Custom apache conf not applied

Discussion in 'Installation/Configuration' started by Fazzax, Nov 22, 2018.

  1. Fazzax

    Fazzax New Member

    Hi everyone,

    I've installed ISPConfig 3.1, and added some websites.
    I did some nikto tests on them, and it showed me some potential vulnerabilities. Below is an extract of the results (a mix of scans of different ports):

    + GET The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
    + GET Uncommon header 'x-dns-prefetch-control' found, with contents: off
    + GET The anti-clickjacking X-Frame-Options header is not present.
    + GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

    I've created the .conf with the proper headers and enabled them. But it's not changing anything. Should I add the directives inside each website or is there a way to have it done automatically for all?

    Thanks for the help
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I have used both ways, and they both work fine; it's a preference, but I'd probably use a global file for any headers I want the same across all sites, and custom apache directives for headers which vary per-site.

    What is the full path of your .conf file? If in conf-available directory, do you have a symlink for it in conf-enabled? Does it show up in 'apachectl -t -D DUMP_INCLUDES' output? If so, make sure you have restarted apache; if you have and it's still not working, what is the actual file contents?
     
  3. Fazzax

    Fazzax New Member

    Hi,

    thanks for the help!

    All the confs are in /etc/apache2/conf-available, and they're also symlinked in conf-enabled. Checked it with apachectl -t -D DUMP_INCLUDES, no problem there!
    Here are the files' contents:

    anticlickjacking.conf
    <IfModule mod_headers.c>
    Header always append X-Frame-Options SAMEORIGIN
    </IfModule>

    expect-CT.conf
    <IfModule mod_headers.c>
    Header set Expect-CT enforce,max-age=36000,report-uri="https://meta.domain.com/report-uri/expect-ct.php"
    </IfModule>

    HTTP-Strict-Transport-Security.conf
    <IfModule mod_headers.c>
    Header set Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"
    </IfModule>

    X-Content-Type-Options.conf
    <IfModule mod_headers.c>
    Header set X-Content-Type-Options: nosniff
    </IfModule>

    X-XSS-Protection.conf
    <IfModule mod_headers.c>
    Header set X-XSS-Protection: "1; mode=block"
    </IfModule>

    Any ideas?
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Those look good. I took this last one, created the same .conf filename, cut & pasted the file contents, ran "a2enconf X-XSS-Protection.conf; systemctl reload apache2" and verified that header showed up in an HTTP request.

    Is the headers module enabled? Maybe a file permissions problem? Check error.log when you restart apache and see if it says anything.
     
  5. Fazzax

    Fazzax New Member

    Hi,

    just checked, sorry for wasting your time! It's actually working on the websites, but not on IP. Nikto was giving some false positives!

    Thanks again!
     
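The thread ends with the headers from the conf-enabled files showing up on the websites but not when the server is hit by bare IP. The following shell example is added here and is not part of the original thread: it reports which of those headers a captured HTTP response lacks, so the same check can be run against a hostname and against the IP. The hostnames, the IP and both sample responses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: report which of the thread's security
# headers a captured HTTP response lacks. Sample responses are constructed;
# hostnames and the IP below are placeholders. Against a live server:
#   curl -sI https://www.example.com/ | check_headers
#   curl -skI https://203.0.113.10/   | check_headers   # bare-IP default vhost

WANTED="X-Frame-Options X-Content-Type-Options X-XSS-Protection \
Strict-Transport-Security Expect-CT"

# check_headers: raw response headers on stdin; prints each missing header
# name on its own line and returns 0 only when none are missing.
# CRs are dropped and names lower-cased so matching is case-insensitive.
check_headers() {
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    missing=0
    for h in $WANTED; do
        lh=$(printf '%s' "$h" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$hdrs" | grep -q "^$lh:"; then
            printf '%s\n' "$h"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# count_missing RESPONSE: number of wanted headers absent from a response.
count_missing() {
    printf '%s\n' "$1" | check_headers | wc -l | tr -d ' '
}

# Constructed sample: a name-based vhost where the conf-enabled files apply.
VHOST_RESPONSE='HTTP/1.1 200 OK
Date: Thu, 22 Nov 2018 10:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Expect-CT: enforce,max-age=36000,report-uri="https://meta.example.com/report-uri/expect-ct.php"
Content-Type: text/html; charset=UTF-8'

# Constructed sample: the same server answered by bare IP (default vhost).
IP_RESPONSE='HTTP/1.1 200 OK
Date: Thu, 22 Nov 2018 10:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8'

printf 'Missing on vhost: %s, on bare IP: %s\n' \
    "$(count_missing "$VHOST_RESPONSE")" "$(count_missing "$IP_RESPONSE")"
```

Running the check against both the hostname and the IP of the same server is what separates a real missing header from a scanner hitting the default vhost.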