• Resolved dav74

    (@dav74)


    Hi there, I had someone look at my security headers. There were a couple of potential issues he told me about, but I am unsure whether to believe him or you, the plugin developer. The line in question was:

    Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE"

    I was told that the following:

    You have enabled 2 dangerous methods, i.e. PUT (Anyone can upload anything on your website, which means hackers can hack your website)
    DELETE (Anyone can submit a DELETE request on your website to delete any file on your website)

    Can you please guide me on that remark. Should I remove the PUT and DELETE requests?

    Finally I was also told this:

    Access-Control-Allow-Origin: You have set null origin which is not good as it can be bypassed. Remove this unused header as it poses a security risk.
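    A small audit that checks a response's CORS headers for the two points raised in this post, written as an added example for this thread (it is not code from the thread or from the plugin). It also flags a third case beyond the post, Access-Control-Allow-Methods without Access-Control-Allow-Origin, and the sample headers are constructed from the values quoted above.

```python
from typing import Dict, List

# Methods a CORS policy should not advertise unless cross-origin JavaScript really needs them.
RISKY_METHODS = {"PUT", "DELETE"}


def parse_methods(value: str) -> List[str]:
    """Split an Access-Control-Allow-Methods value such as "GET,PUT,POST,DELETE"."""
    return [m.strip().upper() for m in value.split(",") if m.strip()]


def audit_cors_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the CORS headers of one HTTP response (empty = nothing flagged).

    Header names are compared case-insensitively, as HTTP requires.
    Access-Control-Allow-Methods only tells *browsers* which methods a cross-origin
    script may use; whether PUT or DELETE actually does anything is decided by the
    web server and the application, not by this header.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []
    acao = h.get("access-control-allow-origin")
    acam = h.get("access-control-allow-methods")

    if acao is not None and acao.lower() == "null":
        # Documents in sandboxed iframes and pages loaded from data: or file: URLs
        # send "Origin: null", so answering "null" matches exactly those untrusted contexts.
        findings.append("Access-Control-Allow-Origin is 'null': this is not a safe way to "
                        "deny cross-origin access; remove the header if CORS is not needed")
    if acam is not None:
        risky = sorted(set(parse_methods(acam)) & RISKY_METHODS)
        if risky:
            findings.append("Access-Control-Allow-Methods advertises " + ", ".join(risky)
                            + " to cross-origin scripts; restrict it to the methods "
                            "your cross-origin clients actually use")
        if acao is None:
            findings.append("Access-Control-Allow-Methods is set without "
                            "Access-Control-Allow-Origin, so browsers ignore it; drop it")
    return findings


# Constructed sample: the two header values quoted in this thread.
THREAD_HEADERS = {
    "Access-Control-Allow-Origin": "null",
    "Access-Control-Allow-Methods": "GET,PUT,POST,DELETE",
}

if __name__ == "__main__":
    for finding in audit_cors_headers(THREAD_HEADERS):
        print("-", finding)
```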

Viewing 4 replies - 1 through 4 (of 4 total)
  • I am also waiting for the answer to the questions above. Most people vote for 5 stars because they get an A+ on securityheaders.com. But Access-Control-Allow-Origin null does not seem like a good setting.

    Thread Starter dav74

    (@dav74)

    Hi @catuyen

    Yes, I totally agree. An A+ on securityheaders.com does not necessarily mean there are no issues. It would be nice to get a reply from the plugin author. I actually removed the PUT and DELETE requests. Anyhow, hopefully next week we get an answer.

    Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @dav74 and @catuyen, thank you for raising these security concerns about our plugin Headers Security Advanced & HSTS WP. I would like to inform you that we have rewritten most of the code in the most recent version of the plugin, optimizing it to improve overall security.

    We are working on a new setting that will allow users to further customize security settings. This will give you more control over the configurations and allow you to tailor them to your specific needs.

    I would like to let you know that with tonight’s update, we have decided to remove the Access-Control-Allow-Origin header to address the potential security risks associated with it. We take the security of our users seriously and feel that this is an important decision to mitigate potential problems.

    We decided to remove the PUT and DELETE methods from the default configuration of the Access-Control-Allow-Methods header.

    However, we understand that each site is unique and may have specific needs. We are working on providing an advanced security settings customization option in the next plugin update.

    We continue to work to provide you with a secure and reliable plugin. We appreciate your feedback and are always open to further suggestions to improve the security of our plugin. Thank you again for contacting us.

    Thread Starter dav74

    (@dav74)

    Hi @unicorn03

    That’s great news and we look forward to you rolling out the update tonight.

  • The topic ‘Vulnerable security header?’ is closed to new replies.