Joomla HTTP Headers or SCP HTTP Header Protection?

3 weeks 2 days ago - 3 weeks 2 days ago #10029 by azurelinksc
Hola Jose,

I'm sure you are aware of Joomla 4's new System - HTTP Headers feature. Have you had a chance to evaluate it? It appears that it conflicts with Securitycheck Pro's HTTP Header Protection features when both are enabled. In my case, I lost a fair amount of the interface elements in Joomla's Administrator interface. The general layout was there, but all of the background colors and some symbol images were missing, and since the various menu items are in white text, they aren't visible — unless you click and drag across them with a mouse.

When I checked the console, there were numerous Content Security Policy violation messages of this sort:

Either the 'unsafe-inline' keyword, a hash ... or a nonce is required to enable inline execution. ... 
Followed by these notes:
Note that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

I ended up remaking the htaccess protection in SCP, disabling all of the parameters in the HTTP Headers Protection tab, saving, and clicking Protect. Doing so gave me back the full admin interface.

What I'm curious to know is in your opinion, which type of HTTP protection is better? SCP or Joomla's? And/or what your recommended settings for each might be so they work together?

Thanks.
Last edit: 3 weeks 2 days ago by azurelinksc.

3 weeks 2 days ago #10030 by Jose
Hi azurelinksc,

Yes, I'm aware of that Joomla core feature.

My recommendation is not to use the Securitycheck Pro HTTP headers feature and that plugin together, because they do basically the same thing and you can have conflicts. In terms of granularity, my plugin allows you to specify each resource allowed in each directive, but it requires more time and knowledge on your part to do it. The core plugin is easier and grants you a good level of security.

So the election is basically a matter of how much time you want to spend :)

Regards,
Jose
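
The console notes quoted in the first post (directives falling back to `default-src`, inline code refused) and the overlap Jose describes can be checked directly from a response's headers. This is an added example, not part of the original thread or of either extension's code; the header values in `SAMPLE` are constructed and are not the actual output of Securitycheck Pro or Joomla.

```python
# Added example. Audits the Content-Security-Policy headers of one response.
# SAMPLE is constructed: one bare policy and one detailed policy, as could
# happen when two components each add their own header.
SAMPLE = [
    "default-src 'self'",
    "default-src 'self'; script-src 'self' 'unsafe-inline'; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data:",
]
CHECKED = ("script-src", "style-src", "img-src")
MARKERS = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_policy(value):
    """Parse one header value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        # A repeated directive is ignored by browsers; the first one counts.
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def effective_sources(policy, directive):
    """Return (sources, fell_back); sources is None if nothing restricts it."""
    if directive in policy:
        return policy[directive], False
    if "default-src" in policy:
        return policy["default-src"], True
    return None, False

def allows_unmarked_inline(sources):
    """True if inline code without a nonce or hash would be allowed."""
    if sources is None:
        return True
    # When a nonce or hash is listed, browsers ignore 'unsafe-inline'.
    marked = any(s.startswith(MARKERS) for s in sources)
    return "'unsafe-inline'" in sources and not marked

def audit(csp_headers):
    """List findings; each policy is enforced independently of the others."""
    findings = []
    for i, value in enumerate(csp_headers, 1):
        policy = parse_policy(value)
        for d in CHECKED:
            sources, fell_back = effective_sources(policy, d)
            if fell_back:
                findings.append(f"policy {i}: {d} not set, default-src is used")
            if d != "img-src" and not allows_unmarked_inline(sources):
                findings.append(f"policy {i}: inline {d[:-4]} blocked")
    if len(csp_headers) > 1:
        findings.append(f"{len(csp_headers)} policies sent; a load must satisfy all of them")
    return findings
```

In the constructed sample the second policy permits inline styles, but the first one still blocks them, so relaxing only one of the two sources does not restore the page.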
