Strict-Transport-Security

  • Resolved MrCarlLister

    (@mrcarllister)


    2 years, 8 months ago

    Hi

    I’m working through a pen test report and some file paths have been flagged as not returning a Strict-Transport-Security.

    An example;
    /wp-admin/load-styles.php

    Which is called on /wp-admin/plugins.php and the Response Headers do not return the Strict-Transport-Security rules as defined.

    However, I can see this in the response headers of the page itself (i.e. /wp-admin/plugins.php) which returns max-age=31536000; includeSubdomains; preload correctly.

    Is there something I can do to solve this? Or am I missing something?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Kevin Pirnie

    (@kevp75)

    2 years, 8 months ago

    What “pen test report”? What version of WordPress? What version of PHP? What version of the plugin?

    Did you enable “Apply to Admin”?

    • This reply was modified 2 years, 8 months ago by Kevin Pirnie.
    Thread Starter MrCarlLister

    (@mrcarllister)

    2 years, 8 months ago

    Sorry Kevin. Thanks for responding.

    • WP – 6.2.2
    • Plugin – 4.0.01
    • PHP – 8.0

    I’ve enabled Apply to Admin

    I can’t share the pen test report in full but here’s a snippet —-

    Issue

    There was no “Strict-Transport-Security” header in the server response.

    Request

    GET /wp-admin/load-styles.php?c=0&dir=ltr&load%5Bchunk_0%5D=dashicons,admin-bar,wp-pointer,common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,widgets&load%5Bchunk_1%5D=,site-icon,l10n,buttons,wp-auth-check,media-views&ver=6.2.2 HTTP/2
Host: mydomain.com
Cookie:XXXXXXXX
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://mydomain.com/wp-admin/plugins.php
Sec-Fetch-Dest: style
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Te: trailers

    Response

    HTTP/2 200 OK
Date: Tue, 19 Sep 2023 16:08:39 GMT
Content-Type: text/css; charset=UTF-8
Cf-Ray: 809316b18ee00716-LHR
Cf-Cache-Status: DYNAMIC
Cache-Control: public, max-age=31536000
Expires: Wed, 18 Sep 2024 16:08:39 GMT
Vary: Accept-Encoding
Ki-Cache-Type: None
Ki-Cf-Cache-Status: BYPASS
Ki-Edge: v=20.2.1;mv=2.2.2
X-Content-Type-Options: nosniff
X-Edge-Location-Klb: 1
X-Kinsta-Cache: BYPASS
X-Robots-Tag: noindex, nofollow, nosnippet, noarchive
X-Xss-Protection: 1; mode=block
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Oao6ctGd4dsoWWdWg0UvxSsa1WomrKBIHZghOmyXqjOY60SY7Br23w2RMlhfDWac0efUjJHJO6JmnjVmPhUo9aGYFZPDieRwKDXk1Fg1G92RU1MI9djs6Pa94dt2dBHwI3erKkUBa4nF6S29xk1qOZPpP4t%2B%2F4TE2HI%3D"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
Alt-Svc: h3=":443"; ma=86400

/*! This file is auto-generated */
@font-face{font-family:dashicons;src:url("../wp-includes/fonts/dashicons.eot?99ac726223c749443b642ce33df8b800");src:url("../wp-includes/fonts/dashicons.eot?99ac72622
...[SNIP]...
    Plugin Author Kevin Pirnie

    (@kevp75)

    2 years, 8 months ago

    Are you able to disable Kinsta’s caching? And CloudFlares caching? (they may actually be one in the same though…)

    It looks like there’s headers being set and reset by one of them (likely cloudflare)… I removed this one a number of versions ago because it is no longer a valid header…

    X-Xss-Protection: 1; mode=block
    Thread Starter MrCarlLister

    (@mrcarllister)

    2 years, 8 months ago

    We’re unable to disable CloudFlares caching. That said support informed me that they don’t have CloudFlare caching enabled on their staging environments.

    Manually setting headers with Nginx, doesn’t fix the above issue but does pull through and display on /wp-json/ – where the plugin settings do not. Not sure if this is related. See image where I’ve added the Strict-Transport-Security setting manually (this causes duplication where plugin settings are working)

    Plugin Author Kevin Pirnie

    (@kevp75)

    2 years, 8 months ago

    @mrcarllister

    Unfortunately, there is nothing that can get done about this. CloudFlare/Kinsta is re-setting the headers. Regardless of whether CloudFlare/Kinsta caching is enabled or not. (I asked about clearing it because the caching headers were shown in your previous post)

    The only thing that will help pull the plugins headers through is by turning off Kinsta/Cloudflare for the site.

    You can see my headers getting set in the screenshot below. This is only possible when I disable the proxy on CloudFlare… once it’s enabled, CloudFlare sets its own set of security headers, overriding the plugins.

    Thread Starter MrCarlLister

    (@mrcarllister)

    2 years, 8 months ago

    Thanks for responding @kevp75

    If we set up our own CloudFlare account and used that, would we be able to allow your rules to bypass (not manually set them in CloudFlare, but just let yours pull through)?

    We did manage to find a server-side solution with Kinsta, which included defining server-side security headers for file types

    Example;

    location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|mov|ttf|css|js|jpg|jpeg|gif|png|ico|webp|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
}

    Not sure if this is something you can use to create a work around?

    Plugin Author Kevin Pirnie

    (@kevp75)

    2 years, 8 months ago

    Hey @mrcarllister

    Yes, if you setup your own CloudFlare account you could turn off it’s proxy and let the plugin do it’s thing.

    I do appreciate the post with that… I had an instance with my day job where one of our company’s clients had a requirement like that. Unfortunately, that is outside the wordpress processing, so the plugin can’t tackle those either.

    Basically, so long as it’s 100% served by WordPress, the plugin will handle it… otherwise, you’d have to implement a server-side config like what you posted.

    In all honesty… I’d probably go with something like this instead tho… 😉

    # static asset security headers
location ~* \.(?:css|scss|sass|cur|js|jpg|jpeg|webp|gif|htc|ico|png|xml|otf|ttf|eot|woff|woff2|svg|svgx|pdf|xls|xlsx|doc|json|htm|html|mp3|mp4|mkv|ogg)$ {
	
	# account for subdir child site rewrites...
	rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 break;
	rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 break;
	
	# security headers
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
	add_header Access-Control-Allow-Methods "GET, HEAD";
	add_header Access-Control-Allow-Origin "*";
	add_header Expect-Ct "max-age=604800, enforce";
	add_header Content-Security-Policy "upgrade-insecure-requests;";
	add_header X-Content-Security-Policy "upgrade-insecure-requests;";
	
	# logging off

	access_log off;

	# uncomment this to cache the resource ;)
	# expires max;
	
}
Viewing 7 replies - 1 through 7 (of 7 total)

The topic ‘Strict-Transport-Security’ is closed to new replies.