
#1 2021-01-11 12:47:24

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,476

Add a little bit of security

By default, there are no security headers in FluxBB except X-Frame-Options.
This is how it looks here (screenshots: sec1.png, sec2.png).

My example .htaccess file for the Apache server:

AddDefaultCharset UTF-8

<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>

<IfModule mod_headers.c>
  # Set security headers only if the application did not already send them.
  # (This Content-Security-Policy achieves little: there are many inline scripts
  # and styles on the forum, and frames from media sites are allowed, so no
  # script-src/style-src restriction is set here.)
  #
  ### The "expr=-z %{resp:...}" condition only works in Apache 2.4.10+ ###
  #
  Header always set Content-Security-Policy "object-src 'none';frame-ancestors 'none';base-uri 'none';form-action 'self'" "expr=-z %{resp:Content-Security-Policy}"
  Header always set Feature-Policy "accelerometer 'none';ambient-light-sensor 'none';autoplay 'none';battery 'none';camera 'none';document-domain 'self';fullscreen 'self';geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none';sync-xhr 'self';usb 'none'" "expr=-z %{resp:Feature-Policy}"
  Header always set Referrer-Policy "origin-when-cross-origin" "expr=-z %{resp:Referrer-Policy}"
#  Header set Strict-Transport-Security "max-age=31536000" "expr=-z %{resp:Strict-Transport-Security}"   # for https only
  Header always set X-Content-Type-Options "nosniff" "expr=-z %{resp:X-Content-Type-Options}"
  Header always set X-Frame-Options "DENY" "expr=-z %{resp:X-Frame-Options}"
  Header always set X-XSS-Protection "1; mode=block" "expr=-z %{resp:X-XSS-Protection}"
  Header always set Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),document-domain=(self),fullscreen=(self),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),sync-xhr=(self),usb=()" "expr=-z %{resp:Permissions-Policy}"

  # Remove headers containing PHP information
  Header unset X-Powered-By
  Header always unset X-Powered-By
</IfModule>

# Hiding information about the system
ServerSignature Off
#ServerTokens ProductOnly # Use only in server config, do not use in .htaccess

Example nginx configuration:

#
# Example nginx configuration for fluxbb
# The engine is installed at the root of the site
#
server {
    listen 80;                                             # port 80, plain http only
    server_name fluxbb-visman.local *.fluxbb-visman.local; # you need to set your values
    root "/www/fluxbb-visman/";                            # you need to set your values
    autoindex off;
    index index.html index.htm index.php;
    charset utf-8;
    server_tokens off;

    add_header Content-Security-Policy "object-src 'none';frame-ancestors 'none';base-uri 'none';form-action 'self'" always;
    add_header Feature-Policy "accelerometer 'none';ambient-light-sensor 'none';autoplay 'none';battery 'none';camera 'none';document-domain 'self';fullscreen 'self';geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none';sync-xhr 'self';usb 'none'" always;
    add_header Referrer-Policy "origin-when-cross-origin" always;
#   add_header Strict-Transport-Security "max-age=31536000" always;  # for https only
    add_header X-Content-Type-Options "nosniff" always;
#   add_header X-Frame-Options "DENY" always;                        # fluxbb set this header, in nginx it is difficult to combine headers from two sources
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),document-domain=(self),fullscreen=(self),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),sync-xhr=(self),usb=()" always;

    location = /favicon.ico {
        try_files $uri =404;

        access_log off;
        log_not_found off;

        expires 1w;
    }

    location = /robots.txt {
        try_files $uri =404;

        access_log off;
        log_not_found off;
    }

    location / {
        try_files $uri =404;
    }

    location ~ /\.ht {
        return 404;
    }

    #                                                  #
    # Only php scripts located in the root of the site #
    #                                                  #
    location ~ ^/(?:[^/\\\.]+\.php)?$ {
        # regex to split $uri to $fastcgi_script_name and $fastcgi_path
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

        # Check that the PHP script exists before passing it
        try_files $fastcgi_script_name =404;

        # Bypass the fact that try_files resets $fastcgi_path_info
        # see: http://trac.nginx.org/nginx/ticket/321
        set $path_info $fastcgi_path_info;                 # always equal to an empty string due to location regex
        fastcgi_param PATH_INFO $path_info;

        fastcgi_index index.php;

        include fastcgi_params;

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTP_PROXY      "";

        fastcgi_hide_header X-Powered-By;

        fastcgi_pass php_upstream;                         # you need to set your values
        #fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    location ~ \.php$  {
        return 404;
    }
}

It is problematic to establish a proper Content-Security-Policy :(

Last edited by Visman (2021-02-06 08:15:02)

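An added example, not from Visman's post or from FluxBB: a small Python audit that mimics the "set the header only if the application did not already send it" behaviour of the `expr=-z %{resp:...}` lines above, and then checks a final header set for the headers the post configures, the X-Powered-By leak the post unsets, and the "for https only" rule attached to Strict-Transport-Security. The default values, the sample application headers and the `curl -sI`-style response text are constructed for the example (the Permissions-Policy value is shortened); `merge_defaults`, `audit_headers` and `parse_raw_headers` are names chosen here.

```python
"""
Security-header audit for a FluxBB-style deployment (added example, not project code).

merge_defaults()   - adds a default header only when the application did not send it,
                     like Apache's  Header always set X "..." "expr=-z %{resp:X}"
audit_headers()    - reports missing security headers, an X-Powered-By leak, and a
                     Strict-Transport-Security header that is missing over HTTPS or
                     sent needlessly over plain HTTP
parse_raw_headers()- turns a raw response header block (e.g. `curl -sI` output)
                     into a dict so real responses can be fed to audit_headers()
"""

# Constructed defaults matching the .htaccess above (Permissions-Policy shortened).
DEFAULT_HEADERS = {
    "Content-Security-Policy": "object-src 'none';frame-ancestors 'none';base-uri 'none';form-action 'self'",
    "Referrer-Policy": "origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Permissions-Policy": "camera=(),geolocation=(),microphone=()",
}

# Constructed sample: what a PHP forum page might send before the web server adds anything.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/7.4.3
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8
"""


def merge_defaults(app_headers, defaults=DEFAULT_HEADERS):
    """Return app_headers plus every default whose name (case-insensitively) is absent.
    A header the application already set keeps the application's value."""
    merged = dict(app_headers)
    present = {name.lower() for name in merged}
    for name, value in defaults.items():
        if name.lower() not in present:
            merged[name] = value
    return merged


def audit_headers(headers, scheme="https"):
    """Return a list of human-readable findings for a final response header set.
    scheme is the scheme the page was served over ("http" or "https")."""
    lower = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name in DEFAULT_HEADERS:
        if name.lower() not in lower:
            findings.append(f"missing: {name}")
    if "x-powered-by" in lower:
        findings.append("leak: X-Powered-By should be removed")
    hsts = lower.get("strict-transport-security")
    if scheme == "https":
        if hsts is None:
            findings.append("missing: Strict-Transport-Security (site served over HTTPS)")
    elif hsts is not None:
        # HSTS is ignored over plain HTTP; sending it there only triggers scanner warnings.
        findings.append("unnecessary: Strict-Transport-Security sent over plain HTTP")
    return findings


def parse_raw_headers(raw):
    """Parse an HTTP response header block into a dict. The status line is skipped;
    when a header name repeats, the last value wins."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


if __name__ == "__main__":
    app = parse_raw_headers(SAMPLE_RESPONSE)
    print("before:", audit_headers(app, scheme="https"))
    final = merge_defaults(app)
    print("after: ", audit_headers(final, scheme="https"))
```

Running the block shows the application's own X-Frame-Options value surviving the merge while the other defaults are filled in; the remaining findings (the X-Powered-By leak and the missing HSTS over HTTPS) are exactly the two items the post handles with `Header unset` and the commented-out Strict-Transport-Security line.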

#2 2021-01-12 01:17:24

Elementair
Member
Registered: 2020-02-28
Posts: 42

Re: Add a little bit of security

That's a great job. Thanks Visman.

You can replace Feature-Policy by the new Permissions-policy

 Header always set Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),document-domain=(self),fullscreen=(self),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),sync-xhr=(self),usb=()" "expr=-z %{resp:Permissions-Policy}"

What do you mean by "probably a ban on changes through .htaccess", ban from what?


#3 2021-01-12 08:48:14

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,476

Re: Add a little bit of security

hm
Feature Policy 91% https://caniuse.com/?search=Feature-Policy
and

...Feature Policy is deprecated and has been replaced with Permissions Policy and Document Policy.

but
Permissions Policy  0% https://caniuse.com/permissions-policy
Document Policy 64.66% https://caniuse.com/document-policy

What do you mean by "probably a ban on changes through .htaccess", ban from what?

For example, the server refuses to execute the directive ServerTokens ProductOnly.
Result:

500 Internal Server Error
[Tue Jan 12 15:42:20.412926 2021] [core:alert] [pid 5624:tid 820] [client 127.0.0.1:50136] .../www/forkbb/.htaccess: ServerTokens not allowed here

P.S. Google Translate does not understand Russian well, from Russian to English and vice versa :)

Last edited by Visman (2021-01-12 08:58:01)


#4 2021-01-12 12:43:52

DarkZero
Member
From: France
Registered: 2015-03-11
Posts: 20

Re: Add a little bit of security

If you update FluxBB to remove all inline code, I take my hat off to you. I already tried; it's complicated and the CSP is not as good as expected, yet it's a really strong protection.


#5 2021-01-12 17:15:42

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,476

Re: Add a little bit of security

If you make a lot of effort, inline JS can be removed.
There will be problems with styles from BB codes. There are 16,777,216 colors; writing each color as a style in the CSS file is horror :)
Note: currently there is no visual JS editor for a set of posts without inline JS/style.
Example: Delete inline style for poll https://github.com/forkbb/forkbb/commit … 65e57752aa


#6 2021-01-13 16:14:29

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,476

Re: Add a little bit of security

The first post has been updated. Added an example configuration for nginx.
PHP files in site subfolders cannot be launched :P


#7 2021-01-14 00:25:33

Elementair
Member
Registered: 2020-02-28
Posts: 42

Re: Add a little bit of security

You're (once again) right about Permissions Policy; it should be used, but there's no support from browsers.

Ok, you mean it breaks the server :-)

From what I've read, ServerTokens should only be used in httpd.conf, not in .htaccess,
see http://httpd.apache.org/docs/current/en … rvertokens

ServerSignature is OK in Apache .htaccess


#8 2021-01-14 03:02:51

Visman
Member
From: Siberia
Registered: 2010-07-10
Posts: 1,476

Re: Add a little bit of security

@Elementair thanks for the info. I will correct the first post.


#9 2021-01-20 01:12:47

Elementair
Member
Registered: 2020-02-28
Posts: 42

Re: Add a little bit of security

For Apache Strict-Transport-Security, I had a warning for "unnecessary HSTS header over HTTP".

You need to add env=HTTPS, like this:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
