Support » Plugin: All In One WP Security & Firewall » Various protection

  • Resolved tzshng

    (@tzshng)


    I understand this topic has closed. But when Webpagetest tool including this security test, it is making my boss and others panic about the result “F”.

    This is the topic I’m referring to:
    https://wordpress.org/support/topic/suggestion-to-include-various-header-instructions/

    I manage to research a little, all it need is insert additional line in htaccess only.

    Why not AIO seuciry have this as built in features?

    Some issues detected are:
    – Clickjacking
    – Common Administration Interfaces
    – X-Frame-Options header not implemented
    – Content Security Policy (CSP) header not implemented
    – X-XSS-Protection header not implemented
    – HTTP Strict Transport Security (HSTS) header not implemented
    – Cross Domain JavaScript Source File Inclusion

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, thank you for reaching out to us and making those suggestions. I have submitted a message to the developers to investigate further your request.

    Kind regards

    Thread Starter tzshng

    (@tzshng)

    Here are some of the htaccess code I insert into the custom rules and seems to fix most of the problem I reported earlier.

    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    Header Set Strict-Transport-Security: max-age= 31536000;
    Content-Security-Policy: default-src https:

    <IfModule mod_headers.c>
    Header set X-XSS-Protection “1; mode=block”
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
    </IfModule>
    ServerSignature Off`

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Various protection’ is closed to new replies.