• Hello,
    I scanned my website with the Acunetix tool and the vulnerabilities below were found:

    1- Cookie(s) without HttpOnly flag set
    2- Disable OPTIONS Method
    3- CORS (Cross-Origin Resource Sharing) origin validation failure


    To solve these problems, I added the lines below to my Virtual Host configuration file and restarted the Apache service:

    Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure;samesite=lax" 
    
    <Location />
        <LimitExcept GET POST>
            order deny,allow
            deny from all
        </LimitExcept>
    </Location>
    
    Header set Access-Control-Allow-Credentials "true"

    But the problems persisted.
    I also added the lines below to the .htaccess file:

    Header always edit Set-Cookie (.*) "$1; HttpOnly"
    Header always edit Set-Cookie (.*) "$1; Secure"

    How can I solve them?

    Thank you.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Topher

    (@topher1kenobe)

    Check to make sure that the problem is in Apache. It’s VERY common to run nginx in front of Apache as a proxy server because it’s so fast. nginx may be breaking the cookie setting.

    Try this, go here: https://reqbin.com/curl

    And put in the left column something like

    curl -I https://google.com

    exchanging google for your site. Then run it, and on the right choose the Headers tab. It’ll tell you all kinds of things about the transaction, including the web server that actually sent the data, as well as lots of cookie info. You might learn good things there.

    Thread Starter hack3rcon

    (@hack3rcon)

    Thank you.
    I did:

    Date: Tue, 31 Aug 2021 12:12:28 GMT
    Server: Apache
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Feature-Policy: microphone 'none'; payment 'none'; sync-xhr 'self' https://ITJUSTANEXAMPLE.COM
    X-XSS-Protection: 1; mode=block
    Permissions-Policy: geolocation=();midi=();notifications=();push=();sync-xhr=();microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();
    Vary: Accept-Encoding
    Last-Modified: Thu, 18 Feb 2021 14:15:14 GMT
    ETag: "87ac-5bb9cf6df5853"
    Accept-Ranges: bytes
    Content-Length: 34732
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Referrer-Policy: no-referrer-when-downgrade
    Content-Type: text/html; charset=UTF-8
    Content-Encoding: gzip

    In your opinion, must I set up a reverse proxy server to solve those vulnerabilities?
    I think my WordPress has some problems!!!
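Topher's curl-header check above can be turned into a repeatable test for the three Acunetix findings. The checker below is an added example (not code from this thread, WordPress or Apache): it parses a raw header block as `curl -I` prints it and reports which findings still reproduce; the sample headers are constructed (the headers pasted above contain no Set-Cookie line at all), and `https://other.example` stands in for the arbitrary Origin you would send when probing your own site's CORS behaviour.

```python
def parse_headers(raw):
    """Turn a raw header block (e.g. `curl -I` output) into lower-cased (name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_cookies(pairs):
    """Finding 1: each Set-Cookie should carry HttpOnly, Secure and SameSite."""
    issues = []
    for name, value in pairs:
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            issues += [f"{cookie}: missing {f}" for f in ("httponly", "secure", "samesite")
                       if f not in attrs]
    return issues

def check_options(pairs):
    """Finding 2: an Allow header that lists OPTIONS means the method is still enabled."""
    for name, value in pairs:
        if name == "allow" and "OPTIONS" in {m.strip().upper() for m in value.split(",")}:
            return ["OPTIONS method is allowed"]
    return []

def check_cors(pairs, origin):
    """Finding 3: the arbitrary Origin we sent is echoed back (or '*'), worse with credentials."""
    h = dict(pairs)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao not in (origin, "*"):
        return []
    return [f"Access-Control-Allow-Origin is {acao}" + (" with credentials" if creds else "")]

def audit(raw, origin):
    """Run all three checks; an empty list means none of the findings reproduce."""
    p = parse_headers(raw)
    return check_cookies(p) + check_options(p) + check_cors(p, origin)

# Constructed sample: the headers pasted in the thread carry no Set-Cookie line at
# all, so cookie, Allow and CORS headers are added here purely for illustration.
SAMPLE = """HTTP/1.1 200 OK
Set-Cookie: wp_demo=1; path=/
Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; Secure; SameSite=Lax
Allow: GET,POST,OPTIONS,HEAD
Access-Control-Allow-Origin: https://other.example
Access-Control-Allow-Credentials: true
"""
```

Allow is normally only sent in a response to an OPTIONS request (or with a 405), so for finding 2 feed the checker the headers from `curl -I -X OPTIONS https://yoursite`, and for finding 3 add `-H "Origin: https://other.example"` to the request.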

    Thread Starter hack3rcon

    (@hack3rcon)

    Hello,
    Any idea?


The topic ‘How to solve these security problems?’ is closed to new replies.