Webmaster Scr, Posted January 19
I'm trying to set CSP header rules to secure my website. It appears the iframe embed settings in "Advanced Configuration" interfere with the rules I add in my .htaccess file. So I tried to select the second option: "Using a custom Content Security Policy (Advanced)". But I checked in core_sys_conf_settings and neither the clickjackprevention value nor the csp_header is updated when I save my settings. So it seems to me the database values are not read or written by this settings page or by the system. Moreover, even if I modify the values directly in the database they are ignored. I tried the 3rd option: "Anywhere (Not Recommended)" and it doesn't work either. And the "Do not send header" option for "Restrict Referrer Policy" is also ignored.
Jim M, Posted January 19
Looking at your community, I am seeing custom CSP rules, not the ones set up in the ACP. You cannot run both 🙂. You would need to choose to set it one way or the other. The referrer policy is indeed being set though.
Webmaster Scr (Author), Posted January 19
This is what I see right now (Safari 17.1). And, of course, when I tried to set them in IC, I commented out the lines in my .htaccess first. The full rules I want to set are (using .htaccess syntax):

Header set X-Frame-Options "SAMEORIGIN"
Header set Content-Security-Policy "frame-ancestors 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.stripe.com *.cloudflare.com; base-uri 'self';"
Jim M, Posted January 19
If your .htaccess rules are working, why are you setting this as well in the ACP?
Webmaster Scr (Author), Posted January 19
Because according to Google Insights and https://observatory.mozilla.org/analyze/ I have a syntax error in my rules when both are activated. And I can't deactivate the IC rules. Does it work for you? I mean, if you change something, save, go to another page and come back, do you see the new settings or always the ones I pasted above?
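The "syntax error" the scanners report above is what happens when a response carries two Content-Security-Policy headers (one from .htaccess, one from the application): browsers enforce every policy they receive, so the effective policy is the intersection, and directives set in both can silently contradict each other. The following script is an added example, not code from this thread or from Invision Community; it parses each header value and reports directives whose sources differ between the two policies. The .htaccess policy is the one posted above; the application policy is a constructed placeholder, not IC's real output.

```python
"""Detect conflicting directives across multiple CSP header values."""
from collections import defaultdict


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split one CSP header value into {directive: [sources...]}.
    Directives are ';'-separated; the first token is the directive name."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # A directive repeated inside one policy is ignored by browsers
        # after its first occurrence, so keep only the first.
        directives.setdefault(name, sources)
    return directives


def find_conflicts(header_values: list[str]) -> dict[str, list[list[str]]]:
    """Given every CSP header value seen in one response, return the
    directives whose source lists differ between headers. The browser
    enforces all of them, so each such directive is effectively the
    intersection of the listed sources."""
    seen: dict[str, list[list[str]]] = defaultdict(list)
    for value in header_values:
        for name, sources in parse_csp(value).items():
            seen[name].append(sources)
    return {name: lists for name, lists in seen.items()
            if len(lists) > 1 and any(lst != lists[0] for lst in lists)}


# Constructed sample: the .htaccess policy from the thread alongside a
# hypothetical application-generated policy that allows framing anywhere.
HTACCESS_CSP = ("frame-ancestors 'self'; object-src 'self'; script-src 'self' "
                "'unsafe-inline' 'unsafe-eval' *.stripe.com *.cloudflare.com; "
                "base-uri 'self';")
APP_CSP = "frame-ancestors *; script-src 'self'"  # constructed placeholder


def main() -> None:
    for name, lists in find_conflicts([HTACCESS_CSP, APP_CSP]).items():
        print(f"conflict on {name}: {lists}")


if __name__ == "__main__":
    main()
```

To run it against a live site, feed it every `Content-Security-Policy` value returned for one response (for example from `curl -sI`), which is how a duplicate from the ACP and .htaccess becomes visible.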
Jim M, Posted January 19
I only see your custom settings. I do not see our settings.
Webmaster Scr (Author), Posted January 19
Try to change something, please, and tell me if it updates or not. For example, try to save with "Anywhere (Not Recommended)" and "Do not send header", go to another page and come back.
Jim M, Posted January 19
You would need to check and ensure CRON is working, as when saving I receive this: "In order to enable this setting you must make the .../applications/core/interface/task/task.php file executable (i.e. chmod 0777)." Thus, new changes won't be saved till that is addressed. Once I switched background tasks to run via Traffic, changes worked without issue.
teraßyte, Posted January 20 (edited)
3 hours ago, Jim M said: "You would need to check and ensure CRON is working as when saving I receive this: In order to enable this setting you must make the .../applications/core/interface/task/task.php file executable (i.e. chmod 0777)."
I've seen this problem several times. Making that error message more visible would certainly help. 👀 Maybe a big red error message at the top of the form like other pages do.
Edited January 20 by teraßyte
Webmaster Scr (Author), Posted January 20
13 hours ago, Jim M said: "In order to enable this setting you must make the .../applications/core/interface/task/task.php file executable (i.e. chmod 0777)."
Yup, this was the problem. Thx. 👍🏼
Marc, Posted January 22
On 1/20/2024 at 12:00 AM, teraßyte said: "I've seen this problem several times. Making that error message more visible would certainly help. 👀 Maybe a big red error message at the top of the form like other pages do."
Added this as a bug.