We just performed a security scan on our site using the Probely free trial. It reported the following "Low" severity issues:
1 LOW
Insecure referrer policy
https://ourdomain/
2 LOW
Missing Content Security Policy header
https://ourdomain/
3 LOW
Cookie without HttpOnly flag
https://ourdomain/index.php
[kprodfilter]
4 LOW
Cookie without HttpOnly flag
https://ourdomain/index.php
[kprodsearch]
5 LOW
Cookie without HttpOnly flag
https://ourdomain.co.uk/index.php
[kbreadcrumbs]
6 LOW
JQuery library with known vulnerabilities
https://ourdomain/media/jquery/jquery.min.js
Are any of these going to affect K9 performance?
Can any be rectified?
Last edited by sdn (06-24-2021 07:43:58)
We'll look into the "Cookie without HttpOnly flag" issues. When setting that flag, JS cannot read or write cookies. I'm not sure that's something that we'd want to do.
9.1.0 has an updated jQuery library with it. 9.1.0 also includes a new header which should address the "Insecure referrer policy" issue. Updating when 9.1.0 comes out will correct those.
For the "Missing Content Security Policy header" issue, we're now recommending adding this to your Apache config, if your scanner is picking up on it:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
None of these affect performance. These are not security issues; the scanner is warning about potential issues which could be corrected by using stricter config. These are newer items which our new update addresses.
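Added example, not code from the thread or from the K9 project: a small POSIX shell check that reads a page's response headers (for instance from `curl -sI https://ourdomain/`, using the thread's placeholder hostname) and reports the same findings the scanner listed, so the config change can be verified before re-running the scan. The Apache directives in the comment and the sample responses are assumptions constructed for the example.

```shell
#!/bin/sh
# Apache mod_headers directives (assumed; tune the CSP to what the site actually
# loads, a bare 'self' policy will block inline scripts and third-party assets)
# that clear each finding reported in the thread:
#   Header always set Referrer-Policy "strict-origin-when-cross-origin"
#   Header always set Content-Security-Policy "default-src 'self'"
#   Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
#   Header edit Set-Cookie ^(.*)$ "$1; HttpOnly"

# Read response headers on stdin, print one line per finding,
# return 0 when clean and 1 when anything was found.
audit_headers() {
  hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')   # drop CRLF, compare case-insensitively
  n=0
  for h in referrer-policy content-security-policy strict-transport-security; do
    if ! printf '%s\n' "$hdrs" | grep -q "^$h:"; then
      echo "missing $h header"; n=$((n+1))
    fi
  done
  # Every Set-Cookie must carry HttpOnly; report the cookie name otherwise
  bad=$(printf '%s\n' "$hdrs" | grep '^set-cookie:' | grep -v 'httponly' \
        | sed 's/^set-cookie: *\([^=]*\)=.*/\1/')
  for c in $bad; do
    echo "cookie without HttpOnly flag [$c]"; n=$((n+1))
  done
  [ "$n" -eq 0 ]
}

# Constructed sample responses: before and after the header changes.
SAMPLE_BEFORE="HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: kprodfilter=abc123; path=/
Set-Cookie: kprodsearch=def456; path=/"

SAMPLE_AFTER="HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Set-Cookie: kprodfilter=abc123; path=/; HttpOnly; Secure
Set-Cookie: kprodsearch=def456; path=/; HttpOnly; Secure"

echo "== before =="; printf '%s\n' "$SAMPLE_BEFORE" | audit_headers || echo "(config fix needed)"
echo "== after ==";  printf '%s\n' "$SAMPLE_AFTER"  | audit_headers && echo "clean"
```

Pipe real output through it with `curl -sI https://ourdomain/ | audit_headers` after sourcing the script; a non-zero exit means at least one finding remains.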
OK thanks for the info.
We have that header in .htaccess at present. If we add it to the Apache config instead, should it go in "Pre-Main Include" or "Pre VirtualHost Include"?