• Resolved misselenat

    (@misselenat)


    Hello,
    I am writing to ask about a few problems I’m experiencing regarding 3 recommendations.
    First of all, I’m sorry I haven’t linked the website, the reason is that it’s still under construction, so there is only a splash page at the moment. Of course I have the latest version of both WordPress and your plugin installed.
    The plugin says everything is okay, but it has 3 recommendations for me. Kindly note I am using a shared linux hosting, so the only way to implement the changes for me is updating the .htaccess file (I don’t have access to the Apache settings).
    These are the 3 recommendations I have:
    1) Security Header: X-XSS-Protection Missing
    We did not find the recommended security header for XSS Protection on your site.
    2) Security Header: X-Content-Type-Options nosniff
    We did not find the recommended security header to prevent Content Type sniffing on your site.
    3) Security Header: Strict-Transport-Security
    We did not find the recommended security header Strict-Transport-Security on your site.

    I have read the instructions and updated the .htaccess file as per what it says in your pages. Unfortunately, speaking about recommendations 1 and 2, even though the changes are applied (I can see them in the Settings – Website Info tab, in the .htaccess file content), the recommendations are still there, as if no results were achieved with those lines of code.
With recommendation #3 it gets even worse, because if I add the suggested line of code, the site is no longer available and I get a white page that suggests I contact the site admin.
    I have currently undone these changes, anyway I would like to know why these lines of code don’t work, as I have put them at the bottom of my .htaccess file, as suggested by the plugin.

    The lines of code I’m referring to are, of course:
    Header set X-XSS-Protection "1; mode=block" with reference to recommendation #1,
    X-Content-Type-Options: nosniff with reference to recommendation #2 (these two lines of code don’t have any effect) and
    Strict-Transport-Security: max-age=31536000; includeSubDomains with reference to recommendation #3 (this line of code breaks the whole site and gives me a white page as a result, the one that says to contact the site admin).

Is there anything I’m doing wrong? Why don’t lines 1 and 2 have any effect?

    Please let me know your thoughts, thank you so much.

Viewing 15 replies - 1 through 15 (of 17 total)
  • Thread Starter misselenat

    (@misselenat)

    My apologies, I have forgotten to mention I have already tried following the solution suggested here by yorman, right at the end of the topic, but unfortunately it didn’t work. I still see the first 2 recommendations, as well as the third (which was not included in the code suggested by yorman, so that’s okay).

    I am using the free version of your plugin, and my hosting is GoDaddy. My server is running Apache as well as PHP 7.3.

    Thank you!

    By default, HSTS is enabled on all Linux-based managed hosting accounts. You do not need to take any additional steps to use HSTS with your site.

    By default, HSTS is not enabled on Windows hosting accounts.

    You do not have to add anything concerning Strict-Transport-Security to your .htaccess file if your site is on a Linux-based host.

    Further info here: https://www.a2hosting.ca/kb/security/ssl/enabling-http-strict-transport-security-hsts-for-your-site

    In your .htaccess file, insert this at the top of the file.

    <IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    # The header name must not carry a trailing colon; mod_headers adds it itself.
    Header set X-Content-Type-Options "nosniff"
    </IfModule>

    I have this in the .htaccess file of every site I build on a Linux-based system.

    • This reply was modified 4 years, 10 months ago by neotechnomad. Reason: spelling
    Thread Starter misselenat

    (@misselenat)

    Hi neotechnomad,

    Thank you for your reply. I have put the exact same code you suggest in my .htaccess file (I even moved it to the top, as you suggested), but this didn’t prevent the ‘Recommendations’ from showing up.
    I had also tried the solution provided at the bottom of the thread I linked (please see my second post here), but to no avail.

    The ‘Recommendations’ I’m talking about are these.

    Having already put the code you suggested in my .htaccess and being on a Linux server of course, I don’t get why they don’t recognize the code.

    My website has been online for a few months now, this is its link.

    Thank you,
    Elena

    • This reply was modified 4 years, 10 months ago by misselenat.

    The Strict-Transport-Security Recommendation will not disappear, but the others should.
If I’m not mistaken, the plugin scans once or twice a day, so give it a day and see if the others disappear.

    I’m a server admin also, and even though I know that the Strict-Transport-Security is enabled, I still have the Recommendation on all the sites I admin. I believe it is an issue with the plugin.

    Let me know if the other Recommendations do not vanish after a day or two.

    Thread Starter misselenat

    (@misselenat)

    Sure, I will keep you posted on this and let you know how it goes in a couple of days.

    Thank you very much for your help ??

    MissElenaT…

    In rereading your original post, I believe I see why the Strict-Transport-Security did not work and broke your site.

    This is how it is to be set in the .htaccess file:

    <IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    # No colon after the header name: "X-Content-Type-Options:" would be sent as a malformed name.
    Header set X-Content-Type-Options "nosniff"
    # env=HTTPS sends HSTS only on HTTPS responses; browsers ignore it over plain HTTP.
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
    </IfModule>

    Notice that before the “Strict-Transport-Security” there is “Header set”, which means just what it says – set in the header.
    So set this at the top of your .htaccess file and then test your site here: https://www.ssllabs.com/ssltest/index.html
    It takes a few minutes but, when it is done, scroll down almost to the bottom and look for “Strict Transport Security (HSTS)”. It should say “Yes”.

    Another addition is this:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    </IfModule>

    What this does is to force any links to your site which are still “HTTP” to go to “HTTPS”. It is a permanent redirect from HTTP to HTTPS.

    Thread Starter misselenat

    (@misselenat)

    I’m a bit afraid to break the site again, as I care about Google rankings and wouldn’t want it to crawl the site while it’s not available (with the luck I have, it’s very possible).

    I don’t care much about the “Strict-Transport Security”, but I would definitely want to fix the other 2 recommendations. Let’s see what happens in the next couple of days, if the problem is not solved, I’ll try other solutions.

    As for the HTTP redirected to HTTPS, I have already set my site to do that (without using the above code, though). Ideally I’d love to limit the amount of code I add to my .htaccess and to my WordPress core files (I’m self-taught at this and I’m also the only person who manages the site, so I have to make sure I always know what each string of code stands for, in case there are issues in the future).

    Thank you again so very much for the information you have shared ??

    I understand your reluctance in altering files.

    These should not break your site as I have them on other WordPress sites I admin.
The issue the first time you inserted the Strict-Transport-Security was that you may not have put in the “Header set”, which must go before Strict-Transport-Security, and you may not have put it within the IfModule tags.

    Thread Starter misselenat

    (@misselenat)

    I’ll give it a try now and let you know if it says ‘Yes’ when tested ??

    I already got an A when I tested earlier without the Strict-Transport-Security setting on, but apparently I did that just in time to see the top mark – the result says: “This server supports TLS 1.1. Grade will be capped to B from January 2020”. I guess I’ll have to see into that as well, although I have very basic SSL needs for my site.

    So I’m changing the .htaccess top lines to what you suggested and running the test again.
    In a few minutes we’ll have a response, at least for the Strict-Transport-Security issue.

    Thank you again ??

    Thread Starter misselenat

    (@misselenat)

    Success! It says A+ now and the green line confirms Strict-Transport-Security is active!

    I scrolled and verified it says “yes” at the bottom, too.

    Thank you so much for your help!!!

    Now I hope the first 2 Recommendations will go away in the next few days. As for the third one, since you still see it on the websites you manage, I guess it’s really an issue with the plugin. Have you tried reporting it, or do you feel like it’s not worth it?

    • This reply was modified 4 years, 10 months ago by misselenat.

    Congrats!

    I’m not sure that it is an issue with the plugin. Possibly more the scan itself and the timeframe between scans. A day or two should tell.

And actually, your post prompted me to investigate further and I have added an extension to the Strict line, as below.
    As a server admin, I prefer to modify the Apache configuration file, but most of the sites I admin are not on the VPS I admin, so I default to the htaccess.
    The htaccess is slower, but effective.

    Notice how the Strict line is extended. This increases the time limit, adds SubDomains, and allows preload. This is the version that always gets me an A+.
    (On the test, it also eliminates the “blue bar”)

    Another test I do before uploading to a site, is to test the syntax of the htaccess here: https://www.htaccesscheck.com/
It gives you an “OK” if the syntax is correct and there are no “spelling” errors.

    <IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    # No colon after the header name; mod_headers inserts it when writing the header.
    Header set X-Content-Type-Options "nosniff"
    # Two-year max-age, subdomains covered, eligible for the browser preload list; HTTPS responses only.
    Header set Strict-Transport-Security "max-age=63072000; preload; includeSubdomains" env=HTTPS
    </IfModule>

    The “X” Recommendations should vanish with the plugin’s next scan (hopefully).
    Best to wait a day or two.
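A way to check the three headers yourself rather than waiting for the plugin's next scan. This is an added example, not code from the plugin or from anyone in this thread; it uses only the Python standard library. The two sample responses are constructed for the example (not captured from any real site); the "broken" one shows what a response looks like when the header name in the .htaccess directive carried a trailing colon, which puts a doubled colon on the wire, and why a scanner then reports the header as wrong. The `audit_url` helper is the live variant and assumes the host answers a HEAD request.

```python
"""Audit the security headers this thread is about, the way a scanner does.
Added example; not part of the plugin or of any post in the thread."""
import re
import urllib.request
from typing import Dict, List

# Expected values, keyed by lower-cased header name.
EXPECTED = {
    "x-xss-protection": re.compile(r"^1;\s*mode=block$", re.I),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
}
ONE_YEAR = 31536000  # seconds; the max-age the recommendations use


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn the header block of an HTTP response into a dict.

    Names are lower-cased. The split is on the FIRST colon, so a header sent
    as 'X-Content-Type-Options:: nosniff' (the result of a directive whose
    header name ended in ':') keeps the extra colon in its value and later
    fails the value check, which is how a scanner ends up reporting it.
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():           # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:                    # not a header line; ignore it
            continue
        headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(value: str, scheme: str) -> List[str]:
    """Findings for a Strict-Transport-Security value; an empty list means fine."""
    findings: List[str] = []
    if scheme != "https":
        findings.append("served over http; browsers ignore HSTS there")
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        findings.append("max-age missing")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append("max-age shorter than one year")
    if not re.search(r"includesubdomains", value, re.I):
        findings.append("includeSubDomains absent")
    if not re.search(r"\bpreload\b", value, re.I):
        findings.append("preload absent")
    return findings


def audit(headers: Dict[str, str], scheme: str = "https") -> Dict[str, str]:
    """Report 'ok', 'missing' or 'bad value: ...' for each recommended header."""
    report: Dict[str, str] = {}
    for name, pattern in EXPECTED.items():
        if name not in headers:
            report[name] = "missing"
        elif pattern.match(headers[name]):
            report[name] = "ok"
        else:
            report[name] = f"bad value: {headers[name]!r}"
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        report["strict-transport-security"] = "missing"
    else:
        problems = check_hsts(hsts, scheme)
        report["strict-transport-security"] = (
            "ok" if not problems else "bad value: " + "; ".join(problems)
        )
    return report


def audit_url(url: str) -> Dict[str, str]:
    """Live variant (assumed usage): fetch the URL and audit its response headers."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        headers = {k.lower(): v for k, v in resp.headers.items()}
    scheme = url.split(":", 1)[0].lower()
    return audit(headers, scheme)


# Constructed sample responses for offline use (not captured from a real site).
SAMPLE_BROKEN = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache",
    "X-XSS-Protection: 1; mode=block",
    "X-Content-Type-Options:: nosniff",  # directive's header name ended in ':'
    "",
])
SAMPLE_FIXED = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache",
    "X-XSS-Protection: 1; mode=block",
    "X-Content-Type-Options: nosniff",
    "Strict-Transport-Security: max-age=63072000; preload; includeSubdomains",
    "",
])

if __name__ == "__main__":
    for label, raw in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(label, audit(parse_raw_headers(raw)))
```

Run it as is to see the two sample reports, or call `audit_url("https://example.invalid/")` with your own site's HTTPS address. Testing the https:// URL matters: with `env=HTTPS` the HSTS header is only sent on HTTPS responses, and the report flags HSTS seen over plain HTTP because browsers discard it there.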

    Thread Starter misselenat

    (@misselenat)

    Wow! Thank you so much for taking the time to explain this to me, including the changes you have recently made. I have updated my .htaccess accordingly and, although the “blue bar” hasn’t disappeared in the new test (screenshot here), I’m sure this version of the code is better and will be useful for other users having problems similar to mine, too.

Thank you also for mentioning the .htaccess syntax test site, I gave it a try right away and it said everything was OK. I will make sure to use it every time I make changes to said file, for extra peace of mind ??

    I will keep checking the Recommendations section and let you know if anything changes.

    Again, thank you so much for everything!

    You are welcome. ??

    I ran the test on your site just to see. (hope you don’t mind)
    Not to worry about the blue bar. It’s just stating that the browser supports SNI – ‘Server Name Indication’. (read a short post on SNI here: What is Server Name Indication (SNI)?)

    The main item is that the server still supports TLS 1.1 Protocols. (see the third box: “Configuration”)
    Not really an issue as the techs should be upgrading to TLS 1.2; but if you test after the end of January, you may get a ‘B’. This is because TLS 1.0 and TLS 1.1 protocols will be removed from browsers at the beginning of 2020. (see the second link below)

    The important parts are good, such as Strict Transport Security (HSTS), Forward Secrecy, Downgrade Attack Prevention, and that it is Trusted. These you should be concerned about if they change.

    If I were you, I would contact your host concerning the upgrading from TLS 1.1 to TLS 1.2 and when they will be implementing it. You could attach a screenshot of the Configuration Section, noting that it comes from the Qualys SSL Labs Server Test and include this link of theirs: SSL Labs Grade Change for TLS 1.0 and TLS 1.1 Protocols

    Love your photos, by the way. I am not a photographer by any means. I had problems using a Kodak Instamatic ??

    Thread Starter misselenat

    (@misselenat)

    I don’t mind at all! I wouldn’t have known what to do without your help ??

    I contacted GoDaddy upon reading your message, but it looks like my server already supports TLS 1.2. The PHP Info seems to confirm it, and I see it shows in the Qualys SSL Labs Server Test, too (I’m honestly not sure it was there last night, maybe it wasn’t and Godaddy fixed it when I contacted them?): please see here.

Anyway, I still see the orange bar, so I was wondering if this is just general information because my server still supports TLS 1.1 (although it also supports 1.2), or if I should take this notice as a friendly reminder that TLS 1.0 and 1.1 should not be supported starting February 2020, as in “this may be a security threat”.
    Could you please help me understand if my server should NOT support older TLS versions by the end of January, or if it’s okay if it does, provided it also supports TLS 1.2 (which it does)? I hope it makes sense! ??

    I will keep an eye on the relevant security sections you have highlighted, making sure they don’t change. Thank you for instructing me!

    Also, thank you so much for appreciating my photography ??
I used to shoot with a film camera when I was a child (my camera wasn’t remotely as cool as the Kodak Instamatic, of course), but a good 99% of my photo album was pics of my cats. When I started taking photographs as a “serious” hobby the digital era had already begun, so I guess it was easier for me to learn through trial & error, without having to spend a fortune “developing my mistakes”! ??

The difference is that the default security protocol the server uses is TLS 1.2, though they still have TLS 1.1 supported for backwards compatibility, which is never used by any current up-to-date browser.

Some hosts (…like Godaddy) keep it more out of laziness and not wanting to deal with clients who still use outdated OSes like Win98 or outdated browsers like IE 6 or 7. […you can probably hear me shudder from there ?? ]
Yes… people still use these. I have a friend whose dad still has a computer with Win98 and IE 6 to connect to the Net. […running away screaming ?? ]

    My host does not support TLS 1.1. It is way past time to eliminate support for SSL 1/2/3 and TLS 1.0 and 1.1.

Though your certificate has compatibility for TLS 1.1, in your case it will never be used if you use the latest versions of Firefox, GChrome, Safari or other less popular browsers like Opera, as they do not support TLS 1.0 or 1.1.
    The “orange bar” merely indicates the support, but not the use. The default use would be for TLS 1.2. The bar will vanish when your host removes support.

    And just FYI …there is a TLS 1.3 that was finalized/published in August 2018. It will slowly make its way across the net. Companies such as CloudFlare already support it and make it available. Firefox, GChrome and Safari all use 1.3 as default and have backward compatibility for 1.2; but not 1.1 and older. > Mozilla disables TLS 1.0 and 1.1

    Though a bit technical, this is a good article on TLS 1.3: An Overview of TLS 1.3 – Faster and More Secure @ Kinsta.

    With Firefox, you can view what TLS encryption is being used for whatever site you are on (…if it is HTTPS) by clicking on the padlock in the address bar. A pop-up window appears and click the “>” on the right. Click on “More Information” and look at “Technical Details”. The first line is “Connection Encrypted”.

    www.ads-software.com uses 1.3. Your site uses 1.2, as do most of the hosts of the sites I admin.

    So… in a nutshell, you are protected. Not to worry. Happy internetting! ??

    • This reply was modified 4 years, 10 months ago by neotechnomad. Reason: spelling
  • The topic ‘Problem with recommendations (X-XSS Protection & more)’ is closed to new replies.