• Resolved sscott1

    (@sscott1)


    We requested an IBM app scan and failed to pass. We had problems with security headers, CORS policy, enforcing encryption, etc., all things that Defender is designed to address. I looked in the Defender app and noticed that the appropriate switches were disabled. I turned them all on and re-requested the scan. And I was embarrassed to learn that we went from 135 vulnerabilities to 134. It was as if the switches did nothing at all! Is there something I am missing?

    Before:
    http://prntscr.com/uf8u14

    After:
    http://prntscr.com/uf8uab

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support Adam – WPMU DEV Support

    (@wpmudev-support8)

    Hi @sscott1

    I hope you’re well today!

    Out of all the issues listed on these screenshots, the ones related to Defender would be related to “security headers”. I’m not quite sure though what this report shows. I mean – it shows “number of issues”, so was each and every page on the site checked?

    If yes, it most likely means that the issue with given header was encountered on some pages only and that could also mean some conflict. Some known “conflicts” of that kind are that

    1) in some cases a CDN (or some other proxy) – if you are using it – might be overriding headers; are you using CloudFlare or any other CDN of that kind for the site?

    2) in some cases cache is “breaking” the headers so if there’s any caching plugin active, please check if clearing cache and temporarily disabling it makes any difference

    Could you check it and let us know about results?

    Kind regards,
    Adam
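The check Adam describes above, as an added example that is not part of the thread and not Defender's own code: collect the response headers of several pages of the site and report which expected security headers are missing on which page, plus headers that show up on some pages but not others, the pattern that points at a cache or CDN layer replacing what the application set. The header list, the `example.test` URLs and the sample responses are constructed for the demonstration; `fetch_headers` is provided for use against a live site but is not called by the sample run.

```python
"""Audit security headers across several pages of one site."""
from urllib.request import urlopen

# A common baseline of security headers; adjust to your own policy.
EXPECTED = (
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "content-security-policy",
    "referrer-policy",
)


def fetch_headers(url, timeout=10):
    """Return the response headers of a live page, lower-cased (network access)."""
    with urlopen(url, timeout=timeout) as resp:
        return {k.lower(): v for k, v in resp.headers.items()}


def audit(pages, expected=EXPECTED):
    """pages: {url: {header: value}}. Returns (missing, inconsistent).

    missing: {url: [header, ...]} for each page lacking at least one expected header.
    inconsistent: sorted headers present on some pages but absent on others."""
    missing = {}
    present_on = {h: set() for h in expected}
    for url, headers in pages.items():
        lowered = {k.lower() for k in headers}
        gaps = [h for h in expected if h not in lowered]
        if gaps:
            missing[url] = gaps
        for h in expected:
            if h in lowered:
                present_on[h].add(url)
    inconsistent = sorted(h for h, urls in present_on.items()
                          if 0 < len(urls) < len(pages))
    return missing, inconsistent


# Constructed sample: the front page is served by the application with every header
# set, while two cached pages come back from the caching layer with only one of them.
SAMPLE_PAGES = {
    "https://example.test/": {
        "Strict-Transport-Security": "max-age=31536000",
        "X-Frame-Options": "SAMEORIGIN",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    },
    "https://example.test/about/": {"X-Content-Type-Options": "nosniff"},
    "https://example.test/contact/": {"X-Content-Type-Options": "nosniff"},
}

if __name__ == "__main__":
    missing_headers, inconsistent_headers = audit(SAMPLE_PAGES)
    for page, gaps in missing_headers.items():
        print(page, "missing:", ", ".join(gaps))
    print("present on only some pages:", ", ".join(inconsistent_headers))
```

To run it against a real site, build the `pages` dict with `fetch_headers` for a handful of cached and uncached URLs (and, when a CDN is in front, once with the CDN bypassed) and compare the two reports.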

    Thread Starter sscott1

    (@sscott1)

    Ah server-side caching. That might be it. Let me work on it and I will report back the results.

    Thread Starter sscott1

    (@sscott1)

    I was using WP Engine. It seems they strip out the headers and replace them with their own. In order to get the headers to work I had to ask WP Engine to insert them on their end (NGINX).

    Plugin Support Adam – WPMU DEV Support

    (@wpmudev-support8)

    Hi @sscott1

    Thanks for getting back to me!

    And yes, unfortunately, it is sometimes the case that hosts do “force” headers the way they think is best which sometimes isn’t really the way you’d want them. Defender sets them on “site level” so obviously it can’t override “hard coded”/”enforced” server configuration.

    However, I wouldn’t put the “blame” on the host, as it might quite often be a result or “side effect” of general configuration and overall security policy (as in e.g. “not allowing to change certain aspects of configuration” or “not allowing to edit certain configuration files”) – so all in all it’s “for the greater good” 🙂

    But I understand that they made the requested changes for you and that solved the issue then, right?

    Best regards,
    Adam

    Thread Starter sscott1

    (@sscott1)

    Yes, they were able to add the headers on their end. Thank you for your support.

    Plugin Support Saurabh – WPMU DEV Support

    (@wpmudev-support7)

    Hello @sscott1,

    It is great to know that they were able to add the header and it worked for you. For now, as this worked out, I would mark this issue as resolved but should you have any doubts or need any help, please feel free to raise a fresh thread and we would be happy to help.

    Thank you,
    Prathamesh Palve

  • The topic ‘Does this app even work?’ is closed to new replies.