• Resolved georgegd

    (@georgegd)


    My site uses Nginx

    When I scan for Security Headers the result shows missing Permissions-Policy headers. I have W3TC latest version and nginx version 1.26.2. I checked in your forum and saw it fixed. I checked under the file … /public_html/nginx.conf and didn’t see any add_header Permissions-policy on it.

    Maybe something else is needed?

    Thanks


Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @georgegd

    Thank you for reaching out and I am happy to help!
    I’ve checked your website and I can see the following sec headers:

    strict-transport-security: max-age=31536000

    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block

    I can also see:

    content-security-policy:
    frame-src 'self' https://websitedemos.net/ blob:; connect-src 'self'; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://*.gravatar.com/ https://websitedemos.net/; media-src 'self'; object-src 'self'; frame-ancestors 'self'; worker-src 'self' blob:; default-src 'self'

    Can you please share if you added and configured anything different that is not showing?
    Thanks!

    Thread Starter georgegd

    (@georgegd)

    Thank you for your support.

    I believe the only difference configured in W3TC is manual option instead of automatic for Minify

    Let me know please if some configuration is needed for you to check.

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @georgegd

    Thank you for your feedback.
    I was referring to the Permissions-Policy headers. As I’ve already shared, those are applied, and I’ve shared them in the previous reply.

    Thanks!

    Thread Starter georgegd

    (@georgegd)

    Thanks,

    I am not quite sure if these are part of Content Security Policy or Permissions-policy? When I run a test for security headers it shows no Permissions-policy is applied. Is there something I am missing?

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @georgegd

    Thank you for your feedback.
    Have you enabled both CSP and Permission policy?
    Can you please share the screenshot of the Security headers section in Performance>Browser Cache and the content of the nginx.conf?

    Thanks!

    Thread Starter georgegd

    (@georgegd)

    Hello @vmarko

    Thanks for your support

    Yes, I have enabled both CSP and Permissions Policy

    Security headers section seems too long and print screen seems to be not quite practical because a lot of print screens will be needed, is there something I can do to kind of export the config and send via an email ? nginx.conf is also too long, below is part of it. Please let me know if it helps.

    # BEGIN W3TC Browser Cache
    gzip on;
    gzip_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext text/plain text/xs>
    location ~ \.(css|htc|less|js|js2|js3|js4)$ {
    expires 31536000s;
    etag on;
    if_modified_since exact;
    add_header Pragma "public";
    add_header Cache-Control "public";
    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    add_header Content-Security-Policy "frame-src 'self' https://websitedemos.net/ blob:; connect-src 'self'; font-src 'self' data:; script-src>
    try_files $uri $uri/ /index.php?$args;

    ''''''

    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    add_header Content-Security-Policy "frame-src 'self' https://websitedemos.net/ blob:; connect-src 'self'; font-src 'self' data:; script-src 'se>
    # END W3TC Browser Cache
    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @georgegd

    Thank you for your feedback.
    Can you please share the screenshot of the Performance>Browser Cache>Feature-Policy / Permissions-Policy?
    Also, can you please check the Performance>Install tab and let me know if the FP headers are added?
    Thanks!

    Thread Starter georgegd

    (@georgegd)

    Hello @vmarko

    I created a simple page on my website with two print screens on it as per your 2 points above

    Here is the link

    envisionvirtualspace.design/w3tc-print-screen/

    Let me know please if other info is needed

    Thank you

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @georgegd

    Thank you for your feedback.
    So I can see that it is enabled; however, you haven’t added any attributes in the fields.

    Example: ‘self’ ‘src’ ‘none’ *.domain.com

    There is actually nothing to add based on your configuration

    Thanks!
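    The point in the reply above is that the CSP lines the thread quotes are a different header from Permissions-Policy, and a scanner will keep reporting the latter missing until it is actually sent. As an added example (not part of this thread, W3TC or nginx), a small Python check that tells the two apart and parses a Permissions-Policy value; the header set and the `https://example.com` origin are constructed for illustration.

```python
# Added example, not from the thread, W3TC or nginx: checks a captured set of
# response headers for Permissions-Policy and parses its directives.
import re

# Constructed sample modelled on the headers quoted in the thread: CSP and the
# other hardening headers are present, Permissions-Policy is not.
SAMPLE_HEADERS_BEFORE = {
    "strict-transport-security": "max-age=31536000",
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "content-security-policy": "default-src 'self'; frame-ancestors 'self'",
}

# Same site once a Permissions-Policy header is emitted (hypothetical value;
# example.com is a placeholder origin).
SAMPLE_HEADERS_AFTER = dict(
    SAMPLE_HEADERS_BEFORE,
    **{"permissions-policy": 'camera=(), microphone=(), '
                             'geolocation=(self "https://example.com")'},
)


def missing_permissions_policy(headers):
    """True when no Permissions-Policy header is present (case-insensitive).

    Content-Security-Policy does not stand in for it: CSP restricts where
    content may be loaded from, Permissions-Policy restricts which browser
    features (camera, microphone, geolocation, ...) the page and its frames
    may use. A scanner therefore reports them independently.
    """
    lower = {name.lower() for name in headers}
    return "permissions-policy" not in lower


def parse_permissions_policy(value):
    """Parse 'feature=(allowlist), feature=*' into {feature: [origins]}.

    An empty list means the feature is disabled everywhere; ['*'] means any
    origin; 'self' and quoted origins are returned as plain strings.
    """
    policy = {}
    for feature, allow in re.findall(r'([a-z-]+)=(\*|\([^)]*\))', value):
        if allow == "*":
            policy[feature] = ["*"]
        else:
            policy[feature] = allow[1:-1].replace('"', "").split()
    return policy
```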

    Thread Starter georgegd

    (@georgegd)

    Hi @vmarko

    Thank you for your kind support

    I’ll try to configure it and will come back if something else may be needed!
