Adding Response Headers for Security
I'm looking to add some HTTP Response Headers for security, such as the ones below. I don't see a place within the Concrete5 front end to add these headers, and can't seem to find the file they're generated from while digging around in the back end. What's the best practice here?
(Examples copied from http://securityheaders.io )
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
We do set x-frame-options, but the other ones aren't set by default (I don't think), but you can pretty easily set them via a middleware. This is the one for x-frame-options: https://github.com/concrete5/concrete5/blob/develop/concrete/src/Htt...
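An added example of such a middleware, not from this thread or from the Concrete5 code base: it sets the four headers from the question on every response. It assumes the Concrete5 8.x MiddlewareInterface/DelegateInterface contract and that a package registers it via ServerInterface::addMiddleware() in its on_start(); the class and namespace names are made up.

```php
<?php
// Added example (not Concrete5's own code). Assumed: the Concrete5 8.x middleware
// contract (process() receives the request and a delegate whose next() yields the
// Response). Namespace and class name are placeholders for your own package.
namespace Concrete\Package\SecurityHeaders\Src;

use Concrete\Core\Http\Middleware\DelegateInterface;
use Concrete\Core\Http\Middleware\MiddlewareInterface;
use Symfony\Component\HttpFoundation\Request;

class SecurityHeadersMiddleware implements MiddlewareInterface
{
    /** Header name => value; values copied from the question above. */
    private const HEADERS = [
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
        'X-Frame-Options'           => 'SAMEORIGIN',
        'X-XSS-Protection'          => '1; mode=block',
        'X-Content-Type-Options'    => 'nosniff',
    ];

    public function process(Request $request, DelegateInterface $frame)
    {
        // Let the rest of the stack build the response, then decorate it.
        $response = $frame->next($request);

        foreach (self::HEADERS as $name => $value) {
            // HSTS is only honoured by browsers on an HTTPS response, so do not
            // emit it on plain HTTP (it would be ignored anyway).
            if ($name === 'Strict-Transport-Security' && !$request->isSecure()) {
                continue;
            }
            // Keep a header that an earlier middleware (e.g. the core
            // x-frame-options one linked above) already set deliberately.
            if (!$response->headers->has($name)) {
                $response->headers->set($name, $value);
            }
        }

        return $response;
    }
}

// Registration (assumed call, in your package controller's on_start()):
//   $this->app->make(\Concrete\Core\Http\ServerInterface::class)
//             ->addMiddleware(new SecurityHeadersMiddleware());
```

After installing the package, check the result with curl -I against the site rather than trusting the code: a reverse proxy or cache in front of the web server can still strip or overwrite headers.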
If you are using Apache you can add them by editing the .htaccess file. See the link below. It is about WordPress but the same applies to C5 as well.
https://www.tripwire.com/state-of-security/risk-based-security-for-e...
There's actually a free add-on for that: https://www.concrete5.org/marketplace/addons/http-headers...
I've been playing with the .htaccess settings for a few weeks, didn't quite get all the green lights. Finding this thread and then using the add-on has been a massive boost and is so easy to set up. Headache over. Thank you.
BTW: The site in question is using c5 8.5.4, PHP 7.4.14, Server 'LightSpeed' and 'https://www.webpagetest.org/' gives 'A' for all except first time byte.