Kryptronic Software Support Forum

You are viewing this forum as a guest. Login to an existing account, or create a new account, to reply to topics and to create new topics.

#1 06-24-2021 07:42:23

sdn
Member
From: UK
Registered: 05-29-2007
Posts: 868

Probely Security Scan Report

We just performed a security scan on our site using Probely free trail. It reported the following "Low" severity issues:

1    LOW   
Insecure referrer policy
https://ourdomain/


2    LOW   
Missing Content Security Policy header
https://ourdomain/


3    Low
Cookie without HttpOnly flag
https://ourdomain/index.php
[kprodfilter]


4    LOW   
Cookie without HttpOnly flag
https://ourdomain/index.php
[kprodsearch]


5    LOW   
Cookie without HttpOnly flag
https://ourdomain.co.uk/index.php
[kbreadcrumbs]


6    LOW   
JQuery library with known vulnerabilities
https://ourdomain/media/jquery/jquery.min.js

Are any of these going to affect K9 performance?

Can any be rectified?

Last edited by sdn (06-24-2021 07:43:58)


Simon

Offline

 

#2 06-24-2021 09:04:04

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19715
Website

Re: Probely Security Scan Report

We'll look into the "Cookie without HttpOnly flag" issues.  When setting that flag, JS cannot read or write cookies.  I'm not sure that's something that we'd want to do.

9.0.4 has an updated jQuery library with it.  9.0.4 also includes a new header which should address the "Insecure referrer policy" issue.  Updating when 9.0.4 comes out will correct those.

For the "Missing Content Security Policy header" issue, we're now recommending adding this to your Apache config, if your scanner is picking up on it:

Code:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

None of these affect performance.  These are not security issues, the scanner is warning about potential issues which could be corrected by using stricter config.  These are newer items which our new update addresses.


Nick Hendler

Offline

 

#3 06-24-2021 09:57:48

sdn
Member
From: UK
Registered: 05-29-2007
Posts: 868

Re: Probely Security Scan Report

OK thanks for the info.

We have that header in htaccess at present. If we add to Apache config instead, should it go in "Pre-Main Include" or "Pre VirtualHost Include"?


Simon

Offline

 

#4 06-25-2021 09:22:26

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19715
Website

Re: Probely Security Scan Report

It needs to go in the virtual host SSL portion at the bottom after the majority of the SSL config:

Code:

<VirtualHost IPADDRESS:443></VirtualHost>

Nick Hendler

Offline

 

Board footer