zero-24 / plg_system_httpheader
This is a Joomla Plugin that provides setting of HTTP Headers
Hi,
I am trying to add a CSP to the subdomain ftp.[my-domain] and I was wondering how I can do it from the plugin configuration settings or if I can do it at all. I'm very new to all this, so sorry if it's an easy answer.
Thank you,
Dear sir
as in my subject, my client's server is only available with PHP 5.4; therefore, would you mind sending me a httpHeader plugin for PHP 5.4 only?
Thanks indeed
Fion
Can I just check that in order to update to the latest version I can simply download the latest version of the plugin, upload & install in my Joomla site and my existing version will be updated?
Thanks!
Hi. I am using J 3.5 and System - HTTPHeaders 1.0.17
I don't have a problem on other sites... just here. What can cause the PP not to be seen in the code? Can the template cause it? I'm not a security expert, I install this plugin automatically when I start a new website and I use the same settings for all websites (I have it saved in pspad).
Hi,
with the latest release I updated the language string for the Additional HTTP Header
based on the feedback I got from @brianteeman on the main repo, can you please send PRs or the new translation for the attached string so I can include them in the next release.
The main change was from additional
to Force
as in the end we force the headers you set here :)
Feel free to ask any questions that come up :)
Here are the new mentioned en-GB strings
PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER="Force HTTP Headers"
PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_DESC="Using this you can set different values from the default ones and also force headers. The supported headers are: <br><ul><li>Strict-Transport-Security</li><li>Content-Security-Policy</li><li>Content-Security-Policy-Report-Only</li><li>X-Frame-Options</li><li>X-XSS-Protection</li><li>X-Content-Type-Options</li><li>Referrer-Policy</li><li>Expect-CT</li><li>Feature-Policy</li></ul>"
cc
for fr-FR @Sandra97 & @YGomiero
for it-IT @jeckodevelopment
for nl-NL by @pe7er
Thanks for all your translations! 👍
Great plugin!!
problem is that hashes do not match for all of my inline scripts (tested different sites).
resulted source-code:
<script> jQuery.event.special.touchstart = {setup:function(_,ns,handle){if(ns.includes("noPreventDefault")){this.addEventListener("touchstart",handle,{passive:false});}else{this.addEventListener("touchstart",handle,{passive:true});}}}; </script>
index.php actual code:
addScriptDeclaration('jQuery.event.special.touchstart = {setup:function(_,ns,handle){if(ns.includes("noPreventDefault")){this.addEventListener("touchstart",handle,{passive:false});}else{this.addEventListener("touchstart",handle,{passive:true});}}};');?>
plugin generated SHA:
'sha256-XI5T8OJWCoAGU2W72aYqY5yVhW6R4SBObwSw5/58qfk='
chrome (v91) console suggested SHA:
'sha256-nkBC8t4FwQ13XFZT8S2npkwkSACUDGTSNQd5CXK1xq0='
thanks
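The mismatch reported above is the classic cause of CSP hash failures: the browser hashes the exact bytes between `<script>` and `</script>`, whitespace included, while the rendered output in the post has a space on each side of the declaration. The following added example (not code from the plugin or the issue author) computes the CSP hash-source both ways and reports the whitespace that explains the difference. The declaration text and rendered tag are constructed samples.

```python
import base64
import hashlib


def csp_hash(inline_source: str, algorithm: str = "sha256") -> str:
    """Return the CSP hash-source ("sha256-<base64>") for exactly this text.

    Browsers hash the UTF-8 bytes between <script> and </script>, whitespace
    included, so the input must be the text that actually reaches the page,
    not the string handed to the templating API.
    """
    digest = hashlib.new(algorithm, inline_source.encode("utf-8")).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def emitted_script_body(rendered_tag: str) -> str:
    """Return the text between the opening <script ...> tag and </script>."""
    start = rendered_tag.index(">") + 1
    end = rendered_tag.rindex("</script>")
    return rendered_tag[start:end]


def diagnose(declaration: str, rendered_tag: str) -> dict:
    """Compare the hash of the declared source with the hash of what was emitted."""
    body = emitted_script_body(rendered_tag)
    declared_hash = csp_hash(declaration)
    emitted_hash = csp_hash(body)
    return {
        "declared_hash": declared_hash,
        "emitted_hash": emitted_hash,
        "matches": declared_hash == emitted_hash,
        # Whitespace the renderer added around the declaration.
        "leading_ws": len(body) - len(body.lstrip()),
        "trailing_ws": len(body) - len(body.rstrip()),
    }


# Constructed sample (hypothetical, not the plugin's output): the declaration a
# template passes to addScriptDeclaration(), and the tag as the page renders it,
# with one space on either side as in the source shown in the post above.
DECLARATION = "document.documentElement.classList.add('js');"
RENDERED = f"<script> {DECLARATION} </script>"

if __name__ == "__main__":
    for key, value in diagnose(DECLARATION, RENDERED).items():
        print(f"{key}: {value}")
```

Whichever side generates the hash has to see the final markup; hashing the argument to `addScriptDeclaration()` only works if the document renderer emits it byte-for-byte, with no added padding.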
Hello,
I have no experience using Joomla, but I ended up supporting one site powered by it... Today I upgraded to 3.9 from 3.5 and made some polishing. I wanted to add some security headers so I came across this plugin. Everything is working really well in the administration part, but no headers are added for the front end section. Would you please give me some pointers on where I need to look to find the cause?
Thank you, for your response and for the useful plugin.
Hi,
there's a great tool out there for Firefox that helps you set a base line for your CSP settings for a given site. It's really handy because it gives a great starting point.
https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/
It would be nice if the tool would be able to just accept the copied result from the addon and parse it... into a raw reply or into separate items.
Anyway, kudos and thank you for this addon!
Hello Zero24,
I've installed your plugin and noticed it is not taken into account when using a bought template. When activating the default template it works as expected.
Is there any code which a template would need to have in order to consider your plugin and get the expected outcome?
Kind regards,
Tim
Hi
PHP adds the header X-Powered-By and it seems to be recommended not to send this information.
Would it be possible to have an option to remove this header and perhaps any others that are not recommended?
Skip any processing in case we are not running on an HTML site
As CSP is only relevant on HTML sites
If you disable "write headers to config. file", security headers lines remain in .htaccess/web.config file.
These lines won't be updated anymore if you update plugin's parameters, creating potential problems.
This isn't an issue, so feel free to label accordingly.
Firstly thank you for developing this plugin it's very useful and easy to use! :)
I use a third party service to monitor and audit my Joomla sites, this service has flagged the headers as an issue which is why I will be installing your plugin. However there is a note about plugins not being good enough as they only run when PHP is invoked, and more work is required to ensure security.
The note is;
Some Joomla Extensions/Plugins that allow you to add headers on responses will allow you to add this header HOWEVER THIS IS NOT GOOD ENOUGH as they only run when PHP is invoked. For the full protection this header has to be returned for EVERY REQUEST in a webspace, not just those that terminate through your index.php or php scripts. This is why our check looks at a 404 page, and not specifically your /index.php or homepage.
Does this mean that your plugin offers some protection, but I would still need to configure security at the web server (e.g. htaccess)?
I had planned to benchmark the results and effectiveness of the plugin on https://securityheaders.com I assume it will improve the current score.
Thanks
J
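The note quoted above is accurate: a plugin running inside Joomla can only add headers to responses that pass through index.php, so 404s for missing files and directly served static assets never see them, and the X-Powered-By question a few posts up has the same answer. Both are handled at the web server. The following is an added example of an Apache mod_headers fragment (not the block the plugin writes with its "write headers to config file" option); it assumes mod_headers is loaded and that .htaccess overrides are permitted for the site.

```apache
# Added example, not the plugin's generated configuration. Requires mod_headers.
<IfModule mod_headers.c>
    # "always" puts the header on every response Apache emits, including
    # 404s and static files, not only on successful responses.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Remove the PHP version banner. The authoritative fix is expose_php = Off
    # in php.ini; unsetting here covers hosts where php.ini cannot be changed.
    Header always unset X-Powered-By
</IfModule>
```

Set each header in exactly one place. If the plugin also emits a header that the server sets, clients receive it twice, which for some headers (X-XSS-Protection is one case reported on this tracker) produces a parse error rather than a harmless repeat.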
Hi,
after updating the plugin to 1.0.7, my site reports the following PHP error:
```
A PHP Exception occurred on your site. Here you can find the stack trace:
Exception Type: Error
File: /var/www/vhosts/domain.de/root/cms/plugins/system/httpheader/httpheader.php
Line: 194
Message: Call to undefined method Joomla\CMS\Document\FeedDocument::getHeadData()
#0 /var/www/vhosts/domain.de/root/cms/libraries/joomla/event/event.php(70): PlgSystemHttpHeader->onAfterRender()
#1 /var/www/vhosts/domain.de/root/cms/libraries/joomla/event/dispatcher.php(160): JEvent->update(Array)
#2 /var/www/vhosts/domain.de/root/cms/libraries/src/Application/BaseApplication.php(108): JEventDispatcher->trigger('onafterrender', Array)
#3 /var/www/vhosts/domain.de/root/cms/libraries/src/Application/CMSApplication.php(1050): Joomla\CMS\Application\BaseApplication->triggerEvent('onAfterRender')
#4 /var/www/vhosts/domain.de/root/cms/libraries/src/Application/SiteApplication.php(778): Joomla\CMS\Application\CMSApplication->render()
#5 /var/www/vhosts/domain.de/root/cms/libraries/src/Application/CMSApplication.php(202): Joomla\CMS\Application\SiteApplication->render()
#6 /var/www/vhosts/domain.de/root/cms/index.php(49): Joomla\CMS\Application\CMSApplication->execute()
#7 {main}
Request information
GET variables
Array
(
[format] => feed
[type] => atom
)
POST variables
Array
(
)
COOKIE variables
Array
(
)
REQUEST variables
Array
(
[format] => feed
[type] => atom
[Itemid] => 111
[option] => com_content
[view] => category
[layout] => blog
[id] => 10
[limit] => 10
)
SERVER variables
Array
(
[PATH] => /sbin:/usr/sbin:/bin:/usr/bin
[PP_CUSTOM_PHP_INI] => /var/www/vhosts/system/domain.de/etc/php.ini
[PP_CUSTOM_PHP_CGI_INDEX] => plesk-php73-fastcgi
[SCRIPT_NAME] => /index.php
[REQUEST_URI] => /notizen?format=feed&type=atom
[QUERY_STRING] => format=feed&type=atom
[REQUEST_METHOD] => GET
[SERVER_PROTOCOL] => HTTP/1.0
[GATEWAY_INTERFACE] => CGI/1.1
[REDIRECT_URL] => /notizen
[REDIRECT_QUERY_STRING] => format=feed&type=atom
[REMOTE_PORT] => 53202
[SCRIPT_FILENAME] => /var/www/vhosts/domain.de/root/cms/index.php
[SERVER_ADMIN] => root@localhost
[DOCUMENT_ROOT] => /var/www/vhosts/domain.de/root/cms
[REMOTE_ADDR] => 157.55.39.178
[SERVER_PORT] => 443
[SERVER_ADDR] => 128.127.71.239
[SERVER_NAME] => www.domain.de
[SERVER_SOFTWARE] => Apache
[SERVER_SIGNATURE] =>
[HTTP_USER_AGENT] => Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
[HTTP_ACCEPT_ENCODING] => gzip, deflate
[HTTP_ACCEPT] => /
[HTTP_PRAGMA] => no-cache
[HTTP_CACHE_CONTROL] => no-cache
[HTTP_CONNECTION] => close
[HTTP_X_ACCEL_INTERNAL] => /internal-nginx-static-location
[HTTP_X_FORWARDED_FOR] => 157.55.39.178
[HTTP_X_REAL_IP] => 157.55.39.178
[HTTP_HOST] => www.domain.de
[HTTPS] => on
[UNIQUE_ID] => XWN6fYB-R@6BBFO9M4wBBBBBG
[REDIRECT_STATUS] => 200
[REDIRECT_HTTPS] => on
[REDIRECT_HTTP_AUTHORIZATION] =>
[REDIRECT_UNIQUE_ID] => XVN8fYB-R@8AAFO9M4wAAAAG
[FCGI_ROLE] => RESPONDER
[PHP_SELF] => /index.php
[REQUEST_TIME_FLOAT] => 1565752445.333
[REQUEST_TIME] => 1565752445
)
```
WBR,
deltapapa
On my Nginx server I have already configured some HTTP Security headers.
Using HttpHeader Plugin version 1.0.12 at the same time might give double entries in the HTTP header.
However, a double X-XSS-Protection will trigger the following error in the browser Console:
Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 13. The default protections will be applied.
I am not sure if an automatic check is possible and/or desirable. Maybe you could put a short note in the documentation.
I am not sure if this feature fits within the scope of this plugin :-)
I would like to add a http header for "HttpOnly cookies" as described in
The plugin has an option to specify & force HTTP headers.
However, for this HttpOnly cookies specification, you'll need the cookie name + value (which both can change).
Is it possible (and useful) to add this option, together with retrieving the right names + values from Joomla?
Thanks!
Hi
Would it be possible to add support for Permissions-Policy
Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.
https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
Matthew
Hi,
Just coming up to speed on response headers - all new to me. So looked around for potential solutions to apply header security to my pre V4 Joomla sites. So proceeded to test this "http header" plugin on one of my sites: nzjoomla.co.nz
PHP: 7.3.25
Joomla: 3.10.2
I downloaded and installed the plugin - enabled default and then checked it at: https://securityheaders.com which gave it a poor result - no headers.
However - no security headers appeared. So changed the template to a Joomla default and re-tested, again no headers appeared.
Removed and the reinstalled the plugin (enabled) and retested - no change.
Would be keen to get this plugin successfully tested on my joomla installation so I can look at applying it elsewhere. So hope you can assist.
Thanks
Henk
Hello :)
I'm almost sure that is due to my plugin configuration.
So a bit of information about the scenario.
they are generated for Joomla categories of articles.
URL format is the following
The site is using "Legacy Routing".
[SITE URL]/notizie.feed?type=rss
no-referrer-when-downgrade
Additional HTTP headers:
Header: Feature-Policy
Value: geolocation 'none'
Site-only
CSP: Enabled
Report-Only: Disabled
Script hashes: Disabled
Style hashes: Disabled
Policies enabled:
What is wrong? :)
Disabling the plugin restores feed functionality.
If you have enabled the site cache plugin, headers are set twice on the second page reload.
What I expected was that headers are set only once, like this:
How to reproduce
Just activate the site cache plugin and reload the site twice
Checked on multiple sites
If you disable the site cache plugin, headers are set as expected at every reload
My environment
PHP 7.2.10 FPM-CGI
Apache 2.4
MySQL 5.7
Cache backend: APCu
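Two reports on this page describe the same symptom from different causes: headers set both by Nginx and by the plugin, and headers set twice when the site cache plugin replays a cached response. Clients fold repeated header fields into one comma-joined value, which is why the browser console shows `X-XSS-Protection: 1; mode=block, 1; mode=block` and rejects it. The following added example (not the plugin's code) parses a captured response and lists the security headers that occur more than once; the raw response below is a constructed sample, not output from either reporter's server.

```python
from collections import defaultdict

# Header names this plugin manages, plus Permissions-Policy (requested above).
SECURITY_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "content-security-policy-report-only",
    "x-frame-options",
    "x-xss-protection",
    "x-content-type-options",
    "referrer-policy",
    "expect-ct",
    "feature-policy",
    "permissions-policy",
}


def parse_response_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into {lowercase name: [values]}.

    Every occurrence is kept, so a header sent twice yields a two-element list.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = defaultdict(list)
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def duplicated_security_headers(raw: str) -> dict:
    """Return only the security headers that appear more than once."""
    return {
        name: values
        for name, values in parse_response_headers(raw).items()
        if name in SECURITY_HEADERS and len(values) > 1
    }


def as_browser_sees(values: list) -> str:
    """Repeated fields are combined into a single comma-separated value (RFC 9110 section 5.3)."""
    return ", ".join(values)


# Constructed sample response: X-XSS-Protection and X-Frame-Options arrive twice,
# once from the web server and once from the plugin; Content-Type arrives once.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for name, values in duplicated_security_headers(SAMPLE_RESPONSE).items():
        print(f"{name} sent {len(values)}x -> browser sees: {as_browser_sees(values)}")
```

A captured response from `curl -sI` on the page URL, fetched twice with the cache plugin enabled, is the input a practitioner would feed in to confirm the second report above.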
Hi,
I think a small bug has crept in. The update from 1.0.11 to 1.0.12 runs smoothly, but I still see it as an update in the backend afterwards. Under Extensions / Manage, the plugin is also still shown to me as 1.0.11 after the update.
WBR,
deltapapa
What would cause this plugin to stop working? None of the code is showing up on my website headers?
Everything is enabled and it's the latest version https://github.com/zero-24/plg_system_httpheader
I've uninstalled and reinstalled the plugin, but still no luck
Using Joomla 3.10 (to be upgraded), PHP8
I moved to Joomla4 recently. My observation was that many plugins are not CSP friendly. They write <script> in the body and also use inline event handlers sparingly.
This httpheader plugin is great but still I encountered 2 issues before I can set the policy out of report-only:
I can work around these issues by calculating the "sha256-" hashes myself and putting the hashes in script-src for inline <script> in the body and 'unsafe-hashes' for inline event handlers.
These workarounds work in Chrome and Edge but not Firefox.
Firefox does not support script-src-elem, script-src-attr nor 'unsafe-hashes' at all. The only way for the site to work for Firefox, unless they change, is to put 'unsafe-inline' in the script-src. Any nonce or hashes there in script-src will void the 'unsafe-inline'.
Ideally the settings that work for Chrome, Edge and Firefox with the best XSS protection are:
script-src: 'self' 'unsafe-inline'
script-src-elem: 'self' {nonce} and my manual 'sha256-hashes'
script-src-attr: my manual 'sha256-hashes' for inline event handlers.
My requests are:
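The policy sketched above relies on two CSP rules: a nonce or hash in a directive disables 'unsafe-inline' in that same directive, and script-src-elem / script-src-attr fall back to script-src in a browser that does not honour them. The following added example (not the plugin's code, and not the poster's configuration) models those rules so the effective protection can be compared for a browser with and without the CSP3 directives. The inline script, the event handler body, the nonce and the "unhashed" script standing in for content the site did not allow-list are all constructed values.

```python
import base64
import hashlib

# Directives a CSP3-capable browser honours; an older browser uses the empty set.
CSP3_DIRECTIVES = {"script-src-elem", "script-src-attr"}


def csp_hash(source: str) -> str:
    """CSP hash-source for exactly this text (script body or handler attribute value)."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def parse_policy(policy: str) -> dict:
    """Split 'name src src; name src' into {name: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def governing_sources(directives: dict, directive: str, supported: set) -> list:
    """The source list that governs a script element or attribute.

    script-src-elem / script-src-attr apply only when the browser supports them
    and the policy defines them; otherwise the check falls back to script-src.
    """
    if directive in supported and directive in directives:
        return directives[directive]
    return directives.get("script-src", [])


def allows_inline(sources: list, text: str, kind: str, nonce: str = None) -> bool:
    """Decide whether inline content is allowed under one source list.

    kind is "elem" for a <script> body or "attr" for an event handler value.
    """
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)
    # 'unsafe-inline' is ignored as soon as the same directive carries a nonce or hash.
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    # Nonces apply to script elements, never to handler attributes.
    if kind == "elem" and nonce and f"'nonce-{nonce}'" in sources:
        return True
    if f"'{csp_hash(text)}'" in sources:
        # Hashes match script elements directly; handlers also need 'unsafe-hashes'.
        return kind == "elem" or "'unsafe-hashes'" in sources
    return False


def evaluate(policy: str, supported: set, inline_script: str, handler: str, unhashed: str) -> dict:
    """Report what one browser profile allows under the policy."""
    directives = parse_policy(policy)
    elem_sources = governing_sources(directives, "script-src-elem", supported)
    attr_sources = governing_sources(directives, "script-src-attr", supported)
    return {
        "inline_script": allows_inline(elem_sources, inline_script, "elem"),
        "event_handler": allows_inline(attr_sources, handler, "attr"),
        # A script body not in the allow-list: False means the policy blocks it.
        "unhashed_script": allows_inline(elem_sources, unhashed, "elem"),
    }


# Constructed values standing in for a site's own inline code.
INLINE_SCRIPT = "document.documentElement.classList.add('js');"
HANDLER = "toggleMenu()"
UNHASHED = "unexpectedInlineScript();"
NONCE = "c0n5truct3dN0nc3"  # hypothetical nonce; real ones are random per response

# The layered policy described in the post above, with hashes computed here.
POLICY = (
    "script-src 'self' 'unsafe-inline'; "
    f"script-src-elem 'self' 'nonce-{NONCE}' '{csp_hash(INLINE_SCRIPT)}'; "
    f"script-src-attr 'unsafe-hashes' '{csp_hash(HANDLER)}'"
)

if __name__ == "__main__":
    print("CSP3 browser :", evaluate(POLICY, CSP3_DIRECTIVES, INLINE_SCRIPT, HANDLER, UNHASHED))
    print("fallback     :", evaluate(POLICY, set(), INLINE_SCRIPT, HANDLER, UNHASHED))
```

The two printed lines make the trade-off explicit: the CSP3 profile allows only the allow-listed script and handler, while the fallback profile lands on `script-src 'self' 'unsafe-inline'` and allows every inline script, the unhashed one included. The policy is therefore only as strong as the weakest browser profile it has to serve.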
Add to custom header dropdown