Chrome Blocked Site, phpinfo() and .htaccess

I have hit a problem where Chrome has decided that my site is unsafe, which I am trying to fix, but I am hitting some issues.

First, I don't seem to be able to check PHP info using phpinfo(). The PHP version is 8.2.
Also, no matter what I put in my .htaccess file, this does not seem to actually turn on the relevant security modules.
How can I get the server to actually use the .htaccess file?

This is what I have in it currently…

```apache
# Force HTTPS
# The three conditions cover a direct TLS connection, a TLS-terminating proxy
# that sets X-Forwarded-Proto, and Cloudflare, which reports the scheme in CF-Visitor.
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:CF-Visitor} !{"scheme":"https"}
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Security Headers
<IfModule mod_headers.c>
    # Content Security Policy
    # Note: "Header set" without "always" is not applied to error responses
    # (4xx/5xx); use "Header always set" if those pages should carry it too.
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://code.jquery.com; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; font-src 'self' https://cdnjs.cloudflare.com data:; img-src 'self' data: https:; connect-src 'self';"

    # HTTP Strict Transport Security
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # X-Content-Type-Options
    Header set X-Content-Type-Options "nosniff"

    # X-Frame-Options
    Header set X-Frame-Options "SAMEORIGIN"

    # X-XSS-Protection (legacy header; current browsers ignore it, the CSP above is what matters)
    Header set X-XSS-Protection "1; mode=block"

    # Referrer-Policy
    Header set Referrer-Policy "strict-origin-when-cross-origin"

    # Permissions-Policy
    Header set Permissions-Policy "camera=(), microphone=(), geolocation=()"
</IfModule>
```

Please read

You are barking up the wrong tree. It does not even relate to your first issue

Yes, I have read all that and following steps to try and ensure that site is secure.
Checking the site on HTTP Header Security Test - HTTP Observatory | MDN and https://securityheaders.com/ show various security things that can be improved, hence trying to use .htaccess to resolve.
But as I say, even with the .htaccess as original message these things are not resolved.

If you did read, then you would not be doing this

So read the post again

If we focus on one problem at a time. back to the .htaccess issue…

Using another host service, adding exactly the same .htaccess file fixes most of the vulnerabilities as listed on the security scan sites.
So why doesn’t the .htaccess on Infinityfree.com seem to have any effect?

Looks like it worked to me:

If you’re not seeing the effect of your .htaccess file, maybe clear your browser cache, or try an incognito window.

Browser cache can be a right pain in the…

Your .htaccess is functioning properly (as GR9 mentioned), but those security scan sites are unable to access your site and cannot mark it as ‘fixed’ due to this security system:

Got it. So would the premium option lift this limitation?

I didn’t think that this would be an issue, it’s just a basic web-based application, but I can understand if that’s the issue.

Yes, premium-hosting does not have that security system installed.

Thank You. That sounds like the way to go. I appreciate your help.

How are you checking for these security headers exactly? Please note that any automated security header checkers may be blocked on our servers, so it’s possible the headers just work even if you can’t check them.


That said, these headers won’t help you with your unsafe site issue.

These warnings usually indicate that Google has classified your website as a “deceptive site”, i.e. trying to trick people into submitting (personal) information.

Enforcing a valid SSL certificate or setting a CSP header won’t help you there. After all, a phishing site that follows all the security best practices is still a phishing site.

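The replies above make two points that are easy to verify by hand: the headers may already be in place even though a browser cache or a blocked scanner hides them, and the HTTP-to-HTTPS rewrite is a separate thing from the header block. The script below is an added example, not code from the thread or from the host; it fetches the final response headers with curl (bypassing caches), reports which of the headers from the .htaccess in the first post are missing, and checks that a plain http:// request is redirected to https://. The two sample responses and the host name example.test are constructed so the checks run offline; curl and awk are assumed to be installed, and the site URL is taken from the first argument when the script is run by hand.

```shell
#!/bin/sh
# check_headers.sh (added example): verify security headers and the HTTPS redirect
# from the command line instead of relying on a browser or an external scanner.

# Constructed sample of a `curl -sI https://example.test/` response, embedded so
# the checks run offline. It deliberately lacks CSP and Permissions-Policy.
SAMPLE_HEADERS='HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin-when-cross-origin'

# Constructed sample of the answer to a plain http:// request when the rewrite works.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://example.test/
Content-Length: 0'

# Header names set by the .htaccess in the first post (X-XSS-Protection left out: obsolete).
EXPECTED='content-security-policy strict-transport-security x-content-type-options x-frame-options referrer-policy permissions-policy'

# fetch_headers URL [extra curl options]: print the header block of the last
# response only. Pass -L to follow redirects; the no-cache request headers ask
# any intermediate cache for a fresh copy.
fetch_headers() {
  _url=$1; shift
  curl -sS -o /dev/null -D - -H 'Cache-Control: no-cache' -H 'Pragma: no-cache' "$@" "$_url" \
    | tr -d '\r' | awk 'BEGIN { RS = "" } { last = $0 } END { print last }'
}

# missing_headers HEADER_TEXT: print each expected header that is absent
# (case-insensitive). Exit status 1 if anything is missing, 0 if all are present.
missing_headers() {
  _text=$(printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z')
  _rc=0
  for _h in $EXPECTED; do
    case "$_text" in
      *"$_h:"*) ;;
      *) echo "$_h"; _rc=1 ;;
    esac
  done
  return $_rc
}

# redirects_to_https HEADER_TEXT: exit 0 only if the response is a 3xx redirect
# whose Location is an https:// URL, i.e. the RewriteRule did its job.
redirects_to_https() {
  _text=$(printf '%s\n' "$1" | tr -d '\r')
  _status=$(printf '%s\n' "$_text" | head -n 1 | awk '{ print $2 }')
  _loc=$(printf '%s\n' "$_text" | grep -i '^location:' | head -n 1 | awk '{ print $2 }')
  case "$_status" in 301|302|307|308) ;; *) return 1 ;; esac
  case "$_loc" in https://*) return 0 ;; *) return 1 ;; esac
}

# Live run: sh check_headers.sh https://your-site.example/
if [ $# -gt 0 ]; then
  url=$1
  echo "== final response headers for $url"
  hdrs=$(fetch_headers "$url" -L)
  printf '%s\n' "$hdrs"
  echo "== missing security headers:"
  missing_headers "$hdrs" && echo "(none)"
  plain=$(printf '%s' "$url" | sed 's#^https://#http://#')
  echo "== http -> https redirect for $plain:"
  if redirects_to_https "$(fetch_headers "$plain")"; then echo "ok"; else echo "NOT redirected"; fi
fi
```

If the host's bot protection answers curl with a challenge page instead of your site, the header block you see belongs to the challenge, not to your .htaccess; compare the status line and content-type with what the browser shows before drawing conclusions, which is the same reason the scan sites report nothing useful.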