
htaccess passing with Security Headers


kdmonk1


I wanted to pass this on to someone that may need this. I am currently working off of Prestashop 1.7.8.0 / CPanel / Apache 4 / php7.3. If you use this htaccess code your security headers will pass with an "A" grade. There is one piece I am having trouble with and that is: 

Content-Security-Policy - I have this line commented out. I am still working on this one. My Recaptcha on the create login and contact us pages stopped working because of this line. It has something to do with CSP and inline code from Google. If anyone can figure this out please respond to the thread, or if anyone has any updates to this htaccess please respond to the thread. Thanks!

Note: Be sure to change all the URLs "yourwebsiteurl.com" to your website URL. I'd like to hear back if it works for anyone.

URL to scan your headers: https://securityheaders.com/

# ~~start~~ Do not remove this comment, Prestashop will keep automatically the code outside this comment when .htaccess will be generated again
# .htaccess automaticaly generated by PrestaShop e-commerce open-source solution
# https://www.prestashop.com - https://www.prestashop.com/forums

<IfModule mod_rewrite.c>
<IfModule mod_env.c>
SetEnv HTTP_MOD_REWRITE On
</IfModule>

RewriteEngine on


#Domain: yourwebsiteurl.com
RewriteRule . - [E=REWRITEBASE:/]
RewriteRule ^api(?:/(.*))?$ %{ENV:REWRITEBASE}webservice/dispatcher.php?url=$1 [QSA,L]

# Images
RewriteCond %{HTTP_HOST} ^yourwebsiteurl.com$
RewriteRule ^([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$1$2$3.jpg [L]
RewriteCond %{HTTP_HOST} ^yourwebsiteurl.com$
RewriteRule ^([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$1$2$3$4.jpg [L]
RewriteCond %{HTTP_HOST} ^yourwebsiteurl.com$
RewriteRule ^([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$1$2$3$4$5.jpg [L]
RewriteCond %{HTTP_HOST} ^yourwebsiteurl.com$
RewriteRule ^([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$1$2$3$4$5$6.jpg [L]
RewriteCond %{HTTP_HOST} ^yourwebsiteurl.com$
RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.jpg [L]
RewriteCond %{HTTP_HOST} ^yourwebsiteurl.com$
RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.jpg [L]
RewriteCond %{HTTP_HOST} ^yourwebsiteurl.com$
RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.jpg [L]
RewriteCond %{HTTP_HOST} ^yourwebsiteurl.com$
RewriteRule ^c/([0-9]+)(\-[\.*_a-zA-Z0-9-]*)(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/c/$1$2$3.jpg [L]
RewriteCond %{HTTP_HOST} ^yourwebsiteurl.com$
RewriteRule ^c/([a-zA-Z_-]+)(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/c/$1$2.jpg [L]
# AlphaImageLoader for IE and fancybox
RewriteRule ^images_ie/?([^/]+)\.(jpe?g|png|gif)$ js/jquery/plugins/fancybox/images/$1.$2 [L]

# Dispatcher
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ %{ENV:REWRITEBASE}index.php [NC,L]
</IfModule>

# Security Headers
<IfModule mod_headers.c>
   Header set X-Content-Type-Options "nosniff"
   # Legacy header: current browsers ignore it, but header scanners still look for it
   Header set X-XSS-Protection "1; mode=block"
   Header set X-Frame-Options "SAMEORIGIN"
   Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
   Header always set Referrer-Policy "strict-origin-when-cross-origin"
   # Expect-CT is deprecated; it does no harm but no longer affects browsers
   Header set Expect-CT "enforce, max-age=604800"
   # Content-Security-Policy is left commented out (see the post above). The original line put
   # "script-src" inside default-src, where it is not a valid source expression; a well-formed
   # version of the same policy is below. Caveats: a nonce hard-coded in .htaccess never changes,
   # so it gives no protection; browsers that understand nonces ignore 'unsafe-inline'; and
   # 'unsafe-inline' plus 'unsafe-eval' largely defeat the purpose of a script-src policy.
   #Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-uG2bsk6JIH923nsvp01n24KE' 'unsafe-inline' 'unsafe-eval';"
   Header always set Permissions-Policy "accelerometer=(self); ambient-light-sensor=(self); autoplay=(self); camera=(self); encrypted-media=(self); fullscreen=(self); geolocation=(self); gyroscope=(self); magnetometer=(self); microphone=(self); midi=(self); payment=(self); picture-in-picture=(*); speaker=(self); sync-xhr=(*); usb=(self); vr=(self);"
   # Appends the flags to every Set-Cookie, including cookies that already carry them
   # (PrestaShop sets "secure; HttpOnly; SameSite=Lax" itself, so the flags can end up duplicated)
   Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure"
   Header set Connection keep-alive
</IfModule>

AddType application/vnd.ms-fontobject .eot
AddType font/ttf .ttf
AddType font/otf .otf
AddType application/font-woff .woff
AddType font/woff2 .woff2
<IfModule mod_headers.c>
    <FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|svg)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>

    <FilesMatch "\.pdf$">
        Header set Content-Disposition "Attachment"
    </FilesMatch>
</IfModule>

<Files composer.lock>
    # Apache 2.2
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>

    # Apache 2.4
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</Files>
<IfModule mod_expires.c>
    #Activate
    ExpiresActive On
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    # image/svg+xml was listed twice (1 month, then 1 year); the later directive wins, so only that one is kept
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresByType image/vnd.microsoft.icon "access plus 1 year"
    ExpiresByType text/css "access plus 1 week"
    ExpiresByType text/javascript "access plus 1 week"
    ExpiresByType application/javascript "access plus 1 week"
    ExpiresByType application/x-javascript "access plus 1 week"
    ExpiresByType application/font-woff "access plus 1 year"
    ExpiresByType application/x-font-woff "access plus 1 year"
    ExpiresByType application/x-font-ttf "access plus 1 year"
    # the x-font-otf line was missing its closing quote in the original
    ExpiresByType application/x-font-otf "access plus 1 year"
    ExpiresByType application/vnd.ms-fontobject "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType font/opentype "access plus 1 year"
    ExpiresByType font/ttf "access plus 1 year"
    ExpiresByType font/otf "access plus 1 year"
</IfModule>

<IfModule mod_headers.c>
    Header unset Etag
</IfModule>
FileETag none
<IfModule mod_deflate.c>
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
</IfModule>
</IfModule>
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE text/html text/css text/javascript application/javascript application/x-javascript font/ttf application/x-font-ttf font/otf application/x-font-otf font/opentype image/svg+xml
    </IfModule>
</IfModule>

<IfModule deflate_module>
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE application/json application/x-javascript  text/javascript application/javascript text/js
  AddOutputFilterByType DEFLATE text/xml application/xml application/xml+rss text/javascript application/javascript
  AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>

#If rewrite mod isn't enabled
ErrorDocument 404 /index.php?controller=404

# ~~end~~ Do not remove this comment, Prestashop will keep automatically the code outside this comment when .htaccess will be generated again

# BEGIN cPanel-generated php ini directives, do not edit
# Manual editing of this file may result in unexpected behavior.
# To make changes to this file, use the cPanel MultiPHP INI Editor (Home >> Software >> MultiPHP INI Editor)
# For more information, read our documentation (https://go.cpanel.net/EA4ModifyINI)
<IfModule php7_module>
   php_flag display_errors Off
   php_value max_execution_time 300
   php_value max_input_time 3000
   php_value max_input_vars 10000
   php_value memory_limit 1024M
   php_value post_max_size 50M
   php_value session.gc_maxlifetime 1440
   php_value session.save_path "/tmp"
   php_value upload_max_filesize 50M
   php_flag zlib.output_compression Off
</IfModule>
<IfModule lsapi_module>
   php_flag display_errors Off
   php_value max_execution_time 300
   php_value max_input_time 3000
   php_value max_input_vars 10000
   php_value memory_limit 1024M
   php_value post_max_size 50M
   php_value session.gc_maxlifetime 1440
   php_value session.save_path "/tmp"
   php_value upload_max_filesize 50M
   php_flag zlib.output_compression Off
</IfModule>
# END cPanel-generated php ini directives, do not edit

# Host-specific: cPanel wrote this handler for the original poster's PHP 7.3 account.
# If your own .htaccess already has such a block, keep yours; if it does not, do not copy
# this one (see the replies below about PHP source being shown instead of the shop).
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php73” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php73 .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit

  • 3 months later...

Hi, I tried your htaccess on my site, but using the PHP 7.4 version, once the code is applied, I get this screen: how can I solve it? Thanks

<?php
/**
 * Copyright since 2007 PrestaShop SA and Contributors
 * PrestaShop is an International Registered Trademark & Property of PrestaShop SA
 *
 * NOTICE OF LICENSE
 *
 * This source file is subject to the Open Software License (OSL 3.0)
 * that is bundled with this package in the file LICENSE.md.
 * It is also available through the world-wide-web at this URL:
 * https://opensource.org/licenses/OSL-3.0
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to [email protected] so we can send you a copy immediately.
 *
 * DISCLAIMER
 *
 * Do not edit or add to this file if you wish to upgrade PrestaShop to newer
 * versions in the future. If you wish to customize PrestaShop for your
 * needs please refer to https://devdocs.prestashop.com/ for more information.
 *
 * @author PrestaShop SA and Contributors <[email protected]>
 * @copyright Since 2007 PrestaShop SA and Contributors
 * @license https://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
 */
require dirname(__FILE__).'/config/config.inc.php';
Dispatcher::getInstance()->dispatch();


21 minutes ago, skeccy said:

Hi, I tried your htaccess on my site, but using the PHP 7.4 version, once the code is applied, I get this screen: how can I solve it? Thanks


The problem may well be with the bit that comes after: "# php -- BEGIN cPanel-generated handler, do not edit".

If there was a similar block in your original .htaccess I'd leave it alone. If it wasn't there then don't add it.


@Paul C thanks for your reply. 

I see the problem is: 

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php73” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php73 .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit

When I delete this, the security header protection goes from a C to an F grade.

Do you have a solution to obtain grade A on Prestashop 1.7.7.8 with PHP version 7.4? These are my results:

[screenshot: 2.JPG, securityheaders.com results]


  • 6 months later...

Team, when I originally created this post everything was working well and I had a grade "A" from securityheaders.com. Months passed by and I went to check my headers and I am at a grade of "F" on securityheaders.com. I have not updated my Prestashop website nor have I changed my .htaccess file. I reached out to cPanel and they stated the following:

"I am able to see that these headers have been added to the .htaccess, however, they do not appear to be applying to the main website response provided by Prestashop.  The headers still only contained:

# curl -I https://mywebsite.com
HTTP/1.1 200 OK
Date: Fri, 09 Sep 2022 19:58:37 GMT
Server: “ServerName”
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: ...; domain=mywebsite.com; secure; HttpOnly; SameSite=Lax
Set-Cookie: ...; expires=Thu, 29-Sep-2022 19:58:37 GMT; Max-Age=1727999; path=/; domain=mywebsite.com; secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=300; includeSubDomains; preload
Content-Type: text/html; charset=utf-8

It appears that Prestashop may be stripping these headers from the main response, as a request made to any of the assets that is not processed by Prestashop directly has the headers being applied.  For example, accessing the main CSS file (the theme) of your domain shows the correct headers:

# curl -I https://mywebsite.com/themes/default/assets/cache/theme-7f31aa57.css
HTTP/1.1 200 OK
Date: Fri, 09 Sep 2022 20:01:35 GMT
Server: “MyServer”
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: accelerometer=(self); ambient-light-sensor=(self); autoplay=(self); camera=(self); encrypted-media=(self); fullscreen=(self); geolocation=(self); gyroscope=(self); magnetometer=(self); microphone=(self); midi=(self); payment=(self); picture-in-picture=(*); speaker=(self); sync-xhr=(*); usb=(self); vr=(self);
Last-Modified: Tue, 01 Feb 2022 12:41:23 GMT
Accept-Ranges: bytes
Content-Length: 696610
Cache-Control: max-age=63072000, public
Expires: Fri, 16 Sep 2022 20:01:35 GMT
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
X-XSS-Protection: 1; mode=block
Content-Type: text/css

The logo image in your top header also has these headers being applied:

# curl -I https://mywebsite.com/img/logo-1637629287.jpg
HTTP/1.1 200 OK
Date: Fri, 09 Sep 2022 20:03:38 GMT
Server: “MyServer”
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: accelerometer=(self); ambient-light-sensor=(self); autoplay=(self); camera=(self); encrypted-media=(self); fullscreen=(self); geolocation=(self); gyroscope=(self); magnetometer=(self); microphone=(self); midi=(self); payment=(self); picture-in-picture=(*); speaker=(self); sync-xhr=(*); usb=(self); vr=(self);
Last-Modified: Tue, 23 Nov 2021 01:01:27 GMT
Accept-Ranges: bytes
Content-Length: 3504
Cache-Control: max-age=63072000, public
Expires: Sun, 09 Oct 2022 20:03:38 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
X-XSS-Protection: 1; mode=block
Content-Type: image/jpeg

Only responses returned from Prestashop directly appear to have these headers missing, which indicates that Prestashop may or may not be removing these headers to only return its own.

We highly recommend placing these security headers in your Apache configuration instead of this website's .htaccess as well. Your .htaccess is regenerated by Prestashop when it needs to be, and these headers will likely be removed from this file when this occurs. Please see the following for information on this: How to add nosniff, CORS, HSTS, Clickjack, and X-Xss-Protection headers on a per domain basis. If you have cPanel you can access it to make the changes using this url: https://docs.cpanel.net/whm/service-configuration/include-editor/

If you have any additional questions or concerns, please let us know."


Once I made the changes on my server, my security headers showed a grade of "A".

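A check you can run yourself on the two kinds of response cPanel compared above (added example, not code from the thread or from PrestaShop): it parses the output of `curl -I`, reports which of the headers securityheaders.com grades are missing or emitted twice, whether the HSTS max-age is below the 63072000 the .htaccess sets, and whether every Set-Cookie carries Secure and HttpOnly. The two sample responses are constructed from the dumps quoted above and abbreviated; the cookie name is a placeholder.

```python
import re

# Headers securityheaders.com looks for; the .htaccess in this thread sets all but CSP.
EXPECTED = ["strict-transport-security", "x-content-type-options", "x-frame-options",
            "referrer-policy", "permissions-policy", "content-security-policy"]
HSTS_MAX_AGE = 63072000  # the max-age the .htaccess above configures (two years)


def parse_headers(raw):
    """Turn `curl -I` output into (name, value) pairs with lower-cased names."""
    # Lower-casing matters: the CSS response in the thread carries both
    # X-Xss-Protection and X-XSS-Protection, which are the same header twice.
    pairs = []
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue  # status line or blank line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw):
    """Report missing/duplicated headers, a weak HSTS max-age and unflagged cookies."""
    pairs = parse_headers(raw)
    names = [n for n, _ in pairs]
    findings = {
        "missing": [h for h in EXPECTED if h not in names],
        "duplicated": sorted({n for n in names if names.count(n) > 1}),
        "weak_hsts": False,
        "insecure_cookies": [],
    }
    for name, value in pairs:
        if name == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value)
            if not m or int(m.group(1)) < HSTS_MAX_AGE:
                findings["weak_hsts"] = True
        elif name == "set-cookie":
            attrs = {a.strip().lower() for a in value.split(";")}
            if not {"secure", "httponly"} <= attrs:
                findings["insecure_cookies"].append(value.split("=", 1)[0])
    return findings


# Constructed samples, abbreviated from the two curl -I dumps quoted above.
MAIN_PAGE = """HTTP/1.1 200 OK
Date: Fri, 09 Sep 2022 19:58:37 GMT
Cache-Control: no-store, no-cache, must-revalidate
Set-Cookie: PrestaShop-example=redacted; domain=mywebsite.com; secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=300; includeSubDomains; preload
Content-Type: text/html; charset=utf-8
"""
THEME_CSS = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: accelerometer=(self); camera=(self)
X-XSS-Protection: 1; mode=block
Content-Type: text/css
"""

if __name__ == "__main__":
    for label, raw in (("main page", MAIN_PAGE), ("theme css", THEME_CSS)):
        print(label, audit(raw))
```

Feed it the saved `curl -I` output for the HTML page and for a static asset; the symptom in this thread shows up as a long "missing" list for the former and an almost empty one for the latter.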

  • 2 weeks later...
On 9/10/2022 at 5:47 AM, kdmonk1 said:

Team, When I originally created this post everything was working well and I had a grade "A" from securityheaders.com. Months past by and I go to check my headers and I am at a grade of "F" on securityheaders.com. I have not updated my Prestashop website nor have I changed my .htaccess file. I reached out to cPanel and they stated the following:

"I am able to see that these headers have been added to the .htaccess, however, they do not appear to be applying to the main website response provided by Prestashop.  The headers still only contained:

# curl -I https://mywebsite.com HTTP/1.1 200 OK Date: Fri, 09 Sep 2022 19:58:37 GMT Server: “ServerName” Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: ...; domain=mywebsite.com; secure; HttpOnly; SameSite=Lax Set-Cookie: ...; expires=Thu, 29-Sep-2022 19:58:37 GMT; Max-Age=1727999; path=/; domain=mywebsite.com; secure; HttpOnly; SameSite=Lax Strict-Transport-Security: max-age=300; includeSubDomains; preload Content-Type: text/html; charset=utf-8

It appears that Prestashop may be stripping these headers from the main response, as a request made to any of the assets that is not processed by Prestashop directly has the headers being applied.  For example, accessing the main CSS file (the theme) of your domain shows the correct headers:

# curl -I https://mywebsite.com/themes/default/assets/cache/theme-7f31aa57.css HTTP/1.1 200 OK Date: Fri, 09 Sep 2022 20:01:35 GMT Server: “MyServer” Strict-Transport-Security: max-age=63072000; includeSubDomains X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block Referrer-Policy: strict-origin-when-cross-origin Permissions-Policy: accelerometer=(self); ambient-light-sensor=(self); autoplay=(self); camera=(self); encrypted-media=(self); fullscreen=(self); geolocation=(self); gyroscope=(self); magnetometer=(self); microphone=(self); midi=(self); payment=(self); picture-in-picture=(*); speaker=(self); sync-xhr=(*); usb=(self); vr=(self); Last-Modified: Tue, 01 Feb 2022 12:41:23 GMT Accept-Ranges: bytes Content-Length: 696610 Cache-Control: max-age=63072000, public Expires: Fri, 16 Sep 2022 20:01:35 GMT Vary: Accept-Encoding Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET X-XSS-Protection: 1; mode=block Content-Type: text/css

The logo image in your top header also has these headers being applied:

# curl -I https://mywebsite.com/img/logo-1637629287.jpg HTTP/1.1 200 OK Date: Fri, 09 Sep 2022 20:03:38 GMT Server: “MyServer” Strict-Transport-Security: max-age=63072000; includeSubDomains X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Xss-Protection: 1; mode=block Referrer-Policy: strict-origin-when-cross-origin Permissions-Policy: accelerometer=(self); ambient-light-sensor=(self); autoplay=(self); camera=(self); encrypted-media=(self); fullscreen=(self); geolocation=(self); gyroscope=(self); magnetometer=(self); microphone=(self); midi=(self); payment=(self); picture-in-picture=(*); speaker=(self); sync-xhr=(*); usb=(self); vr=(self); Last-Modified: Tue, 23 Nov 2021 01:01:27 GMT Accept-Ranges: bytes Content-Length: 3504 Cache-Control: max-age=63072000, public Expires: Sun, 09 Oct 2022 20:03:38 GMT Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET X-XSS-Protection: 1; mode=block Content-Type: image/jpeg

Only responses returned from Prestashop directly appear to have these headers missing, which indicates that Prestashop may or may not be removing these headers to only return its own.
 
We highly recommend placing these security headers in your Apache configuration instead of this website's .htaccess as well.  Your .htaccess is regenerated by Prestashop when it needs to be, and these headers will likely be removed from this file when this occurs.  Please see the following for information on this: How to add nosniif, CORS, HSTS, Clickjack, and X-Xss-Protection headers on a per domain basis. If you have cPanel you can access it to make the changes using this url: https://docs.cpanel.net/whm/service-configuration/include-editor/
 
If you have any additional questions or concerns, please let us know."

 

Once I made the changes on my server, my security headers showed a grade of "A".
 

Did you get this resolved? I'm showing F also.


Hi @bnadauld, yes, I got this resolved and it is showing a grade of "A". By making the change on your server, your headers will never change because you control them through your server. If you have a virtual or dedicated server, you should be able to access your .htaccess through root. If you have a shared server, you may need to contact your hosting company. If you have cPanel, you can fill out a ticket and they will assist as well.

