-
-
Notifications
You must be signed in to change notification settings - Fork 166
Better security mode (HTTPS and other features)
robiso edited this page Apr 15, 2018
·
6 revisions
Better security mode works on Apache servers / hosting packages (but there are some external instructions for tuning NGINX at the bottom of this page).
- Create a backup of your website (Settings -> Security) before making any changes.
- Contact your host and make sure your website supports the included HTTPS://www redirect or activating this MAY BREAK YOUR WEBSITE. Also check you have a valid HTTPS certificate.
- The HTTPS redirect feature works best if WonderCMS is installed at the root of your website (not in a subfolder).
- To turn on better security mode, go to Settings -> Security and the click "ON" button.
- It may take some time for changes to be affected.
If anything goes wrong and you cannot access your website normally after activating this feature: open the "htaccess" file on your server and replace all content with the default htaccess: https://github.com/robiso/wondercms/blob/master/.htaccess
Yuur server htaccess file will be overwritten with the below bolded features.
- turns off directory listing // included in WonderCMS by default
- turns off server signature // included by default
- denies access to database.js // included by default
- creates clean URLs (example.com/?page=home TO example.com/home) // included by default
- always redirect to
https://www
on your website - a stricter cookie policy
- additional XSS protection for when the user has it turned off by default (server side)
- MIME type sniffing prevention
- iframes to be allowed only from the same origin
- a stricter referrer policy
The final overwritten (htaccess file) when turning this feature ON will look like:
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set Cache-Control "max-age=2628000, public"
Options -Indexes
ServerSignature Off
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA,L]
RewriteRule database.js - [F]
Header always edit Set-Cookie (.*) "$1; HTTPOnly"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options: nosniff
Header always append X-Frame-Options SAMEORIGIN
Header set Referrer-Policy: strict-origin-when-cross-origin
Check the official nginx website for instructions on enabling https.
Still need help?
- Ask a question or make a request in the community.
- Official website
Intro
- Home
- Demo
- Download
- One step install
- Requirements
- 5 file structure
- List of hooks
- Included libraries
- Create theme in 8 easy steps
- Create a plugin
- Custom modules
- Translations
- All security features described
Basic how to's
- Backup all files
- Change default login URL
- Change default password
- Create custom page template
- Create new editable areas or editable blocks
- Edit 404 page
- Get data from database
- Set data to database
- Hide page from menu
- Caddy web server config
- IIS server config
- NGINX server config
- Login
- Recover login URL
- Reset password
- Restore backup
- Update
- PHP built in server
Themes
- Create theme in 8 easy steps
- Add favicon
- Theme tags
- Update theme to work with WonderCMS 2.0.0
- Update theme to work with WonderCMS 3.0.0
- Share your themes with Custom modules
Plugins
- Quick intro on creating plugins and List of hooks
- Share your plugin with simply with Custom modules
Security
- All security features described
- Add SRI tags to your theme libraries
- Always redirect to https and www
- Additional security configuration(s)
- Add SRI tags to your theme libraries
- Better security mode (HTTPS and other features)
Features description
- One click update
- Optional: functions.php file
- Default database.js
- Allowed extensions file types for uploads
- Login URL doesn't work - 404
- 500 internal server error
- Persistent "New WonderCMS update available" message
- URLs mailformed on Windows IIS
- Other errors