Security issues
Author: Nektarios K.Hi there,
I did a test on my website via webpagetest.org and show me some security issues.
The following security headers are missing from the website:
Strict Transport Security
An HSTS Policy informing the HTTP client how long to cache the HTTPS-only policy and whether this applies to subdomains.
X Content-Type Options
The only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions
X Frame Options
Clickjacking protection: deny - no rendering within a frame, same-origin - no rendering if origin mismatch, allow-from - allow from a specified location, allow all - non-standard, allow from any location
Content Security Policy
A computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context
X XSS Protection
A Cross-site scripting filter
How we can resolve these issues?
Regards,
Nek.
Hello Nektarios,
These are all headers which can be set on the server, and which once set will be sent along with each page request to the client.
Your webhost will be able to advise the best way to implement them in your particular situation. For example, if on Linux hosting then they are sometimes added to an .htaccess file or Apache configuration.
An HSTS policy requires that you have a valid SSL certificate for your website(s), and that you will only ever serve pages securely.
These are server/hosting issues, as opposed to WebSite X5 issues.
Kind regards,
Paul
Search the WebSite X5 Help Center
Or use cloudflare - its free and you also get CDN plus secure connection.