X-XSS-Protection Header Missing Rapid Weaver 8


(Bernard Horsford) #1

There is a problem in my Rapid Weaver 8 website, which uses the Voyager theme, in that the crawl reports from two independent site optimisation companies are telling me that the X-XSS-Protection header is missing. I should be grateful if you can let me know how this can be rectified, as it is causing search problems.


(...) #2

THIS IS DANGEROUS!

You will need to apply this to your .htaccess file. It can be in the header of your themes, but if you edit that and then later update the theme you will lose it and have to re-enter it. This is once and forget, though it will very slightly slow down server response time.

This will give you an A+ in security (https://securityheaders.com) but it MAY also deny certain scripts from running on your website or mess with preview in RapidWeaver.

<IfModule mod_headers.c>
# Tell browsers to use HTTPS only for a year, including subdomains; only emitted on HTTPS responses
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
# Send the Referer header only to pages on the same origin
Header always set Referrer-Policy "same-origin"
# Only this site may embed its own pages in a frame
Header always set X-Frame-Options "sameorigin"
# Where scripts, styles, images etc. may be loaded from (replace yourdomain.com with your own domain)
Header always set Content-Security-Policy "default-src 'self' https://yourdomain.com https://*.yourdomain.com https: data:"
# Restrict browser features (vibration, microphone, synchronous XHR) to this site
Header always set Feature-Policy "vibrate 'self'; microphone 'none'; sync-xhr 'self' https://yourdomain.com"
</IfModule>

If it does break things, try to replace this line "default-src 'self' https://yourdomain.com https://*.yourdomain.com https: data:" with the following: "default-src 'self' 'unsafe-inline' https://yourdomain.com https://*.yourdomain.com https: data:". This will reduce you to an A, but you will still have a working website.

If something else is broken, you should eliminate one line at a time until you find the issue. There are a lot of possible combinations that can be made to achieve similar results, so a lot of research might be necessary.

REMEMBER THIS IS DANGEROUS!

EDIT: This applies to Apache Servers only!
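As an added example (not code from this thread, from RapidWeaver, or from the poster), the Python below audits a response header map the way the crawl reports in this thread do: it lists which of the headers set in the .htaccess block above are absent and flags the two weak spots that block contains, the `'unsafe-inline'` fallback and the bare `https:` source that admits every HTTPS origin. The header names come from the thread; the three sample responses are constructed inline, and the one-year threshold is the max-age value used in the HSTS line above. One fact worth knowing when reading the output: current browsers ignore X-XSS-Protection, so a crawler flagging it as missing is running a legacy check, and the Content-Security-Policy line is the control that actually limits injected script.

```python
"""Audit an HTTP response's security headers the way a site-crawl report does.

Added example for this thread; not RapidWeaver code and not the poster's code.
Header names come from the .htaccess block in the thread; the sample responses
below are constructed. X-XSS-Protection is listed only because crawl reports
still ask for it; current browsers ignore it in favour of Content-Security-Policy.
"""
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # the max-age used in the thread's Strict-Transport-Security line

# Headers the thread's .htaccess block sets, plus the one the crawl asked about.
EXPECTED = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "Referrer-Policy",
    "Feature-Policy",
    "X-XSS-Protection",
]


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source tokens]}; directive names are case-insensitive."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of an HSTS value, or None if it is absent or malformed."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def audit_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {'missing': [...], 'weak': [...]} for one response's headers.

    Lookup is case-insensitive, as HTTP field names are.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in EXPECTED if h.lower() not in lower]
    weak: List[str] = []

    csp = lower.get("content-security-policy")
    if csp is not None:
        default = parse_csp(csp).get("default-src", [])
        if "'unsafe-inline'" in default:
            # The thread's fallback: inline script is allowed, so CSP no longer blocks injected script.
            weak.append("Content-Security-Policy: default-src allows 'unsafe-inline'")
        if "https:" in default:
            # A bare scheme source admits every HTTPS origin, which makes the domain list redundant.
            weak.append("Content-Security-Policy: default-src allows any https: origin")

    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        age = hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:
            weak.append("Strict-Transport-Security: max-age below one year")

    return {"missing": missing, "weak": weak}


# Constructed sample: what the thread's strict .htaccess block would emit.
STRICT_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Referrer-Policy": "same-origin",
    "X-Frame-Options": "sameorigin",
    "Content-Security-Policy": "default-src 'self' https://yourdomain.com https://*.yourdomain.com https: data:",
    "Feature-Policy": "vibrate 'self'; microphone 'none'; sync-xhr 'self' https://yourdomain.com",
}

# Constructed sample: the thread's relaxed variant with 'unsafe-inline' added.
RELAXED_RESPONSE = {
    **STRICT_RESPONSE,
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' https://yourdomain.com https://*.yourdomain.com https: data:",
}

# Constructed sample: a stock site that sends no security headers at all.
BARE_RESPONSE = {"Content-Type": "text/html; charset=utf-8", "Server": "Apache"}


if __name__ == "__main__":
    for name, resp in [("strict", STRICT_RESPONSE), ("relaxed", RELAXED_RESPONSE), ("bare", BARE_RESPONSE)]:
        print(name, audit_headers(resp))
```

In practice you would feed `audit_headers` the response headers of your own site (for instance from `curl -sI https://yourdomain.com`, parsed into a dict) after each .htaccess change, which turns the "make a change, test" loop from post #4 into a repeatable check. Note that even the strict block leaves X-XSS-Protection missing, so a crawler that insists on that header will keep reporting it regardless of the CSP.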


(Bernard Horsford) #3

Ok, so if this is dangerous there must be a safe workaround, as it would not be reported as a problem in the site health check reports. Is this particular to RapidWeaver?


(...) #4

I don’t know of a safe workaround.

Anytime you start messing with security you take the chance of not only locking others out but yourself too. Only make these changes with an FTP client and stay logged in as you test your website. Make a change… test. Make a change… test. Make a change… test, until you get the results you want.

Perhaps others have a better idea.


(...) #5

I just edited this .htaccess file addition. This version is slightly more secure. Please note the addition of the…

https://yourdomain.com
https://*.yourdomain.com

Change any and all occurrences of those to your real domain name with the structure you have assigned for your website, such as www. or no www., etc.


(system) #6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.