Mozilla Observatory https://observatory.mozilla.org/
Without a CDN you will fail the Subresource Integrity test.
If you build modern websites, I have already tested that some settings will mess up your website for sure. I got an A+ on the classic website which has absolutely nothing but some text and images, i.e. no extra resources at all, but just an "A" on the modern website which has many resources outside the domain. You will soon come to know more when you tweak the settings.
Last edited by wwonderfull on Wed May 25, 2022 7:26 pm, edited 2 times in total.
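The CSP problem described in the post above (a policy that scores well but blocks the page's own inline scripts and third-party widgets) can be reasoned about before the header is deployed. The following is an added example (Python, written for this page; not code from the forum or from WYSIWYG Web Builder) that implements the common CSP source-expression rules and reports which of a constructed page's resources a given policy would allow. The page origin, the chat-widget host and the inline script body are assumptions; the sha256 source it computes is the standard way to allow one specific inline script without 'unsafe-inline'.

```python
"""Would this Content-Security-Policy let a given resource load?
Added example implementing the common CSP source-expression rules
('self', 'none', 'unsafe-inline', nonces, sha256 hashes, scheme and host
sources with *.wildcards).  Paths, ports and 'strict-dynamic' are left out."""
import base64
import hashlib
from urllib.parse import urlsplit

# Assumed page and resources, constructed for the example.
PAGE = "https://www.example.com"
WIDGET = "https://widget.chat-vendor.example/loader.js"  # third-party live chat
INLINE = "document.body.classList.add('ready');"          # inline <script> body

# Directives that inherit from default-src when absent.
FALLBACK = {d: "default-src" for d in
            ("script-src", "style-src", "img-src", "font-src", "connect-src", "frame-src")}


def parse_csp(policy):
    """{directive: [source, ...]} from a policy string."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def sha256_source(inline_code):
    """Hash source that allows exactly this inline body (whitespace included)."""
    digest = hashlib.sha256(inline_code.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode() + "'"


def _host_matches(pattern, url, page_origin):
    """Host source such as https://cdn.example.com or *.example.com."""
    u = urlsplit(url)
    if "://" in pattern:
        scheme, _, host = pattern.partition("://")
        if scheme.lower() != u.scheme.lower():
            return False
    else:
        host = pattern
        if u.scheme.lower() != urlsplit(page_origin).scheme.lower():
            return False  # scheme-less host sources inherit the page's scheme
    host = host.split("/")[0].lower()
    target = (u.hostname or "").lower()
    if host.startswith("*."):
        return target.endswith(host[1:])  # *.example.com matches a.example.com, not example.com
    return target == host


def allows(policy, directive, page_origin, url=None, inline=None, nonce=None):
    """True if `policy` permits loading `url` (or running `inline`) under `directive`."""
    d = parse_csp(policy)
    name = directive
    while name not in d and name in FALLBACK:
        name = FALLBACK[name]
    if name not in d:
        return True  # nothing governs this fetch, so CSP does not restrict it
    sources = d[name]
    if sources == ["'none'"]:
        return False
    if inline is not None:
        has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            return True  # 'unsafe-inline' is ignored once a nonce or hash is listed
        if nonce and f"'nonce-{nonce}'" in sources:
            return True
        return sha256_source(inline) in sources
    u = urlsplit(url)
    for s in sources:
        if s == "'self'" and (u.scheme, u.netloc) == urlsplit(page_origin)[:2]:
            return True
        if s == "*" and u.scheme in ("http", "https"):
            return True  # bare * still excludes data:, blob: and the like
        if s.endswith(":") and s == u.scheme + ":":
            return True  # scheme source such as https:
        if not s.startswith("'") and not s.endswith(":") and s != "*":
            if _host_matches(s, url, page_origin):
                return True
    return False


def check_page(policy):
    """Which of the constructed page's resources survive under `policy`."""
    return {
        "own script": allows(policy, "script-src", PAGE, url=PAGE + "/wb.js"),
        "chat widget": allows(policy, "script-src", PAGE, url=WIDGET),
        "inline script": allows(policy, "script-src", PAGE, inline=INLINE),
        "vendor image": allows(policy, "img-src", PAGE,
                               url="https://widget.chat-vendor.example/icon.png"),
    }


# A policy that scores well but breaks the page ...
STRICT = "default-src 'self'; object-src 'none'; frame-ancestors 'none'"
# ... and one tuned to the page: widget host plus a hash for the one inline script.
TUNED = ("default-src 'self'; script-src 'self' https://widget.chat-vendor.example "
         + sha256_source(INLINE) + "; object-src 'none'; frame-ancestors 'none'")

if __name__ == "__main__":
    print("strict:", check_page(STRICT))
    print("tuned: ", check_page(TUNED))
```

Two things the output makes visible: fixing script-src does nothing for img-src, which still falls back to default-src and blocks the vendor's image, and a hash source allows one exact script body, so any edit to that inline code (even whitespace) blocks it again. When rolling a policy out, send it first under the header name Content-Security-Policy-Report-Only, which logs violations in the browser console without blocking anything, and rename it to Content-Security-Policy once the console is clean on every page.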
Daniel Baran
Posts: 50
Joined: Thu Dec 31, 2020 9:23 pm
Location: Oregon, USA
Contact:

Re: published website security

Post by Daniel Baran »

Hi Alan and thanks,
I will compile a short list of recommendations for those with limited or no prior experience in this.
I should be able to post it here within the next few days.

PS: A bit bemused by wwonderfull's radical conversion on this - suddenly "all over it".
https://timespreader.com - Built and Maintained with WYSIWYG Web Builder
wwonderfull
Posts: 1276
Joined: Fri Aug 21, 2020 8:27 am

Re: published website security

Post by wwonderfull »

Daniel Baran wrote: Wed May 25, 2022 5:27 pm
Hi Alan and thanks,
I will compile a short list of recommendations for those with limited or no prior experience in this.
I should be able to post it here within the next few days.

PS: A bit bemused by wwonderfull's radical conversion on this - suddenly "all over it".

A renowned website which handles all payment routing, tax collection, compliance, invoicing, subscription management, renewals, reporting, and fraud protection,
https://www.paddle.com/
only got a C+ and failed in many ways on the Mozilla Observatory check for Content Security Policy.
If they thought like you they would have been worried bald by now, as a worldwide payment service website.

First of all, this is an off-topic section; anyone can come and post. I do not need your permission.

Secondly,
What do you mean by radical conversion? I gave whatever I could. You are acting as if everyone is trying to hack websites nowadays; what would they steal from your website, colors and text? How much is your website worth? Are you running an ecommerce website? Not one of this forum's members has ever been hacked, even with the lowest level of security! So get this straight. If you think you are more secure with your settings, wait for the real hackers to come. They will raid your website and demand money. Then you will realize how smart you are with your settings. Your A+ won't be able to protect you, be sure... Some people think grades are everything, at least those in school.
Last edited by wwonderfull on Wed May 25, 2022 7:42 pm, edited 2 times in total.
Daniel Baran
Posts: 50
Joined: Thu Dec 31, 2020 9:23 pm
Location: Oregon, USA
Contact:

Re: published website security

Post by Daniel Baran »

At wwonderfull:

Anyone reading this thread from the beginning can see how you immediately began denigrating other people's websites, popularity, SEO etc. without adequate attention to what the thread was even about. You also denigrated the need for even undertaking security header scrutiny. Then, after having it explained to you, you pursued it directly. While that pursuit is a good thing, you seem to have an inordinate need to take ownership of this thread. That is not helping; please stop it. While this is an "off-topic" section, it should be clear that remaining "on-topic" within a thread is a good idea.
https://timespreader.com - Built and Maintained with WYSIWYG Web Builder
Daniel Baran
Posts: 50
Joined: Thu Dec 31, 2020 9:23 pm
Location: Oregon, USA
Contact:

Re: published website security

Post by Daniel Baran »

Adding:
I will be pausing any additional contribution here as long as such needless hostility and careless denigration is tolerated.
I'm not interested in petty squabbles.
DB
https://timespreader.com - Built and Maintained with WYSIWYG Web Builder
BaconFries
Posts: 5366
Joined: Thu Aug 16, 2007 7:32 pm

Re: published website security

Post by BaconFries »

This thread has now been locked no 'New' posts can be made unless they are by Pablo or other Moderators on the original Topic.
BF (Baconfries) Moderator