Skip to content

Better security mode (HTTPS and other features)

Jump to bottom
robiso edited this page Apr 15, 2018 · 6 revisions

Better security mode works on Apache servers / hosting packages (but there are some external instructions for tuning NGINX at the bottom of this page).

Important: read before turning this feature ON

  • Create a backup of your website (Settings -> Security) before making any changes.
  • Contact your host and make sure your website supports the included HTTPS://www redirect or activating this MAY BREAK YOUR WEBSITE. Also check you have a valid HTTPS certificate.
  • The HTTPS redirect feature works best if WonderCMS is installed at the root of your website (not in a subfolder).
  • To turn on better security mode, go to Settings -> Security and the click "ON" button.
  • It may take some time for changes to be affected.

If anything goes wrong and you cannot access your website normally after activating this feature: open the "htaccess" file on your server and replace all content with the default htaccess: https://github.com/robiso/wondercms/blob/master/.htaccess

What happens when you turn ON better security mode

Your server htaccess file will be overwritten with the below bolded features.

  • turns off directory listing // included in WonderCMS by default
  • turns off server signature // included by default
  • denies access to database.js // included by default
  • creates clean URLs (example.com/?page=home TO example.com/home) // included by default
  • always redirect to https://www on your website
  • a stricter cookie policy
  • additional XSS protection for when the user has it turned off by default (server side)
  • MIME type sniffing prevention
  • iframes to be allowed only from the same origin
  • a stricter referrer policy

The final overwritten (htaccess file) when turning this feature ON will look like:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set Cache-Control "max-age=2628000, public"

Options -Indexes
ServerSignature Off
RewriteEngine on

RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA,L]
RewriteRule database.js - [F]

Header always edit Set-Cookie (.*) "$1; HTTPOnly"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options: nosniff
Header always append X-Frame-Options SAMEORIGIN
Header set Referrer-Policy: strict-origin-when-cross-origin

NGINX

Check the official nginx website for instructions on enabling https.

Still need help?

Intro

Basic how to's

Themes

Plugins

Security

Features description

List of common errors

Clone this wiki locally