Revisting Security Headers for Joomla

Written by: Shahbaz Latif Created: 07 February 2024

Category: Watch Me Work Live Streams

Hot!Hits: 647Reading time: 02:00

I've got some catch-up work to do around security headers so watch me while I work.

00:00:00 - Introduction Revisiting Security Headers & Joomla Training Cohort Preview
00:06:26 - Security Headers Implementation
00:31:44 - Technical Debugging
01:18:58 - Joomla-Specific Fixes
01:29:51 - Cache & Headers Investigation
01:54:24 - Wrap-Up & Cohort Prep

✅ Summary

Introduction & Setup Context
The stream kicks off with a welcome, a shoutout to the sponsor MySites.Guru, and a fun weather update from the West Coast. Tim addresses feedback on stream style and highlights a recent DMARC tutorial.
Security Headers Review Begins
Focus shifts to security headers, checking for existing ones on a client site (Delta Beckwith). None are found in the .htaccess, prompting a walkthrough of adding default headers.
Implementing & Debugging Content Security Policy (CSP)
Tim adds an initial CSP configuration but runs into issues with blocked resources. The iterative nature of CSP setup becomes evident as domains like js.hsforms.net and Google resources are incrementally whitelisted.
Using Tools like CSP Generator Extension
He installs and tests the CSP Generator Chrome extension, attempting to collect all necessary resources. Inline scripts and styles prove tricky, especially when Notepad visibility causes sharing hiccups.
Syntax Errors & Browser Cache Challenges
Troubleshooting reveals CSP syntax issues (e.g., “frame-ancestors” placement). Cache problems in Brave, Chrome, and even Tor create hurdles in validating changes.
ChatGPT Helps Debug CSP Directives
Tim consults ChatGPT several times to spot and correct errors in the CSP setup. Eventually, the "frame-ancestors" issue and domain typos are resolved.
Form & GIF Image Load Issues
After multiple adjustments, the HubSpot form loads but GIFs remain blocked. Investigation leads to identifying browser cache behavior and server-related issues.
Fixing Link & Redirect Problems
The contact form's link doesn’t work without "www". Tim tracks this down to a hardcoded link and incorrect redirect settings in cPanel. DNS and caching are also checked.
Exploring "Clear Site Data" Header
There's a deep dive into this privacy-related header. Its correct syntax and implications are discussed with input from Brent and users in the chat.
Final CSP Adjustments & Success
A cleaner CSP configuration emerges through trial and error. Removing problematic directives (like no-transform) results in GIFs loading properly, and Tim wraps up after a successful CSP implementation journey.