I have hit a problem when Chrome has decided that my site is unsafe, which I am trying to fix, but am hitting some issues.
First, I don’t seem to be able to check PHP Info using phpinfo(). PHP version is 8.2
Also, no matter what I put in my .htaccess file, this does not seem to actually turn on the relevant security modules.
How can I get the server to actually use the .htaccess file?
This is what I have in it currently…
# Force HTTPS
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:CF-Visitor} !{"scheme":"https"}
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Security Headers
<IfModule mod_headers.c>
# Content Security Policy
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://code.jquery.com; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; font-src 'self' https://cdnjs.cloudflare.com data:; img-src 'self' data: https:; connect-src 'self';"
# HTTP Strict Transport Security
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# X-Content-Type-Options
Header set X-Content-Type-Options "nosniff"
# X-Frame-Options
Header set X-Frame-Options "SAMEORIGIN"
# X-XSS-Protection
Header set X-XSS-Protection "1; mode=block"
# Referrer-Policy
Header set Referrer-Policy "strict-origin-when-cross-origin"
# Permissions-Policy
Header set Permissions-Policy "camera=(), microphone=(), geolocation=()"
</IfModule>
Yes, I have read all that and followed the steps to try and ensure that the site is secure.
Checking the site on HTTP Header Security Test - HTTP Observatory | MDN and https://securityheaders.com/ shows various security things that can be improved, hence I am trying to use .htaccess to resolve them.
But as I say, even with the .htaccess as in my original message, these things are not resolved.
If we focus on one problem at a time, back to the .htaccess issue…
Using another host service, adding exactly the same .htaccess file fixes most of the vulnerabilities as listed on the security scan sites.
So why doesn’t the .htaccess on Infinityfree.com seem to have any effect?
Your .htaccess is functioning properly (as GR9 mentioned), but those security scan sites are unable to access your site and cannot mark it as ‘fixed’ due to this security system:
How are you checking for these security headers exactly? Please note that any automated security header checkers may be blocked on our servers, so it’s possible the headers just work even if you can’t check them.
That said, these headers won’t help you with your unsafe site issue.
These warnings usually indicate that Google has classified your website as a “deceptive site”, i.e. trying to trick people into submitting (personal) information.
Enforcing a valid SSL certificate or setting a CSP header won’t help you there. After all, a phishing site that follows all the security best practices is still a phishing site.
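Since the host blocks the automated scanners, here is an added example (not from this thread, and not InfinityFree's code) of checking the headers yourself: a small bash script that reads a captured response-header dump on stdin and lists which of the headers the .htaccess above is supposed to set are absent. The function names, the example.invalid placeholder URL and the two header dumps are my own constructions; the 404 sample also shows why only the HSTS line survives on error and redirect responses, because it is the only directive written with `Header always set`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify the headers set by the .htaccess
# above yourself, since the host may block automated header scanners. Reads a
# raw HTTP response-header dump on stdin; only audit_site touches the network.
# Header names the .htaccess above is expected to set (lower-case for matching).
EXPECTED_HEADERS="content-security-policy strict-transport-security
x-content-type-options x-frame-options x-xss-protection referrer-policy
permissions-policy"

# Print, one per line, the expected headers that are absent from the response
# on stdin. Header names are case-insensitive, so the dump is lower-cased first.
missing_security_headers() {
    local raw name
    raw=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    for name in $EXPECTED_HEADERS; do
        printf '%s\n' "$raw" | grep -q "^${name}:" || echo "$name"
    done
}

# Fetch the front page and a page that does not exist (GET, headers dumped with
# -D -, browser-like User-Agent). The URL is a placeholder: pass the real one.
audit_site() {
    local base="${1:-https://example.invalid}" path
    for path in / /no-such-page-for-header-check; do
        echo "== ${base}${path}"
        curl -sS -o /dev/null -D - -A 'Mozilla/5.0' "${base}${path}" | missing_security_headers
    done
}

# Constructed sample: a 200 response where every directive applied.
SAMPLE_200="HTTP/2 200
content-type: text/html; charset=UTF-8
content-security-policy: default-src 'self'
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()"

# Constructed sample: a 404. mod_headers applies plain 'Header set' only to 2xx
# responses, so on 404s and on the 301 redirect only the 'always' HSTS line remains.
SAMPLE_404="HTTP/2 404
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains"

echo "missing on constructed 200:"; printf '%s\n' "$SAMPLE_200" | missing_security_headers
echo "missing on constructed 404:"; printf '%s\n' "$SAMPLE_404" | missing_security_headers
```

Passing the http:// form of the site to audit_site shows which headers survive on the 301 redirect as well.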