[Support request] Vulnerability


  • #1645411
    Karsten

    Hey friends,

    our webpagetest looks great, only the security check is negative.

    Please check and advise.

    https://www.webpagetest.org/result/210201_DiHG_8bf47b17391ef5242553dcfcd06219eb/

    Thank you

    Best regards,

    Karsten

    #1645448
    David
    Staff
    Customer Support

    Hi there,

    if you click on the F rating icon it will take you to the vulnerability database with a list of the issues your site has:

    https://snyk.io/test/website-scanner/?test=210201_DiHG_8bf47b17391ef5242553dcfcd06219eb&utm_medium=referral&utm_source=webpagetest&utm_campaign=website-scanner

    Those are all related to your server setup, you should speak to your host about them, or look at adding a security plugin to resolve those issues.

    #1645454
    Karsten

    Hi David,

    thank you for your quick response. My host is wpEngine. I will talk to them. Have a nice weekend.

    Karsten

    #1645460
    Karsten

    Here is the answer from my host:

    I can add X-FRAME options for you, though it may not mesh with parts of the site depending on how you or your developer have set it up. As for HSTS, the details for setting that up can be found here: https://wpengine.com/support/platform-settings/#Security_Headers under HSTS

    I can add the Nginx rule for that for you, however you would need to complete the setup as laid out in that article.

    Well all of those are optional, the security that we use on the server is quite robust, everything else is something that we would recommend you or another developer to investigate first, as it could cause issues with the site depending on how it’s set up. We can then add the headers at any time for you. There shouldn’t be any issue with me adding the X-Frame options for you at the moment if you’d like, then you or another developer would need to investigate the other options.

    #1645467
    Karsten

    The site is working smooth, however development work such as what I outlined is out of scope for us. You would need to get a developer to check your site to see what works with it in terms of security. I can add the security headers in that link you sent me, though I can’t guarantee that it won’t impact site functionality.

    #1645468
    Karsten

    But I can add them for you now if you would like them added anyway, there’s no problem there

    #1645475
    Karsten

    David, do you think we should add the security headers?

    #1645789
    David
    Staff
    Customer Support

    It’s not something I can’t advise upon without putting some liability on GP, as these settings really depend on the site they’re being applied to.

    Personal view: If the host says there are no issues adding them then it’s worth doing so. The one that is most likely to cause an issue is the Content Security Policy; if your site makes any requests to a 3rd party server then a blanket policy would stop them from loading, so any third party URLs that you want to trust would need to be included in the policy.
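    The point about third-party URLs is the one that trips most sites up. The script below is an added example written for this thread; it is not code from GeneratePress, WP Engine, WebPageTest or the scanner, and every origin, policy string and header in it is constructed for illustration. It does two things a site owner can run before asking the host to switch headers on: it lists which of the three headers discussed here (HSTS, X-Frame-Options, Content-Security-Policy) are absent from a captured response, and it evaluates a candidate CSP against the third-party requests a page actually makes, so the origins a blanket policy would block are known in advance. Source matching follows the CSP host-source rules (scheme, wildcard subdomain, port, path prefix, fallback to default-src) in simplified form: path matching is plain prefix matching and IPv6 hosts are not handled.

```python
"""Added example (not from the thread or any product named in it):
check a response for the security headers discussed above and test a
Content-Security-Policy against the third-party requests a page makes."""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent.
# frame-ancestors deliberately does not, per the CSP specification.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "frame-src", "object-src",
}

# The headers this thread is about, compared case-insensitively.
REQUIRED_HEADERS = (
    "strict-transport-security", "x-frame-options", "content-security-policy",
)


def missing_security_headers(headers: dict) -> list:
    """Return the discussed headers that are absent from a response."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_HEADERS if h not in present]


def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _host_matches(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):          # *.cdn.example matches a.cdn.example, not cdn.example
        return host.endswith(pattern[1:])
    return pattern == host


def _source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Does one CSP source expression permit a request to url?"""
    req = urlsplit(url)
    page_scheme = urlsplit(page_origin).scheme
    if expr == "'none'":
        return False
    if expr == "'self'":
        page = urlsplit(page_origin)
        return (req.scheme, req.netloc) == (page.scheme, page.netloc)
    if expr.startswith("'"):              # nonces, hashes, 'unsafe-inline': no host named
        return False
    if expr.endswith(":") and "://" not in expr:   # scheme-source such as https: or data:
        return req.scheme == expr[:-1].lower()
    # host-source: [scheme://]host[:port][/path]
    scheme, _, rest = expr.partition("://") if "://" in expr else ("", "", expr)
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if scheme and scheme.lower() != req.scheme:
        return False
    if not scheme and req.scheme not in (page_scheme, "https"):
        return False
    default_port = {"https": 443, "http": 80}.get(req.scheme)
    if port and port != "*" and port != str(req.port or default_port):
        return False
    if not _host_matches(host, req.hostname or ""):
        return False
    if path and not req.path.startswith("/" + path):   # simplified: prefix match only
        return False
    return True


def csp_allows(policy: str, directive: str, url: str, page_origin: str) -> bool:
    """Would this policy permit a fetch governed by `directive` to `url`?"""
    directives = parse_csp(policy)
    sources = directives.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = directives.get("default-src")
    if sources is None:
        return True                        # nothing applies: CSP imposes no restriction
    return any(_source_matches(s, url, page_origin) for s in sources)


def blocked_third_parties(policy: str, page_origin: str, requests) -> list:
    """requests: iterable of (directive, url). Returns those the policy would stop."""
    return [(d, u) for d, u in requests if not csp_allows(policy, d, u, page_origin)]


# Constructed sample data: a page origin, a candidate policy, and the
# requests observed in that page's network log.
PAGE = "https://www.example-site.test"
POLICY = "default-src 'self'; script-src 'self' https://cdn.example.net; img-src 'self' https: data:"
REQUESTS = [
    ("script-src", "https://cdn.example.net/lib.js"),
    ("script-src", "https://analytics.example.org/tag.js"),
    ("img-src", "https://images.example.org/logo.png"),
    ("connect-src", "https://api.example.org/v1/stats"),
    ("font-src", "https://www.example-site.test/fonts/a.woff2"),
]
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    print("missing headers:", missing_security_headers(SAMPLE_HEADERS))
    for directive, url in blocked_third_parties(POLICY, PAGE, REQUESTS):
        print(f"blocked by {directive}: {url}")
```

    Run as-is it reports the two missing headers and flags the analytics script and the API call: the script host is not listed in script-src, and connect-src has no entry of its own so it inherits default-src 'self'. Those are exactly the origins that would have to be added to the policy before the host enables it; the image host passes because img-src allows any https: source.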

    #1645923
    Karsten

    Thank you, David

    #1646630
    David
    Staff
    Customer Support

    #1655022
    Karsten

    Just a short update.

    WPengine added the security headers. Now the security test looks good.

    https://www.webpagetest.org/result/210211_DiCD_9a33f369e8d255b76378876084487a29/

    #1655558
    David
    Staff
    Customer Support