• Resolved Loren Strand

    (@tasksdoneright)


    Hello Give community and support team,

    I am a long-time fan of GiveWP (and a paid user).

    For this email, I am volunteering to help a GiveWP customer using your FREE plan. Recently, the site owner moved the site to web hosting with stricter security. The web host uses the following security header rules in the .htaccess file.

    # Only send HSTS on HTTPS responses (env=HTTPS)
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
    # Refuse to be framed by any page, including same-origin pages
    Header always set X-Frame-Options "deny"
    # Set a default Referrer-Policy only if none is present yet
    Header setifempty Referrer-Policy "same-origin"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Permitted-Cross-Domain-Policies "none"
    # "set" replaces any existing value, so this overrides the setifempty above
    Header set Referrer-Policy "strict-origin"
    Header set X-Content-Type-Options "nosniff"

    This raises a few questions that would be very helpful to understand about your plugin. I failed to find an article in your online documentation that answered these questions. Would you please help?

    – Are there any web server security header settings your plugin requires?

    – Do we need to configure any special values or settings to ensure your plugin works properly with these security headers activated?

    – If your plugin provides a service or interacts with infrastructure facilitated by you (the plugin vendor), what URLs, ASNs, IP Addresses does your plugin communicate with or serve up?

    The DNS the web host uses is Cloudflare.

    What firewall rules or Cloudflare/proxy rules must we enter, if any, to ensure your plugin operates properly with Cloudflare?

    Your answers are important because I will work with the web host to configure the settings to allow your plugin to work in this environment.

    Thank you in advance for your support.

    Kindly, Loren


Viewing 1 replies (of 1 total)
  • Plugin Support Matheus Martins

    (@matheusfd)

    Hi, @tasksdoneright.

    Glad you reached out. I can clarify here.

    – Are there any web server security header settings your plugin requires?

    There isn’t anything specific to GiveWP as far as the headers are concerned. However, you must be aware that, similar to e-commerce sites, we need to load third-party services. You must make sure that the information from the payment gateway is not blocked, for example.

    – Do we need to configure any special values or settings to ensure your plugin works properly with these security headers activated?

    Not that we are aware of.

    – If your plugin provides a service or interacts with infrastructure facilitated by you (the plugin vendor), what URLs, ASNs, IP Addresses does your plugin communicate with or serve up?

    It depends on the payment gateways you are using. If you use Stripe, for example, you need to make sure that their IP is not blocked on your server. You’ll find all of this information directly in the payment gateway documentation.

    – What firewall rules or Cloudflare/proxy rules must we enter, if any, to ensure your plugin operates properly with Cloudflare?

    It also depends on the payment gateway you use. Make sure that the firewall/proxy does not block the connection with the payment gateway. We usually discourage the use of caching or any modification tool from Cloudflare because it can also break GiveWP.

    Please let us know if you have further questions or need additional assistance!
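Added example (not part of this thread, GiveWP or Cloudflare): after deploying the .htaccess rules from the question and putting the site behind Cloudflare, the practical check is to look at what a donation page actually returns to the browser. The Python below parses a raw response header block and reports which of the expected security headers are missing, which carry stray curly quotes (a pasted “deny” is not DENY to a browser, so the header silently does nothing), which have values browsers will not accept, and whether Cloudflare served the page from cache (cf-cache-status: HIT), which the support reply above discourages for GiveWP pages. The two response blocks are constructed samples, not captures from a real site.

```python
"""Audit the security headers a WordPress/GiveWP page actually delivers.

Added example, not project code. Feed it the raw header block of a
response (e.g. the output of `curl -sI https://example.org/donate/`,
URL is a placeholder) and inspect the returned report.
"""
from typing import Dict, List

# Header names the .htaccess rules in the thread are meant to emit.
EXPECTED_HEADERS = [
    "strict-transport-security",
    "x-frame-options",
    "referrer-policy",
    "x-xss-protection",
    "x-permitted-cross-domain-policies",
    "x-content-type-options",
]

# Accepted tokens for headers whose effect is lost if the value is malformed.
VALID_VALUES = {
    "x-frame-options": {"deny", "sameorigin"},
    "x-content-type-options": {"nosniff"},
}

CURLY_QUOTES = "\u201c\u201d\u2018\u2019"


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP/1.x header block into a lower-cased name -> values map.

    Repeated headers are kept as a list so duplicates can be reported.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # blank separator or status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw: str) -> Dict[str, object]:
    """Return findings that would explain a 'working' config doing nothing."""
    headers = parse_headers(raw)
    missing = [h for h in EXPECTED_HEADERS if h not in headers]
    duplicated = [h for h, v in headers.items() if len(v) > 1]
    curly = [h for h, v in headers.items()
             if any(c in val for val in v for c in CURLY_QUOTES)]
    invalid = [h for h, ok in VALID_VALUES.items()
               if h in headers and headers[h][0].lower() not in ok]
    cache_status = headers.get("cf-cache-status", [""])[0].upper()
    return {
        "missing": missing,
        "duplicated": duplicated,
        "curly_quoted": curly,
        "invalid_values": invalid,
        "served_from_cloudflare_cache": cache_status == "HIT",
    }


# Constructed sample: rules pasted with smart quotes, page cached by Cloudflare.
BROKEN_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000
X-Frame-Options: \u201cdeny\u201d
Referrer-Policy: strict-origin
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
X-Content-Type-Options: nosniff
CF-Cache-Status: HIT
Server: cloudflare
"""

# Constructed sample: straight quotes in .htaccess, donation page not cached.
FIXED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000
X-Frame-Options: deny
Referrer-Policy: strict-origin
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: none
X-Content-Type-Options: nosniff
CF-Cache-Status: DYNAMIC
Server: cloudflare
"""

if __name__ == "__main__":
    for label, raw in (("broken", BROKEN_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, audit(raw))
```

Run it against the real donation page and the payment-confirmation page separately: those are the responses that must not be cached, and a HIT on either is the first thing to raise with the host before touching any firewall rule.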

  • The topic ‘What are GiveWP requirements for security headers?’ is closed to new replies.