prevent hotlink to js and css

Resolved w3dzign
(@w3dzign)

8 years, 1 month ago

Hi i have a site and recently run a ethical hacking excerscise and in the vulnerabilities has 2 mayor and i think you can help me with both

1 is the HTML form without CSRF protection (1)
2 is Vulnerable Javascript library (2)

so i read the best practices to make a strong htaccess file
and this make half of the job
RewriteRule ^(.*)\.(|css|js)$ /public/$1.$2 [L,NC]
but when i enable this my site dont load any of this files i want to prevent only to enter directly to the js and css files but when my page loads graphically it looks ugly because this files never load.

and for the csrf protection i read your plugin do the job to prevent this
i want to know how can enable this feature
or can you give me technical details how to work the csrf protection in the plugin?

because i need to give a valid argument if i dont put nonce what we do to prevent this

thank you

https://wordpress.org/plugins/bulletproof-security/

Viewing 6 replies - 1 through 6 (of 6 total)

Plugin Author AITpro
(@aitpro)

8 years, 1 month ago

1. The BPS CSRF protection is enabled by default when you run the BPS Setup Wizard.
2. The RewriteRule that you posted will probably not work for WordPress so I am assuming you found that information for another site type that is not a WordPress site type. You do not need to protect CSS files since they are not exploited. BPS already has protection against js scripts exploitation so you do not need to add anything else/add additional custom htaccess code.

Thread Starter w3dzign
(@w3dzign)

8 years, 1 month ago

can you give me more technical details about csrf protection? and in other hand i atatch the results of the scan we have 1 red issue about the js libraries and last one the bulletproof add a cookie they ask me to make all the cookies http only and secure so if this is no necesary can you help me with technical details aboyt why isnt necesary? thanks for all your help

Plugin Author AITpro
(@aitpro)

8 years, 1 month ago

CSRF Owasp Wiki:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

There are several things in BPS that protect against CSRF exploitation. At the current time there is no pre-made list that lists all of those things so I cannot offer any more BPS plugin specific details about included CSRF protection in BPS.

The screenshot you posted is for AcuSensor so what you would need to do is to find out exactly what AcuSensor is seeing as things that need to be secured/fixed/etc. Different scanners may see different possible issues/problems so you would need to figure out specifically what AcuSensor is seing as something that needs additional security measures/protection.

Plugin Author AITpro
(@aitpro)

8 years, 1 month ago

Also you can add any additional VALID custom htaccess code that you need or want to add to BPS Custom Code. The code must be valid/good of course and not bad or invalid code or you will run into website problems.

Plugin Author AITpro
(@aitpro)

8 years, 1 month ago

Do you have any other questions or can this thread be resolved? Thanks.

Thread Start Date: 2-27-2016 to 2-28-2016
Current Date: 3-1-2016

Plugin Author AITpro
(@aitpro)

8 years, 1 month ago

Assuming all questions have been answered – the thread has been resolved. If you have additional questions about this specific thread topic then you can post them at any time. We still receive email notifications when threads have been resolved.

Thread Start Date: 2-27-2016 to 2-28-2016
Thread Resolved/Current Date: 3-2-2016

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘prevent hotlink to js and css’ is closed to new replies.

Tags