10-17-2016, 12:31 PM
lordaRaG0n
If you're on an Apache 2 server, try using the recommendations from securityheaders.io.
You should be able to implement the following without tweaks:
X-XSS-Protection
X-Frame-Options
X-Content-Type-Options

But for Content-Security-Policy you must whitelist in the header every host/script that's allowed to be used in src= attributes in your code. This is a bit tricky because you really need to review your code, and you'll end up with a very long header if you got code from third parties rather than internal, but it's doable.

The basic code without Content-Security-Policy can look like this in your .htaccess:

<IfModule mod_headers.c>
    # Turn on the browser's built-in reflected-XSS filter and block the page when it triggers
    Header set X-XSS-Protection "1; mode=block"
    # Only pages from this same site may put this page in a frame (clickjacking defence)
    Header set X-Frame-Options SAMEORIGIN
    # Stop browsers from sniffing a different content type than the one declared
    Header set X-Content-Type-Options nosniff
    # Force HTTPS for one year on this host and all subdomains; browsers only honour it over HTTPS
    Header set Strict-Transport-Security "max-age=31536000; includeSubdomains"
</IfModule>

Also, using mod_rewrite you can set additional restrictions on very specific strings, which will help if you don't set a Content-Security-Policy:

RewriteEngine On
# Refuse any request whose query string carries one of these injection signatures
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# [F] answers 403 Forbidden; note that Apache ignores the substitution target when F is set
RewriteRule ^(.*)$ index_error.php [F,L]
# Refuse the TRACE/TRACK methods, which echo request headers back to the client
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

You can replace index_error.php with whatever error page you wish to use.

Hope it helps :D
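Added example, not part of the post above: a small Python script that does the two chores the post describes by hand. It scans a page for src= attributes and turns the hosts it finds into a Content-Security-Policy value, and it audits a set of response headers against the header list the post recommends (the securityheaders.io-style check). The HTML page, header dictionary and hostnames are all constructed for the example; the header values mirror the .htaccess lines in the post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page: a mix of local and third-party resources.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.min.js"></script>
<script src='//stats.example.net/t.js'></script>
</head><body>
<img src="/img/logo.png">
<img src="https://images.example.org/banner.jpg">
<iframe src="https://player.example.org/embed/1"></iframe>
</body></html>
"""

# Constructed header set mirroring the .htaccess block in the post (no CSP yet).
POST_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubdomains",
}

# Which CSP directive governs the src= attribute of each tag.
TAG_DIRECTIVE = {"script": "script-src", "img": "img-src", "iframe": "frame-src"}
SRC_RE = re.compile(r"<(script|img|iframe)\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def csp_source(url):
    """Map one src= URL to the CSP source expression that allows it."""
    if url.startswith("//"):            # protocol-relative: host-only source
        return urlsplit("https:" + url).netloc
    parts = urlsplit(url)
    if parts.scheme and parts.netloc:   # absolute third-party URL: scheme + host
        return f"{parts.scheme}://{parts.netloc}"
    return "'self'"                     # relative path: same origin


def collect_sources(html):
    """Return {directive: set(sources)} for every src= found in the markup."""
    found = {}
    for tag, url in SRC_RE.findall(html):
        found.setdefault(TAG_DIRECTIVE[tag.lower()], set()).add(csp_source(url))
    return found


def build_csp(sources):
    """Serialise the collected sources into a Content-Security-Policy value."""
    parts = ["default-src 'self'"]
    for directive in ("script-src", "img-src", "frame-src"):
        if directive in sources:
            # 'self' first, then hosts alphabetically, so the output is stable
            ordered = sorted(sources[directive], key=lambda s: (s != "'self'", s))
            parts.append(f"{directive} {' '.join(ordered)}")
    return "; ".join(parts)


def audit_headers(headers):
    """Report gaps against the header set from the post; [] means nothing to fix."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection missing")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m or int(m.group(1)) < 31536000:   # one year, as in the post
        findings.append("Strict-Transport-Security max-age should be at least one year")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    return findings


if __name__ == "__main__":
    csp = build_csp(collect_sources(SAMPLE_HTML))
    print("Header set Content-Security-Policy \"%s\"" % csp)
    print("Findings before CSP:", audit_headers(POST_HEADERS))
    print("Findings after CSP: ", audit_headers({**POST_HEADERS, "Content-Security-Policy": csp}))
```

The scanner only sees what is in the markup you feed it, so scripts that load further resources at runtime still have to be added to the policy by hand; running the result in Content-Security-Policy-Report-Only first shows what the generated policy would have blocked.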