Mailing List Archive

X-Frame-Options and security
Hi,

I ran a security scan for X-Frame-Options
(https://gf.dev/x-frame-options-test) on our site
(https://linuxsecurity.com), and it returned SAMEORIGIN, which is good,
but it also returned GOFORIT.

The only settings we have are the following:

<IfModule mod_headers.c>
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Frame-Options "SAMEORIGIN"
        Header set X-Content-Type-Options "nosniff"
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
        Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
        Header set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>

Nowhere are we setting GOFORIT. Is it somehow the default and necessary
to explicitly disable it?

Other ideas greatly appreciated.

Thanks,
Dave
Re: X-Frame-Options and security
On Wed, Sep 1, 2021 at 7:30 PM Dave Wreski
<dwreski@guardiandigital.com.invalid> wrote:
>
> Hi,
>
> I ran a security scan for X-Frame-Options (https://gf.dev/x-frame-options-test) on our site (https://linuxsecurity.com), and it returned SAMEORIGIN, which is good, but it also returned GOFORIT.
>
> The only settings we have are the following:
>
> <IfModule mod_headers.c>
> Header set X-XSS-Protection "1; mode=block"
> Header set X-Frame-Options "SAMEORIGIN"
> Header set X-Content-Type-Options "nosniff"
> Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
> Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
> Header set Content-Security-Policy "frame-ancestors 'self'"
> </IfModule>
>
> Nowhere are we setting GOFORIT. Is it somehow the default and necessary to explicitly disable it?

No. I'd verify with a command-line client and see if it happens even
for static files.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: X-Frame-Options and security
Hi, it looks like it doesn't occur with static files using lynx. I also
checked with the homepage, and same result - X-Frame-Options only shows
SAMEORIGIN and does not include GOFORIT.

$ lynx -head -dump https://linuxsecurity.com/static-content/linuxsecurity_advisories.xml
HTTP/1.1 200 OK
Date: Thu, 02 Sep 2021 15:08:39 GMT
Content-Type: text/xml
Connection: close
Last-Modified: Thu, 02 Sep 2021 15:00:02 GMT
ETag: W/"2282-5cb046ff9b981-gzip"
Cache-Control: max-age=300
Expires: Thu, 02 Sep 2021 15:12:20 GMT
Vary: Accept-Encoding,User-Agent
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: geolocation 'self'; vibrate 'none'
Content-Security-Policy: frame-ancestors 'self'
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Content-Type-Options: nosniff
Age: 78
X-Cache: HIT from linuxsecurity.com
X-Cache-Detail: "cache hit" from linuxsecurity.com
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=UkC0MKV7N2kk6yllw9WQA5IlyNXkPlocDP9bk4SdU3geD8ODmI7n2W11DoMmsuRiQ6RImPfZSkCRSGZynMqvwjLGZ1qs5WN0WpFfnVoPI85wlD%2BF76XyY7Yc0T9zJz6G68YM"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6887a7a89cc5f031-EWR

Does that mean the test I used that showed GOFORIT is inaccurate?

The scan also reported that the permissions header was incorrect, and
suggested we add the following:

Permissions-Policy: interest-cohort=()

Do you have any recommendations for other security settings that should
be configured:

<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
Header set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>

Thanks,
Dave

On 9/1/21 7:43 PM, Eric Covener wrote:
> On Wed, Sep 1, 2021 at 7:30 PM Dave Wreski
> <dwreski@guardiandigital.com.invalid> wrote:
>> Hi,
>>
>> I ran a security scan for X-Frame-Options (https://gf.dev/x-frame-options-test) on our site (https://linuxsecurity.com), and it returned SAMEORIGIN, which is good, but it also returned GOFORIT.
>>
>> The only settings we have are the following:
>>
>> <IfModule mod_headers.c>
>> Header set X-XSS-Protection "1; mode=block"
>> Header set X-Frame-Options "SAMEORIGIN"
>> Header set X-Content-Type-Options "nosniff"
>> Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
>> Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
>> Header set Content-Security-Policy "frame-ancestors 'self'"
>> </IfModule>
>>
>> Nowhere are we setting GOFORIT. Is it somehow the default and necessary to explicitly disable it?
> No. I'd verify with a command-line client and see if it happens even
> for static files.
>
Re: X-Frame-Options and security
Hi, revisiting a post from last week regarding X-Frame-Options and
security settings. I performed a security scan of
https://linuxsecurity.com using immuniweb
(https://www.immuniweb.com/websec/linuxsecurity.com/QoioHb5H/) and it
showed we were setting GOFORIT and SAMEORIGIN. I'm unable to determine
where GOFORIT is being set, as we're not doing it manually, and I can't
locate it within an htaccess or in the virtual host config.

I also used geekflare (https://gf.dev/x-frame-options-test) and it also
reported that we were using both GOFORIT and SAMEORIGIN values.

I used lynx to dump the headers and it only displays SAMEORIGIN, as it
should.

Where else can I look to see where this option is being set?

Thanks,
Dave

On 9/1/21 7:43 PM, Eric Covener wrote:
> On Wed, Sep 1, 2021 at 7:30 PM Dave Wreski
> <dwreski@guardiandigital.com.invalid> wrote:
>> Hi,
>>
>> I ran a security scan for X-Frame-Options (https://gf.dev/x-frame-options-test) on our site (https://linuxsecurity.com), and it returned SAMEORIGIN, which is good, but it also returned GOFORIT.
>>
>> The only settings we have are the following:
>>
>> <IfModule mod_headers.c>
>> Header set X-XSS-Protection "1; mode=block"
>> Header set X-Frame-Options "SAMEORIGIN"
>> Header set X-Content-Type-Options "nosniff"
>> Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
>> Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
>> Header set Content-Security-Policy "frame-ancestors 'self'"
>> </IfModule>
>>
>> Nowhere are we setting GOFORIT. Is it somehow the default and necessary to explicitly disable it?
> No. I'd verify with a command-line client and see if it happens even
> for static files.
>
Re: X-Frame-Options and security
On Thu, Sep 9, 2021 at 7:57 PM Dave Wreski
<dwreski@guardiandigital.com.invalid> wrote:
>
> Hi, revisiting a post from last week regarding X-Frame-Options and security settings. I performed a security scan of https://linuxsecurity.com using immuniweb (https://www.immuniweb.com/websec/linuxsecurity.com/QoioHb5H/) and it showed we were setting GOFORIT and SAMEORIGIN. I'm unable to determine where GOFORIT is being set, as we're not doing it manually, and I can't locate it within an htaccess or in the virtual host config.
>
> I also used geekflare (https://gf.dev/x-frame-options-test) and it also reported that we were using both GOFORIT and SAMEORIGIN values.
>
> I used lynx to dump the headers and it only displays SAMEORIGIN, as it should.
>
> Where else can I look to see where this option is being set?

Find your in-use LogFormat and add %{X-Frame-Options}o. Then run one
of those failing tests, uncached.
If it's not logged with "GOFORIT", it's not coming from Apache or
anything behind it.

AFAICT Google says "GOFORIT" is a hack to "break" an X-Frame-Options
when you don't have access to change it.

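An added example, not code from the thread: it evaluates a response's X-Frame-Options the way the HTML Standard's "check a navigation response's adherence to X-Frame-Options" algorithm does, so a scanner finding of both GOFORIT and SAMEORIGIN can be read for what a browser would do with it. The header blocks are constructed, modelled on the lynx dump above, and the function names are chosen here.

```python
# Added example, not code from the thread: evaluate X-Frame-Options the way the
# HTML Standard's "check a navigation response's adherence to X-Frame-Options"
# algorithm does, to read a scanner finding of both GOFORIT and SAMEORIGIN.
RECOGNISED = {"deny", "sameorigin", "allowall"}

def parse_headers(raw):
    """Raw header block -> (lowercased name, value) pairs; duplicate lines stay separate."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def xfo_values(pairs):
    """Every X-Frame-Options token across all header lines: comma-split,
    lowercased, de-duplicated in order (the spec's 'get, decode, and split')."""
    tokens = []
    for name, value in pairs:
        if name == "x-frame-options":
            tokens += [t.strip().lower() for t in value.split(",") if t.strip()]
    return list(dict.fromkeys(tokens))

def framing_verdict(raw, same_origin_parent=False):
    """'CSP_GOVERNS', 'BLOCK' or 'ALLOW' for embedding this response in a frame."""
    pairs = parse_headers(raw)
    # An enforced CSP frame-ancestors directive takes precedence; XFO is skipped.
    if any(n == "content-security-policy" and "frame-ancestors" in v for n, v in pairs):
        return "CSP_GOVERNS"
    values = xfo_values(pairs)
    if not values:
        return "ALLOW"  # header absent
    if len(values) > 1:
        # Mixed list with a real keyword fails closed; all-unrecognised list is ignored.
        return "BLOCK" if RECOGNISED & set(values) else "ALLOW"
    if values[0] == "deny":
        return "BLOCK"
    if values[0] == "sameorigin":
        return "ALLOW" if same_origin_parent else "BLOCK"
    return "ALLOW"  # a lone unrecognised token is treated as if the header were absent

# Constructed header blocks modelled on the thread; the first two omit the CSP
# line so that X-Frame-Options alone decides.
DUPLICATED = "HTTP/1.1 200 OK\nX-Frame-Options: GOFORIT\nX-Frame-Options: SAMEORIGIN\n"
BOGUS_ONLY = "HTTP/1.1 200 OK\nX-Frame-Options: GOFORIT\n"
WITH_CSP = DUPLICATED + "Content-Security-Policy: frame-ancestors 'self'\n"

if __name__ == "__main__":
    for block in (DUPLICATED, BOGUS_ONLY, WITH_CSP):
        print(framing_verdict(block))
```

The two-value response fails closed in a spec-following browser, while a single bogus token is simply ignored, so the lone GOFORIT case is the one that actually weakens clickjacking protection; with the config's CSP frame-ancestors line present, X-Frame-Options is not consulted at all.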
Re: X-Frame-Options and security
Thu, 2 Sep 2021 at 18:18, Dave Wreski <dwreski@guardiandigital.com.invalid>:
>
> <IfModule mod_headers.c>
> Header set X-XSS-Protection "1; mode=block"
> Header set X-Frame-Options "SAMEORIGIN"

https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html#header

What headers are returned by error pages and by redirects (e.g. 302
redirect when requesting a directory without a trailing '/')?
What headers are returned by dynamic responses (proxied or CGI), if
you have any?

Maybe like this, adapting an example from the docs:

Header onsuccess unset X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"

> Header set X-Content-Type-Options "nosniff"
> Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
> Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
> Header set Content-Security-Policy "frame-ancestors 'self'"
> </IfModule>
>

Best regards,
Konstantin Kolinko

Re: X-Frame-Options and security
> https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html#header
>
> What headers are returned by error pages and by redirects (e.g. 302
> redirect when requesting a directory without a trailing '/')?
> What headers are returned by dynamic responses (proxied or CGI), if
> you have any?

It appears to mostly be caused by bots, and on 200 pages like the homepage:

172.70.34.154 - - [10/Sep/2021:10:55:39 -0400] "GET / HTTP/1.1" 200 80189 "-" "Slackbot 1.0 (+https://api.slack.com/robots)" X:"GOFORIT" 4/4115336 704/88978/80189 H:HTTP/1.1 U:/index.php

Notice I've added the X-Frame-Options header to the LogFormat.

> Maybe like this, adapting an example from the docs:
>
> Header onsuccess unset X-Frame-Options
> Header always set X-Frame-Options "SAMEORIGIN"

That fixed it, thanks.

I'm now curious how it's apparently being set by default to include GOFORIT?

Thanks,
Dave
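An added example, not code from the thread: it reads access-log lines carrying the `X:"%{X-Frame-Options}o"` field suggested earlier and groups every request whose logged value is not SAMEORIGIN by value, user agent and handled URI, which is the triage step that points at the PHP handler. The first sample line is the one quoted above; the other lines and the function names are constructed here.

```python
# Added example, not code from the thread: once X:"%{X-Frame-Options}o" is in the
# LogFormat, group every request whose logged value is not the expected one by
# value, user agent and handled URI.
import re
from collections import defaultdict

LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'X:"(?P<xfo>[^"]*)"(?P<rest>.*)$')
HANDLER = re.compile(r'\bU:(\S+)')  # the U: field names the URI actually handled

def parse(line):
    """One access-log line -> dict of fields, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    h = HANDLER.search(rec.pop("rest"))
    rec["handler"] = h.group(1) if h else None
    return rec

def unexpected(lines, expected="SAMEORIGIN"):
    """Records whose logged X-Frame-Options differs from `expected`, grouped by value.
    %{...}o reads the headers_out table, so a 'Header always' value may log as '-'."""
    groups = defaultdict(lambda: {"count": 0, "agents": set(), "handlers": set()})
    for line in lines:
        rec = parse(line)
        if rec is None or rec["xfo"] == expected:
            continue
        g = groups[rec["xfo"]]
        g["count"] += 1
        g["agents"].add(rec["agent"])
        g["handlers"].add(rec["handler"])
    return dict(groups)

# First line is the one quoted in the thread; the rest are constructed.
SAMPLE_LOG = [
    '172.70.34.154 - - [10/Sep/2021:10:55:39 -0400] "GET / HTTP/1.1" 200 80189 "-" '
    '"Slackbot 1.0 (+https://api.slack.com/robots)" X:"GOFORIT" 4/4115336 704/88978/80189 H:HTTP/1.1 U:/index.php',
    '203.0.113.7 - - [10/Sep/2021:10:56:02 -0400] "GET / HTTP/1.1" 200 80102 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0" X:"SAMEORIGIN" 0/512345 611/88765/80102 H:HTTP/1.1 U:/index.php',
    '198.51.100.23 - - [10/Sep/2021:10:57:41 -0400] "GET /static-content/linuxsecurity_advisories.xml HTTP/1.1" 200 8834 "-" '
    '"Lynx/2.8.9" X:"SAMEORIGIN" 0/1834 420/9200/8834 H:HTTP/1.1 U:/static-content/linuxsecurity_advisories.xml',
    '192.0.2.44 - - [10/Sep/2021:10:58:10 -0400] "GET / HTTP/1.1" 200 80189 "-" '
    '"ExampleBot/1.0" X:"GOFORIT" 3/3012000 590/88978/80189 H:HTTP/1.1 U:/index.php',
]
if __name__ == "__main__":
    for value, info in unexpected(SAMPLE_LOG).items():
        print(value, info)
```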
Re: X-Frame-Options and security
On Fri, Sep 10, 2021 at 11:03 AM Dave Wreski
<dwreski@guardiandigital.com.invalid> wrote:
>
>
> https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html#header
>
> What headers are returned by error pages and by redirects (e.g. 302
> redirect when requesting a directory without a trailing '/')?
> What headers are returned by dynamic responses (proxied or CGI), if
> you have any?
>
> It appears to mostly be caused by bots, and on 200 pages like the homepage:
>
> 172.70.34.154 - - [10/Sep/2021:10:55:39 -0400] "GET / HTTP/1.1" 200 80189 "-" "Slackbot 1.0 (+https://api.slack.com/robots)" X:"GOFORIT" 4/4115336 704/88978/80189 H:HTTP/1.1 U:/index.php
>
> Notice I've added the X-Frame-Options header to the LogFormat.
>
> Maybe like this, adapting an example from the docs:
>
> Header onsuccess unset X-Frame-Options
> Header always set X-Frame-Options "SAMEORIGIN"
>
> That fixed it, thanks.
>
> I'm now curious how it's apparently being set by default to include GOFORIT?

Is the PHP script being called part of some large app or using some
framework? That'd be my guess.
The upstream distribution of httpd would never set anything like that
by default.



--
Eric Covener
covener@gmail.com

Re: X-Frame-Options and security
>> https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html#header
>>
>> What headers are returned by error pages and by redirects (e.g. 302
>> redirect when requesting a directory without a trailing '/')?
>> What headers are returned by dynamic responses (proxied or CGI), if
>> you have any?
>>
>> It appears to mostly be caused by bots, and on 200 pages like the homepage:
>>
>> 172.70.34.154 - - [10/Sep/2021:10:55:39 -0400] "GET / HTTP/1.1" 200 80189 "-" "Slackbot 1.0 (+https://api.slack.com/robots)" X:"GOFORIT" 4/4115336 704/88978/80189 H:HTTP/1.1 U:/index.php
>>
>> Notice I've added the X-Frame-Options header to the LogFormat.
>>
>> Maybe like this, adapting an example from the docs:
>>
>> Header onsuccess unset X-Frame-Options
>> Header always set X-Frame-Options "SAMEORIGIN"
>>
>> That fixed it, thanks.
>>
>> I'm now curious how it's apparently being set by default to include GOFORIT?
> Is the PHP script being called part of some large app or using some
> framework? That'd be my guess.
> The upstream distribution of httpd would never set anything like that
> by default.

Yes, the PHP script is part of Joomla. Great thought. I'll investigate
there.
