How to add special headers such as the X-Frame-Options header?

  • Hi,


    Is it possible to configure special/extended headers, e.g. X-Frame-Options, content security policies, etc. in i-MSCP?


    Regards
    Bjoern

  • See also: https://github.com/i-MSCP/imsc…ache2_security_headers.pl


    Warning, the listener operates globally (for all sites...). You should improve it a bit if you want to make the security headers apply only to specific sites.


  • Hi,


    For my i-MSCP 1.3.6 I have done the following:


    Downloaded the listener-version 1.3.x from GitHub (https://github.com/i-MSCP/imsc…ache2_security_headers.pl) and placed the file to /etc/imscp/listeners.d/40_apache2_security_headers.pl


    After this, I triggered the installer with "perl imscp-autoinstall -d" and chose "automatic".
    The installer ran fine and completed successfully.


    But https://securityheaders.io still reports that no security headers are active.


    Restarting apache and php5-fpm didn't solve the problem.


  • Update:


    I have also tried listener versions 1.4 and 1.5... Nothing changed.
    Listener version 1.6 gives the following error while starting the installer:


    Shell-Script
    [FATAL] iMSCP::EventManager::_init: "getBlocByRef" is not exported by the iMSCP::TemplateParser module
    "replaceBlocByRef" is not exported by the iMSCP::TemplateParser module
    Can't continue after import errors at /etc/imscp/listeners.d/40_apache2_security_headers.pl line 30.
    BEGIN failed--compilation aborted at /etc/imscp/listeners.d/40_apache2_security_headers.pl line 30, <$fh> line 370.
    Compilation failed in require at /root/Downloads/imscp-1.3.16/engine/PerlLib/iMSCP/EventManager.pm line 174, <$fh> line 370.

  • Update:


    I have added some lines to the 40_apache2_security_headers.pl

    Perl
    ...
    package Listener::Apache2::Security::Headers;

    use iMSCP::EventManager;
    use iMSCP::TemplateParser;
    use strict;
    use warnings;

    my $filename = '/tmp/listener.txt';
    open(my $fh, '>', $filename) or die "Could not open file '$filename' $!";
    print $fh "Listener started.\n";
    close $fh;

    iMSCP::EventManager->getInstance()->register( 'beforeHttpdBuildConf',...


    and restarted the installer.


    After this

    Shell-Script
    # cat /tmp/listener.txt
    Listener started.

    So I guess that everything is fine with the installation itself.

  • Is this correct?


    HTML
    # grep "X-Content-Type" /etc/* -R
    /etc/apache2/conf-enabled/security.conf:#Header set X-Content-Type-Options: "nosniff"
    /etc/apache2/conf-available/security.conf:#Header set X-Content-Type-Options: "nosniff"
    /etc/imscp/listeners.d/40_apache2_security_headers.pl: Header always set X-Content-Type-Options "nosniff"
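
Added example, not part of the original posts and not i-MSCP code: the grep output above matches only commented-out lines in security.conf and the listener's own source, so this shell function lists the config files in which a `Header` directive for a given header is actually active. The sample tree, its host names and the function names are constructed for illustration; point the function at your real Apache config directory.

```shell
#!/bin/sh
# active_header_files DIR HEADER_NAME
# Prints "file:line" for every *.conf file under DIR that contains an
# uncommented mod_headers directive setting HEADER_NAME.
active_header_files() {
    dir=$1 name=$2
    # Optional indent, "Header", optional always/onsuccess condition, an
    # action, then the header name. A leading '#' prevents a match, so
    # commented-out directives are ignored.
    find "$dir" -type f -name '*.conf' -exec grep -niE \
        "^[[:space:]]*Header[[:space:]]+((always|onsuccess)[[:space:]]+)?(set|append|add|merge|setifempty)[[:space:]]+\"?${name}:?\"?([[:space:]]|\$)" \
        /dev/null {} + | cut -d: -f1,2 | sort
}

# Constructed sample tree: one commented directive (as in the grep output
# above), one vhost without the header, one vhost with it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/conf-enabled" "$root/sites-enabled"
    printf '%s\n' '#Header set X-Content-Type-Options: "nosniff"' \
        > "$root/conf-enabled/security.conf"
    printf '%s\n' '<VirtualHost *:80>' '    ServerName example.test' \
        '</VirtualHost>' > "$root/sites-enabled/example.test.conf"
    printf '%s\n' '<VirtualHost *:80>' '    ServerName fixed.test' \
        '    Header always set X-Content-Type-Options "nosniff"' \
        '</VirtualHost>' > "$root/sites-enabled/fixed.test.conf"
    echo "$root"
}

# Demo run on the constructed tree: only fixed.test.conf line 3 is reported.
demo_root=$(make_sample_tree)
active_header_files "$demo_root" X-Content-Type-Options
rm -rf "$demo_root"
```

An empty result for the real config directory means no generated file sets the header, whatever the listener source contains.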


  • You should avoid using listeners from an i-MSCP series other than the series that you use. If you use the 1.3.x series, you must use the listeners from the contrib directory of your i-MSCP version (archive), or those from the 1.3.x branch on GitHub.


  • Hi Laurent,


    As you can see, I have already tried the 1.3.x version and got stuck with issues.


    "Downloaded the listener-version 1.3.x from GitHub..."


    Because of the problems mentioned above, I tried the other versions also...