can you help me interpret mozilla rating of phpfox for some fixes ? #2907

Open
spirogg opened this issue Jun 1, 2020 · 3 comments
spirogg commented Jun 1, 2020

What's happened?


  • I found mozilla site that grades the phpfox script / demo site

  • can you interpret if we need to be adding or deleting some things to create a better and safer experience for admins and users of phpfox

Steps to reproduce:

  1. https://observatory.mozilla.org/analyze/v4.phpfox.com
  2. https://securityheaders.com/?followRedirects=on&hide=on&q=v4.phpfox.com

What's expected?

It seems they rate the demo site poorly; can we improve this somehow?

Browsers and Devices tested

(Example: Chrome on iPhone X, Safari on MacBook, Microsoft Edge on Windows 10, Firefox on Ubuntu 16.04, ...)

...

Server information

(Example: CentOS 7, php 7.1 apache)

...

phpFox version

(Example: phpFox 4.6.0)

your demo site

Screenshots

...

@spirogg spirogg changed the title can you help me interpretmozillarating of phpfox for some fixes ? can you help me interpret mozilla rating of phpfox for some fixes ? Jun 1, 2020

daniol commented Jul 10, 2020

I improved it manually adding the following to the beginning of index.php:

// Session cookie hardening; must run before session_start().
// session.cookie_samesite is only honoured on PHP 7.3+.
ini_set('session.cookie_httponly', 1);         // cookie not readable from JavaScript
ini_set('session.use_strict_mode', 1);         // reject session IDs the server did not issue
ini_set('session.cookie_secure', 1);           // cookie only sent over HTTPS
ini_set('session.cookie_samesite', "Strict");  // cookie not sent on cross-site requests

I also added this to .htaccess to cover all other settings:

# Only allow loading of resources over https, however allow phpfox inline script/css
Header set Content-Security-Policy "default-src 'none'; script-src https: 'unsafe-eval' 'unsafe-inline'; img-src https: data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; style-src https: 'unsafe-inline'; media-src https:; font-src https:; connect-src https:; child-src https:; frame-src https:"

# Only connect to this site and subdomains via HTTPS for the next two years
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains"

# Prevent browsers from incorrectly detecting non-scripts as scripts
Header set X-Content-Type-Options "nosniff"

# Only allow my site to frame itself
Header set X-Frame-Options "SAMEORIGIN"

# Block pages from loading when they detect reflected XSS attacks
Header set X-XSS-Protection "1; mode=block"

I guess the phpfox team could add that easily settings in the core. Some of them apply only if the website is set up for HTTPS.

However, the maximum rating you will get with this is a B. phpfox currently uses a lot of inline JavaScript code, which makes it insecure by definition. They should stop using this bad practice and use only external JavaScript code. For generating JavaScript code from PHP (for example, for text translations) they could simply use an external script handler:

<script src="generate_js.php"></script>

The same applies for inline CSS.
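
An added example (not phpFox code and not part of the comment above) of doing the same hardening from PHP itself rather than .htaccess, with a per-response nonce in place of relying on 'unsafe-inline', plus a body for the external translations script the comment suggests. The file names security_headers.php and generate_js.php, the function names, and the sample translation strings are all hypothetical.

```php
<?php
// security_headers.php (hypothetical file; example code, not part of phpFox)
declare(strict_types=1);

// True when the request arrived over TLS, terminated here or at a proxy.
function is_https(): bool
{
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        return true;
    }
    // Only trust this header if a reverse proxy you control sets it.
    return ($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

// Same effect as the ini_set() lines in the comment, via the cookie-params API.
// Must be called before session_start(); the array form needs PHP 7.3+.
function harden_session_cookie(bool $https): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => $https,  // a Secure cookie is never sent over plain HTTP
        'httponly' => true,
        'samesite' => 'Lax',   // 'Strict' also drops the session on links from other sites
    ]);
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue
}

// One random nonce per response, shared by the header and the <script> tags.
function csp_nonce(): string
{
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// Nonce-based policy: inline code runs only when its tag carries this response's nonce.
// Browsers that understand nonces ignore 'unsafe-inline'; it is kept only so older
// browsers keep working while inline code is migrated to external files.
function build_csp(string $nonce): string
{
    return implode('; ', [
        "default-src 'self'",
        "script-src 'self' 'nonce-{$nonce}' 'unsafe-inline'",
        "style-src 'self' 'nonce-{$nonce}' 'unsafe-inline'",
        "img-src 'self' data: https:",
        "font-src 'self' https:",
        "connect-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",
        "frame-ancestors 'self'",
    ]);
}

function send_security_headers(bool $https): void
{
    header('Content-Security-Policy: ' . build_csp(csp_nonce()));
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: SAMEORIGIN');
    if ($https) {
        // Browsers ignore HSTS on plain-HTTP responses, so emit it only over TLS.
        header('Strict-Transport-Security: max-age=63072000; includeSubDomains');
    }
}

// Wraps server-generated (never user-supplied) JS in a tag the policy above allows.
function inline_script(string $js): string
{
    $nonce = htmlspecialchars(csp_nonce(), ENT_QUOTES, 'UTF-8');
    return '<script nonce="' . $nonce . '">' . $js . '</script>';
}

// Body for generate_js.php: translated strings served as an external script, so that
// admin-editable text is never inlined in HTML. The JSON_HEX_* flags stop a string
// containing </script> or quotes from breaking out of the JS literal.
function translations_js(array $strings): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE;
    return 'window.phpfoxLang = Object.freeze(' . json_encode($strings, $flags) . ');';
}

// index.php (top, before any output):
//   require 'security_headers.php';
//   $https = is_https();
//   harden_session_cookie($https);
//   session_start();
//   send_security_headers($https);
//   echo inline_script('window.bootstrap = true;');
//
// generate_js.php (constructed sample strings):
//   require 'security_headers.php';
//   header('Content-Type: application/javascript; charset=utf-8');
//   header('X-Content-Type-Options: nosniff');
//   echo translations_js(['greeting' => "Hello <b>world</b>, it's me"]);
```

With the nonce in place, every inline `<script>` phpFox emits without the nonce attribute is blocked and reported in the browser console, which is a practical way to find the remaining inline code the comment refers to. The 'unsafe-inline' fallback can be dropped once that list is empty.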

@harrison05 harrison05 added the Q&A label Jul 14, 2020
@PhpFoxJohnJr

Daniol, you are a genius! Thanks.

spirogg commented Feb 5, 2021

@harrison05 are you guys working on better handling of JavaScript code, and making some changes so we can have faster load times and fewer browser errors?

4 participants