Better security mode (HTTPS and other features)

robiso edited this page May 1, 2018 · 4 revisions

Better security mode works on Apache servers / hosting packages (there are also external instructions for tuning NGINX at the bottom of this page).

Important: read before turning this feature ON

  • Create a backup of your website (Settings -> Security) before making any changes.
  • The HTTPS redirect feature works best if WonderCMS is installed at the root of your website (not in a subfolder).
  • Contact your host and make sure your website supports the included HTTPS://www redirect, or activating this MAY BREAK YOUR WEBSITE. Also check that you have a valid HTTPS certificate.
  • To turn on better security mode, go to Settings -> Security and click the "ON" button.
  • It may take some time for changes to take effect.

If anything goes wrong and you cannot access your website normally after activating this feature: open the ".htaccess" file on your server and replace all of its content with the default htaccess: https://github.com/robiso/wondercms/blob/master/.htaccess

What happens when you turn ON better security mode

Your server's .htaccess file will be overwritten to provide the features listed below (the ones marked "included by default" are already part of the standard WonderCMS .htaccess; the rest are added by this mode).

  • turns off directory listing // included in WonderCMS by default
  • turns off the server signature // included by default
  • denies access to database.js // included by default
  • creates clean URLs (example.com/?page=home TO example.com/home) // included by default
  • always redirects to https://www on your website
  • applies a stricter cookie policy
  • additional XSS protection: turns on the browser's XSS filter from the server side, for users who have it turned off
  • MIME type sniffing prevention
  • allows iframes only from the same origin
  • applies a stricter referrer policy

The overwritten .htaccess file will look like this when the feature is ON:

```apache
# HSTS is sent only on HTTPS responses (env=HTTPS); the Cache-Control
# header applies to every response, not just static files
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set Cache-Control "max-age=2628000, public"

Options -Indexes
ServerSignature Off
RewriteEngine on

# First send non-www hosts to https://www..., then send anything still on
# plain HTTP to HTTPS (X-Forwarded-Proto covers TLS terminated at a proxy)
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Clean URLs: anything that is not an existing file or directory goes to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA,L]
# database.js is an existing file, so it skips the rule above and is forbidden here
RewriteRule database.js - [F]

# Mark every cookie HttpOnly and set the browser hardening headers
# (header names are written without a trailing colon)
Header always edit Set-Cookie (.*) "$1; HTTPOnly"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
Header always append X-Frame-Options SAMEORIGIN
Header set Referrer-Policy strict-origin-when-cross-origin
```
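To confirm the headers above actually reach the browser once the mode is on, here is an added example (not part of WonderCMS) that audits a response's headers against the Header lines above. It runs offline on a constructed sample, and `fetch_headers` is an assumed helper built only on the standard library for a live HEAD request that deliberately does not follow the 301 redirect.

```python
import re
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Header name -> pattern its value must satisfy, mirroring the Header lines
# in the better-security .htaccess (values are compared case-insensitively).
EXPECTED = {
    "strict-transport-security": r"max-age=\d+",
    "x-content-type-options": r"^nosniff$",
    "x-frame-options": r"^sameorigin$",
    "x-xss-protection": r"^1;\s*mode=block$",
    "referrer-policy": r"^strict-origin-when-cross-origin$",
}

def audit_headers(headers, scheme="https"):
    """headers: [(name, value), ...] from the server. Returns findings; [] is good."""
    findings, by_name = [], {}
    for name, value in headers:
        if name.endswith(":"):  # stray colon in the name: browsers ignore the header
            findings.append(f"{name} header name has a trailing colon")
            continue
        by_name.setdefault(name.lower(), []).append(value.strip())
    for name, pattern in EXPECTED.items():
        if name == "strict-transport-security" and scheme != "https":
            continue  # the .htaccess sends HSTS only over HTTPS (env=HTTPS)
        values = by_name.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
        elif not re.search(pattern, values[0], re.IGNORECASE):
            findings.append(f"{name}: unexpected value {values[0]!r}")
    for cookie in by_name.get("set-cookie", []):  # the Header edit should add HttpOnly
        if "httponly" not in cookie.lower():
            findings.append(f"set-cookie: {cookie.split('=', 1)[0]} lacks HttpOnly")
    return findings

def fetch_headers(url):
    """Live helper (assumed): HEAD url without following redirects -> (status, headers)."""
    class NoRedirect(HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # urllib then raises HTTPError for 3xx instead of following
    try:
        resp = build_opener(NoRedirect).open(Request(url, method="HEAD"), timeout=10)
    except HTTPError as err:
        resp = err  # 3xx/4xx responses still carry status and headers
    return resp.getcode(), list(resp.headers.items())

# Constructed sample of a correctly configured response (not captured live).
SAMPLE_OK = [("Strict-Transport-Security", "max-age=31536000"),
             ("X-Content-Type-Options", "nosniff"), ("X-Frame-Options", "SAMEORIGIN"),
             ("X-XSS-Protection", "1; mode=block"), ("Referrer-Policy", "strict-origin-when-cross-origin"),
             ("Set-Cookie", "PHPSESSID=constructed; path=/; HttpOnly")]
```

Against a live site, `status, headers = fetch_headers("http://example.com/")` should show a 301 whose Location is the https://www address, and `audit_headers(headers)` on the final HTTPS response should return an empty list.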

NGINX

Check the official nginx website for instructions on enabling HTTPS.
