# Security Features (gtbu/Typesetter5.2 GitHub Wiki)

A CMS always has problems with attackers who want to damage or take over it. Typesetter CMS uses PHP's htmlspecialchars() and a nonce. The login is optionally encrypted, and after repeated incorrect passwords the login is blocked for 15 minutes. However, untrusted users may try to load external code, and against some XSS methods only a WAF with filters helps.

CSP rules and HSTS, together with a WAF, protect against XSS.

Plugins like fail2ban are always recommended.

A local WAF such as ModSecurity, SafeLine or Shieldon monitors and protects the traffic.

Typesetter has a 404 error page. Its text is editable in the CMS.

During login the user should always check whether a long string has been appended to the login page URL (domain.com/Admin or similar). If so, there is a small danger of XSS, an ownership hack or similar.


Some users may get a message that a certificate is unsafe, for example:

```
fopen(): Peer certificate CN=tp531test.abc' did not match expected CN=www.tp531test.abc.page' in: /var/www/vhosts/abc/tp531test/tp531test/include/tool/RemoteGet.php on line: 191
```

Two conditions must hold for the remote fetch to succeed:

1. allow_url_fopen must be enabled: this allows PHP to even try to open a remote URL with fopen(). If it is off, you get a different error, or the RemoteGet function fails silently.

2. The SSL certificate must be valid: even with allow_url_fopen enabled, PHP still performs a security check on the SSL certificate. If the certificate name does not match the requested URL (the "CN did not match" error above), the connection is blocked. Make sure the certificate also covers the www subdomain.


## Cacert

If you get unsafe-certificate errors, a local cacert.pem may help. It has to be renewed periodically.

1. Some providers allow a user-specific php.ini; point it at the bundle in /cert:

```ini
curl.cainfo = /cert/cacert.pem
openssl.cafile = /cert/cacert.pem
```

Key details:

- curl.cainfo: ensures cURL functions use the specified CA bundle.
- openssl.cafile: configures OpenSSL (used by PHP's streams, HTTPS, and SSL/TLS contexts).
- Use absolute paths (/cert/cacert.pem) for reliability.
2. Verify file permissions

Ensure the web server user (e.g., www-data) has read access to the certificate:

```bash
sudo chmod 644 /cert/cacert.pem
```

3. Restart PHP/PHP-FPM

Apply the changes:

- For PHP-FPM (common with NGINX/Apache):

```bash
sudo systemctl restart php-fpm.service
```

- For Apache with mod_php:

```bash
sudo systemctl restart apache2
```

4. Verify configuration

Create a test.php file in your CMS root with:

```php
<?php
phpinfo();
```

Access it via the browser and search for curl.cainfo and openssl.cafile to confirm the paths. Remove the file afterwards, since phpinfo() exposes server details.

Optional: environment-specific notes

If using Docker/Containers, ensure /cert is mounted correctly.

For shared hosting, place cacert.pem in your home directory and adjust the path (e.g., /home/username/cert/cacert.pem).

This setup ensures PHP uses your custom CA bundle for secure HTTPS requests.
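The following diagnostic script is an added example, not Typesetter's own code. It checks the two conditions from the certificate-error section (allow_url_fopen and a verifiable certificate) and the cacert setup above in one run: it reads the CA bundle paths from php.ini, confirms the web server can read them, reports the earliest expiry date inside the bundle (an outdated bundle is a common cause of "unsafe certificate" messages), and performs one HTTPS fetch with peer verification on, surfacing the PHP warning instead of failing silently. TEST_URL is a placeholder; replace it with the host the CMS actually fetches from.

```php
<?php
// Added diagnostic (not part of Typesetter). Save as cert-check.php in the CMS root,
// open it once in the browser, then delete it. TEST_URL is a placeholder.
declare(strict_types=1);

const TEST_URL = 'https://www.example.com/'; // placeholder: use the host your CMS fetches from

function checkIni(): array
{
    $results = [];
    // 1. allow_url_fopen must be on, otherwise fopen()/file_get_contents() never reach the network.
    $results['allow_url_fopen'] = filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
    // 2. The bundle paths configured in php.ini must exist and be readable by the web server user.
    foreach (['curl.cainfo', 'openssl.cafile'] as $key) {
        $path = (string) ini_get($key);
        $results[$key] = ['path' => $path, 'readable' => $path !== '' && is_readable($path)];
    }
    return $results;
}

function checkBundleExpiry(string $bundle): ?string
{
    // cacert.pem is a concatenation of PEM certificates; report the earliest notAfter date
    // so a stale bundle is noticed before it produces verification errors.
    if (!is_readable($bundle)) {
        return null;
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', file_get_contents($bundle), $m);
    $earliest = null;
    foreach ($m[0] as $pem) {
        $info = openssl_x509_parse($pem);
        if ($info === false) {
            continue;
        }
        if ($earliest === null || $info['validTo_time_t'] < $earliest) {
            $earliest = $info['validTo_time_t'];
        }
    }
    return $earliest === null ? null : date('Y-m-d', $earliest);
}

function fetchWithVerification(string $url): array
{
    // Peer verification stays on; peer_name must match the certificate's CN/SAN,
    // which is exactly the check that produced the "CN did not match" message.
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => parse_url($url, PHP_URL_HOST),
    ]]);
    $error = null;
    // Capture the warning text instead of letting the fetch fail silently.
    set_error_handler(function (int $no, string $msg) use (&$error): bool {
        $error = $msg;
        return true;
    });
    $body = file_get_contents($url, false, $ctx);
    restore_error_handler();
    return ['ok' => $body !== false, 'error' => $error];
}

header('Content-Type: text/plain');
print_r(checkIni());
echo "Earliest expiry in bundle: ", checkBundleExpiry((string) ini_get('openssl.cafile')) ?? 'n/a', "\n";
print_r(fetchWithVerification(TEST_URL));
```

If `ok` is false, the `error` field contains the same wrapper warning the CMS would have produced (disabled wrapper, unreadable bundle, or a CN/SAN mismatch), which tells you which of the two conditions failed.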

## HSTS

  • Browsing history leaks: If a user clicks on an HTTP link to a site, an on-path network observer can see that URL. If the site has an HSTS policy that is enforced, the browser upgrades that URL to HTTPS and the path is not visible to the network observer.
  • Protocol downgrades: If a site redirects from HTTP to HTTPS, an on-path network attacker can intercept and re-write the redirect to keep the browser using plaintext HTTP.
  • Cookie hijacking: On HTTP requests, an on-path network attacker can see and modify cookies. Even if the site redirects to HTTPS, the on-path attacker can inject cookies into the redirect response.
.htaccess:

```apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
```

PHP:

```php
header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
```

## CSP

A Content Security Policy is a security feature that helps prevent cross-site scripting (XSS) attacks.

There are several implementation methods:

1. Entry in the page head as a meta tag:

```html
<meta http-equiv="Content-Security-Policy" content="
   default-src 'self';
   img-src 'self' data: cdn.jsdelivr.net unsplash.com *.wikimedia.org;
   font-src 'self' fonts.googleapis.com fonts.gstatic.com;
   script-src 'self' 'unsafe-inline' cdnjs.cloudflare.com;
   style-src 'self' 'unsafe-inline' fonts.googleapis.com;
">
```

This blocks 95 % of XSS attacks.

2. A PHP security-header library: vulnerable to PHP overloading during attacks (if the PHP code is not executed, the header is not sent).

3. Entry in .htaccess or the Nginx config: safe, but for Nginx you need sudo rights.

- Apache (.htaccess):

```apache
Header set Content-Security-Policy "default-src 'self'; frame-src 'self' https://archive.org https://*.google.com https://www.youtube.com https://www.youtube-nocookie.com; script-src 'self' 'unsafe-inline' https://archive.org https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://*.google.com https://assets.github.com; style-src 'self' 'unsafe-inline' https://assets.github.com; connect-src 'self' https://archive.org *.archive.org https://*.google.com https://api.github.com; img-src 'self' data: avatars.githubusercontent.com camo.githubusercontent.com https://upload.wikimedia.org *.ytimg.com; font-src 'self' data: https://assets.github.com;"
```

- Nginx (/etc/nginx/sites-available/your-domain.conf):

```nginx
    # Add your Content-Security-Policy header here
    add_header Content-Security-Policy "default-src 'self'; frame-src 'self' https://archive.org https://*.google.com https://www.youtube.com https://www.youtube-nocookie.com; script-src 'self' 'unsafe-inline' https://archive.org https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://*.google.com https://assets.github.com; style-src 'self' 'unsafe-inline' https://assets.github.com; connect-src 'self' https://archive.org *.archive.org https://*.google.com https://api.github.com; img-src 'self' data: img.youtube.com avatars.githubusercontent.com camo.githubusercontent.com https://upload.wikimedia.org *.ytimg.com; font-src 'self' data: https://assets.github.com;" always;

    location / {
        try_files $uri $uri/ =404;
    }
```

The full server block looks like this:

```nginx
server {
    listen 80;
    server_name your-domain.com www.your-domain.com;

    # ... other server settings ...

    # THIS IS THE CORRECT LINE YOU NEED TO ADD
    add_header Content-Security-Policy "default-src 'self'; frame-src 'self' https://archive.org https://*.google.com; script-src 'self' 'unsafe-inline' https://archive.org https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://*.google.com https://assets.github.com; style-src 'self' 'unsafe-inline' https://assets.github.com; connect-src 'self' https://archive.org *.archive.org https://*.google.com https://api.github.com; img-src 'self' data: img.youtube.com avatars.githubusercontent.com camo.githubusercontent.com; font-src 'self' data: https://assets.github.com;" always;

    location / {
        # This is where your website's files are located
        root /var/www/html;
        index index.html index.htm;
    }

    # ... other settings like SSL if you have them ...
}
```
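The following is an added example for the PHP variant of both the HSTS and CSP sections; it is not Typesetter's code or a particular library. It builds the policy from a directive table so the allowlist stays readable, and it replaces `'unsafe-inline'` in script-src with a per-request nonce (the mechanism the introduction mentions), because `'unsafe-inline'` lets an injected inline script run and largely cancels the XSS protection the policy is meant to give. The HSTS header is only emitted on HTTPS requests, since browsers ignore it on plaintext HTTP. The host list is taken from the page's example policies and is an assumption for your site; trusting `X-Forwarded-Proto` is also an assumption that only holds behind a reverse proxy you control.

```php
<?php
// Added example (not Typesetter's own code): send HSTS and a nonce-based CSP from PHP.
// Must run before any output, because headers cannot be sent afterwards.
declare(strict_types=1);

function cspNonce(): string
{
    static $nonce = null;
    // One random nonce per request; 16 random bytes is ample entropy.
    return $nonce ??= base64_encode(random_bytes(16));
}

function buildCsp(string $nonce): string
{
    // Hosts below come from the page's sample policies; adjust them to what your pages actually load.
    $directives = [
        'default-src' => ["'self'"],
        'script-src'  => ["'self'", "'nonce-{$nonce}'", 'https://cdn.jsdelivr.net', 'https://cdnjs.cloudflare.com'],
        'style-src'   => ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
        'font-src'    => ["'self'", 'https://fonts.googleapis.com', 'https://fonts.gstatic.com'],
        'img-src'     => ["'self'", 'data:', 'https://upload.wikimedia.org'],
        'frame-src'   => ["'self'", 'https://www.youtube-nocookie.com'],
        'object-src'  => ["'none'"],  // no plugins/embeds at all
        'base-uri'    => ["'self'"],  // stops <base> injection from redirecting relative script URLs
    ];
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

function sendSecurityHeaders(bool $reportOnly = false): void
{
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Headers already sent at $file:$line; call this before any output");
    }
    // HSTS is only honoured over HTTPS; never emit it for the plaintext port.
    // Assumption: X-Forwarded-Proto is set by a reverse proxy you control.
    $https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https');
    if ($https) {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
    }
    // Report-Only mode lets you watch the browser console for violations before enforcing.
    $name = $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header($name . ': ' . buildCsp(cspNonce()));
}

// Usage in the page template: every inline <script> you keep must carry the same nonce.
sendSecurityHeaders();
$nonce = htmlspecialchars(cspNonce(), ENT_QUOTES, 'UTF-8');
echo "<script nonce=\"{$nonce}\">console.log('allowed by nonce');</script>\n";
```

Roll the policy out with `sendSecurityHeaders(true)` first: the browser logs what the policy would have blocked without breaking the site, and once the console is clean you switch to enforcing mode. Inline scripts without the nonce, including any injected by an attacker, are then refused.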