plg_system_httpheader's People

Contributors

jeckodevelopment, pe7er, snipersister, ygomiero, zero-24

plg_system_httpheader's Issues

Adding a ftp subdomain to CSP

Hi,

I am trying to add a CSP to the subdomain ftp.[my-domain] and I was wondering how I can do it from the plugin configuration settings or if I can do it at all. I'm very new to all this, so sorry if it's an easy answer.

Thank you,

Update to new version

Can I just check that in order to update to the latest version I can simply download the latest version of the plugin, upload & install in my Joomla site and my existing version will be updated?

Thanks!

Missing Headers - Permissions-Policy

Hi. I am using J 3.5 and System - HTTPHeaders 1.0.17

I don't have a problem on other sites... just here. What can cause the PP not to be seen in the code? Can the template cause it? I'm not a security expert; I install this plugin automatically when I start a new website and I use the same settings for all websites (I have it saved in PSPad).

[Screenshots: scan results for https://www.orsczech.cz, and the plugin settings page "Pluginy: System - HTTPHeaders - ORS CZECH - Administrace"]

[Translation] Updated language strings for Additional HTTP Header

Hi,

With the latest release I updated the language string for the Additional HTTP Header based on the feedback I got from @brianteeman on the main repo. Can you please send PRs or the new translations for the attached strings so I can include them in the next release?
The main change was from Additional to Force, as in the end we force the headers you set here :)

Feel free to ask any questions that come up :)

Here are the newly mentioned en-GB strings:

PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER="Force HTTP Headers"
PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_DESC="Using this you can set different values from the default ones and also force headers. The supported headers are: <br><ul><li>Strict-Transport-Security</li><li>Content-Security-Policy</li><li>Content-Security-Policy-Report-Only</li><li>X-Frame-Options</li><li>X-XSS-Protection</li><li>X-Content-Type-Options</li><li>Referrer-Policy</li><li>Expect-CT</li><li>Feature-Policy</li></ul>"

cc
for fr-FR @Sandra97 & @YGomiero
for it-IT @jeckodevelopment
for nl-NL by @pe7er

Thanks for all your translations! 👍

Hashes do not match

Great plugin!!

The problem is that the hashes do not match for all of my inline scripts (tested on different sites).

Resulting source code:

<script> jQuery.event.special.touchstart = {setup:function(_,ns,handle){if(ns.includes("noPreventDefault")){this.addEventListener("touchstart",handle,{passive:false});}else{this.addEventListener("touchstart",handle,{passive:true});}}}; </script>

index.php actual code:

addScriptDeclaration('jQuery.event.special.touchstart = {setup:function(_,ns,handle){if(ns.includes("noPreventDefault")){this.addEventListener("touchstart",handle,{passive:false});}else{this.addEventListener("touchstart",handle,{passive:true});}}};');?>

Plugin-generated SHA:
'sha256-XI5T8OJWCoAGU2W72aYqY5yVhW6R4SBObwSw5/58qfk='

Chrome (v91) console suggested SHA:
'sha256-nkBC8t4FwQ13XFZT8S2npkwkSACUDGTSNQd5CXK1xq0='

thanks
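A mismatch like the one reported above is worth checking against the bytes that actually reach the browser: CSP hashes cover the exact inline script body between the tags, and the rendered source shows a space on each side of the code that the original declaration string does not have. The following is an added example, not code from the plugin or from this thread; the declaration, the rendered HTML and the policy strings are constructed, and the whitespace explanation is an assumption that the thread does not confirm. It hashes every inline script found in rendered HTML and lists the ones a given script-src value does not allow.

```python
import base64
import hashlib
import re

# Matches each inline <script ...>body</script>; the body is group 1.
SCRIPT_RE = re.compile(r"<script(?:\s[^>]*)?>(.*?)</script>", re.DOTALL | re.IGNORECASE)


def csp_hash(script_body: str) -> str:
    """Return the CSP source expression 'sha256-<base64>' for an inline script.

    Browsers hash the exact bytes between <script> and </script>, so any
    whitespace a template adds around the code is part of the hashed input.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def inline_script_hashes(html: str) -> list:
    """Hash every inline <script> body found in rendered HTML, as a browser would."""
    return [csp_hash(m.group(1)) for m in SCRIPT_RE.finditer(html)]


def unmatched_hashes(html: str, script_src: str) -> list:
    """Return hashes of rendered inline scripts that the script-src value does not allow."""
    allowed = set(re.findall(r"'(sha256-[A-Za-z0-9+/=]+)'", script_src))
    return [h for h in inline_script_hashes(html) if h not in allowed]


# Constructed sample (hypothetical, not the reporter's page or hash values):
# the declaration as handed to addScriptDeclaration() ...
DECLARATION = "jQuery.event.special.touchstart = {setup:function(_,ns,handle){/* ... */}};"
# ... and the same script as the template rendered it, with a space on each side.
RENDERED_HTML = "<html><head><script> " + DECLARATION + " </script></head></html>"
# A policy built from the declaration string alone (assumed cause of the mismatch) ...
POLICY_FROM_DECLARATION = "script-src 'self' '" + csp_hash(DECLARATION) + "'"
# ... and a policy built from the body that actually reached the browser.
POLICY_FROM_RENDERED = "script-src 'self' '" + csp_hash(" " + DECLARATION + " ") + "'"

if __name__ == "__main__":
    print("declaration hash :", csp_hash(DECLARATION))
    print("rendered hash    :", csp_hash(" " + DECLARATION + " "))
    print("unmatched with declaration policy:", unmatched_hashes(RENDERED_HTML, POLICY_FROM_DECLARATION))
    print("unmatched with rendered policy   :", unmatched_hashes(RENDERED_HTML, POLICY_FROM_RENDERED))
```

Run it against the saved page source and the Content-Security-Policy header the site sends; a non-empty result from `unmatched_hashes` means the policy was computed over different bytes than the template emitted, and the listed hashes are the ones the browser will suggest in its console.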

Headers added only to admin section

Hello,

I have no experience using Joomla, but I ended up supporting one site powered by it... Today I upgraded to 3.9 from 3.5 and did some polishing. I wanted to add some security headers, so I came across this plugin. Everything is working really well in the administration part, but no headers are added for the front end section. Would you please give me a pointer on where I need to look to find the cause?

Thank you, for your response and for the useful plugin.

Missing translations

Hi, just noted that in all the languages the language strings are missing for:

PLG_SYSTEM_HTTPHEADER_XFRAMEOPTIONS_DESC
PLG_SYSTEM_HTTPHEADER_XXSSPROTECTION_DESC
PLG_SYSTEM_HTTPHEADER_XCONTENTTYPEOPTIONS_DESC
PLG_SYSTEM_HTTPHEADER_REFERRERPOLICY_DESC

Thank you

HttpHeader

purchased Template ignoring your plugin

Hello Zero24,

I've installed your plugin and noticed it is not taken into account when using a bought template. When activating the default template it works as expected.

Is there any code which a template would need to have in order to consider your plugin and get the expected outcome?

Kind regards,
Tim

Removing headers

Hi
PHP adds the header X-Powered-By and it seems to be recommended not to send this information.
Would it be possible to have an option to remove this header and perhaps any others that are not recommended?

Header not removed from config.file

If you disable "write headers to config. file", the security header lines remain in the .htaccess/web.config file.
These lines won't be updated anymore if you update the plugin's parameters, creating potential problems.

Question About Plugin Effectiveness

This isn't an issue, so feel free to label accordingly.

Firstly thank you for developing this plugin it's very useful and easy to use! :)

I use a third-party service to monitor and audit my Joomla sites; this service has flagged the headers as an issue, which is why I will be installing your plugin. However, there is a note about plugins not being good enough, as they only run when PHP is invoked, and more work is required to ensure security.

The note is:

Some Joomla Extensions/Plugins that allow you to add headers on responses will allow you to add this header HOWEVER THIS IS NOT GOOD ENOUGH as they only run when PHP is invoked. For the full protection this header has to be returned for EVERY REQUEST in a webspace, not just those that terminate through your index.php or php scripts. This is why our check looks at a 404 page, and not specifically your /index.php or homepage.

Does this mean that your plugin offers some protection, but I would still need to configure security at the web server (e.g. htaccess)?

I had planned to benchmark the results and effectiveness of the plugin on https://securityheaders.com; I assume it will improve the current score.

Thanks
J

After Update to httpheader 1.0.7 a PHP Exception occurred on my site

Hi,
after updating the plugin to 1.0.7, my site reports the following PHP error:

```
A PHP Exception occurred on your site. Here you can find the stack trace:

Exception Type: Error
File: /var/www/vhosts/domain.de/root/cms/plugins/system/httpheader/httpheader.php
Line: 194
Message: Call to undefined method Joomla\CMS\Document\FeedDocument::getHeadData()

#0 /var/www/vhosts/domain.de/root/cms/libraries/joomla/event/event.php(70): PlgSystemHttpHeader->onAfterRender()
#1 /var/www/vhosts/domain.de/root/cms/libraries/joomla/event/dispatcher.php(160): JEvent->update(Array)
#2 /var/www/vhosts/domain.de/root/cms/libraries/src/Application/BaseApplication.php(108): JEventDispatcher->trigger('onafterrender', Array)
#3 /var/www/vhosts/domain.de/root/cms/libraries/src/Application/CMSApplication.php(1050): Joomla\CMS\Application\BaseApplication->triggerEvent('onAfterRender')
#4 /var/www/vhosts/domain.de/root/cms/libraries/src/Application/SiteApplication.php(778): Joomla\CMS\Application\CMSApplication->render()
#5 /var/www/vhosts/domain.de/root/cms/libraries/src/Application/CMSApplication.php(202): Joomla\CMS\Application\SiteApplication->render()
#6 /var/www/vhosts/domain.de/root/cms/index.php(49): Joomla\CMS\Application\CMSApplication->execute()
#7 {main}

Request information
GET variables

Array
(
[format] => feed
[type] => atom
)

POST variables

Array
(
)

COOKIE variables

Array
(
)

REQUEST variables

Array
(
[format] => feed
[type] => atom
[Itemid] => 111
[option] => com_content
[view] => category
[layout] => blog
[id] => 10
[limit] => 10
)

SERVER variables

Array
(
[PATH] => /sbin:/usr/sbin:/bin:/usr/bin
[PP_CUSTOM_PHP_INI] => /var/www/vhosts/system/domain.de/etc/php.ini
[PP_CUSTOM_PHP_CGI_INDEX] => plesk-php73-fastcgi
[SCRIPT_NAME] => /index.php
[REQUEST_URI] => /notizen?format=feed&type=atom
[QUERY_STRING] => format=feed&type=atom
[REQUEST_METHOD] => GET
[SERVER_PROTOCOL] => HTTP/1.0
[GATEWAY_INTERFACE] => CGI/1.1
[REDIRECT_URL] => /notizen
[REDIRECT_QUERY_STRING] => format=feed&type=atom
[REMOTE_PORT] => 53202
[SCRIPT_FILENAME] => /var/www/vhosts/domain.de/root/cms/index.php
[SERVER_ADMIN] => root@localhost
[DOCUMENT_ROOT] => /var/www/vhosts/domain.de/root/cms
[REMOTE_ADDR] => 157.55.39.178
[SERVER_PORT] => 443
[SERVER_ADDR] => 128.127.71.239
[SERVER_NAME] => www.domain.de
[SERVER_SOFTWARE] => Apache
[SERVER_SIGNATURE] =>
[HTTP_USER_AGENT] => Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
[HTTP_ACCEPT_ENCODING] => gzip, deflate
[HTTP_ACCEPT] => /
[HTTP_PRAGMA] => no-cache
[HTTP_CACHE_CONTROL] => no-cache
[HTTP_CONNECTION] => close
[HTTP_X_ACCEL_INTERNAL] => /internal-nginx-static-location
[HTTP_X_FORWARDED_FOR] => 157.55.39.178
[HTTP_X_REAL_IP] => 157.55.39.178
[HTTP_HOST] => www.domain.de
[HTTPS] => on
[UNIQUE_ID] => XWN6fYB-R@6BBFO9M4wBBBBBG
[REDIRECT_STATUS] => 200
[REDIRECT_HTTPS] => on
[REDIRECT_HTTP_AUTHORIZATION] =>
[REDIRECT_UNIQUE_ID] => XVN8fYB-R@8AAFO9M4wAAAAG
[FCGI_ROLE] => RESPONDER
[PHP_SELF] => /index.php
[REQUEST_TIME_FLOAT] => 1565752445.333
[REQUEST_TIME] => 1565752445
)
```

WBR,
deltapapa

Error parsing header X-XSS-Protection

On my Nginx server I have already configured some HTTP Security headers.

  • Clickjacking Protection
  • Cross-site scripting (XSS) Protection
  • Mime Sniffing Protection

Using HttpHeader Plugin version 1.0.12 at the same time might give double entries in the HTTP header.

However, a double X-XSS-Protection will trigger the following error in the browser Console:

Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 13. The default protections will be applied.

I am not sure if an automatic check is possible and/or desirable. Maybe you could put a short note in the documentation.

Feature request: Secure and HttpOnly cookies

I am not sure if this feature fits within the scope of this plugin :-)

I would like to add a http header for "HttpOnly cookies" as described in

The plugin has an option to specify & force HTTP headers.
However, for this HttpOnly cookies specification, you'll need the cookie name + value (which both can change).

Is it possible (and useful) to add this option, together with retrieving the right names + values from Joomla?

Thanks!

Testing HttpHeader Plugin

Hi,

Just coming up to speed on response headers - all new to me. So I looked around for potential solutions to apply header security to my pre-V4 Joomla sites, and proceeded to test this "http header" plugin on one of my sites: nzjoomla.co.nz
PHP: 7.3.25
Joomla: 3.10.2

I downloaded and installed the plugin - enabled default and then checked it at: https://securityheaders.com which gave it a poor result - no headers.

However, no security headers appeared. So I changed the template to a Joomla default and re-tested; again no headers appeared.
Removed and then reinstalled the plugin (enabled) and retested - no change.

Would be keen to get this plugin successfully tested on my joomla installation so I can look at applying it elsewhere. So hope you can assist.

Thanks
Henk

Directive Referrer-Policy

Why do I still get this warning:

Referrer-Policy | You should explicitly set your Referrer Policy.

when, to be clear, I have set up this directive:

[Screenshot: Referrer-Policy setting in the plugin configuration]

RSS feeds not working anymore after enabling the plugin

Hello :)
I'm almost sure that this is due to my plugin configuration.
So here is a bit of information about the scenario.

RSS Feeds

They are generated for Joomla categories of articles.
The URL format is the following (the site is using "Legacy Routing"):

[SITE URL]/notizie.feed?type=rss


Plugin Configuration

  • X-Frame-Options: Enabled
  • X-XSS-Protection: Enabled
  • Referrer-Policy: no-referrer-when-downgrade

Additional HTTP headers:
Header: Feature-Policy
Value: geolocation 'none'
Site-only


  • HTTP Strict Transport Security (HSTS): Enabled
  • Max Time: 31536000
  • Subdomains: enabled
  • Preload: disabled

CSP: Enabled
Report-Only: Disabled
Script hashes: Disabled
Style hashes: Disabled

Policies enabled:

  • default-src
  • script-src
  • style-src
  • img-src
  • font-src
  • media-src
  • form-action
  • upgrade-insecure-requests
  • block-all-mixed-content

What is wrong? :)
Disabling the plugin restores feed functionality.

Double headers if site cache plugin is enabled

If you have the site cache plugin enabled, headers are set twice on the second page reload.

What I expected was that headers are set only once, like this:
[Screenshot: correct headers, each set once]

What I got is this:
[Screenshots: double headers, first and second capture]

How to reproduce:
Just activate the site cache plugin and reload the site twice.
Checked on multiple sites.

If you disable the site cache plugin, headers are set as expected on every reload.

My environment
PHP 7.2.10 FPM-CGI
Apache 2.4
MySQL 5.7
Cache backend: APCu
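Both the Nginx report above ("Error parsing header X-XSS-Protection") and this cache-plugin report come down to the same symptom: a security header emitted twice in one response, which browsers fold into a single comma-joined value that then fails to parse. The following is an added example, not code from the plugin or from either reporter; the raw response it parses is constructed. It reads the header block of an HTTP/1.x response, folds repeated fields the way a browser does, and reports only the security headers this plugin manages, so legitimately repeatable fields such as Set-Cookie are not flagged.

```python
from collections import OrderedDict

# Response headers this plugin manages (compared case-insensitively).
SECURITY_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "content-security-policy-report-only",
    "x-frame-options",
    "x-xss-protection",
    "x-content-type-options",
    "referrer-policy",
    "expect-ct",
    "feature-policy",
}


def parse_headers(raw_response: str) -> list:
    """Split the header block of a raw HTTP/1.x response into (name, value) pairs.

    The status line is skipped and parsing stops at the empty line that
    separates headers from the body. Names are lower-cased; values are stripped.
    """
    pairs = []
    for line in raw_response.split("\r\n")[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def duplicated_headers(pairs: list) -> dict:
    """Map each header name sent more than once to its folded value.

    Repeated fields are joined with ', ', which is how a browser combines them
    and why a doubled X-XSS-Protection shows up in the console as
    '1; mode=block, 1; mode=block' and is rejected as malformed.
    """
    seen = OrderedDict()
    for name, value in pairs:
        seen.setdefault(name, []).append(value)
    return {name: ", ".join(values) for name, values in seen.items() if len(values) > 1}


def duplicated_security_headers(raw_response: str) -> dict:
    """Only the managed security headers that were sent twice; Set-Cookie and
    other legitimately repeatable fields are ignored."""
    dupes = duplicated_headers(parse_headers(raw_response))
    return {name: value for name, value in dupes.items() if name in SECURITY_HEADERS}


# Constructed sample response (hypothetical): the web server and the plugin
# each emit X-XSS-Protection, while the two Set-Cookie fields are a normal repeat.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: a=1; HttpOnly\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: b=2; HttpOnly\r\n"
    "\r\n"
    "<html></html>\r\n"
)

if __name__ == "__main__":
    for name, value in duplicated_security_headers(SAMPLE_RESPONSE).items():
        print(f"duplicate {name}: {value}")
```

Feed it the output of `curl -si <url>` (which keeps the CRLF header block intact); fetching the same page twice and running the check on the second response is the quickest way to confirm the cache-plugin case, and running it on a page served by Nginx with its own header directives confirms the first.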

Update from 1.0.11 to 1.0.12 does not go through

Hi,
I think a small bug has crept in. The update from 1.0.11 to 1.0.12 runs smoothly, but I still see it as an update in the backend afterwards. Under Extensions / Manage, the plugin is also still shown as 1.0.11 after the update.

WBR,
deltapapa

Improvement to be made

I moved to Joomla 4 recently. My observation was that many plugins are not CSP friendly. They write <script> in the body and also use inline event handlers sparingly.

This httpheader plugin is great, but I still encountered 2 issues before I could take the policy out of report-only:

  1. It seems to me that this plugin generates a "nonce" for scripts in the "head" only. <script> inside the "body" is not treated.
  2. The keyword {nonce} does not work in script-src-elem for an "unknown reason".

I can work around these issues by calculating the "sha256-" hashes myself and putting the hashes in script-src for inline <script> in the body, and 'unsafe-hashes' for inline event handlers.

These workarounds work in Chrome and Edge but not Firefox.

Firefox does not support script-src-elem, script-src-attr nor 'unsafe-hashes' at all. The only way for the site to work in Firefox, unless they change, is to put 'unsafe-inline' in script-src. Any nonce or hashes in script-src will void the 'unsafe-inline'.

Ideally the settings that work for Chrome, Edge and Firefox with the best XSS protection are:
script-src: 'self' 'unsafe-inline'
script-src-elem: 'self' {nonce} and my manual 'sha256-' hashes
script-src-attr: my manual 'sha256-' hashes for inline event handlers.

My requests are:

  1. Make {nonce} work for script-src-elem. This is critical for a workable solution across the main browsers.
  2. Optionally, if the plugin nonce could cover inline <script> in the body, that would save one from computing sha256 hashes.
