Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • piiiiiiiiii 8 posts 28 karma points
    Aug 12, 2020 @ 09:40
    piiiiiiiiii
    0

    Health Check Security Fixes not saving

    Hello, After i do the fixes on Security Protocols in Healthcheck - they dont seem to stay in place. It doesnt matter if i set the headers in config through the backoffice or directly in web.config. They all are reverting as errors in Health Check. Any ideas how i can make the fixes permanent? or what is overwriting them to be errors again? The web.config has the headers saved.

  • Steve Morgan 1208 posts 3922 karma points c-trib
    Aug 12, 2020 @ 13:53
    Steve Morgan
    0

    This is likely due to your permissions. The website isn't able to update the web.config.

    Probably easiest thing to do is make the changes locally then upload the updated web.config.

  • piiiiiiiiii 8 posts 28 karma points
    Aug 17, 2020 @ 08:09
    piiiiiiiiii
    0

    Hi Steve, I have tried the updating the web.config file manually. The Health check is not recognizing that the headers are set and proceeds to show them as not set with option to fix in back office.

  • Steve Morgan 1208 posts 3922 karma points c-trib
    Aug 17, 2020 @ 09:58
    Steve Morgan
    0

    Hi,

    Sounds like you have something weird going on. Where are you hosting this and what version?

    I've just tried this on Umbraco v8 and manually changing the settings reflects in my Health Check. Are you sure there's not something in the hosting overriding your web.config?

    You know also that some of the settings are in /config/UmbracoSettings.config ?

  • lori ryan 162 posts 470 karma points
    1 week ago
    lori ryan
    0

    I also get this behaviour. The following headers are in my web.config

    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="X-Frame-Options" />
        <add name="X-Frame-Options" value="sameorigin" />
        <remove name="X-Content-Type-Options" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <remove name="Strict-Transport-Security" />
        <add name="Strict-Transport-Security" value="max-age=10886400" />
        <remove name="X-XSS-Protection" />
        <add name="X-XSS-Protection" value="1; mode=block" />        
      </customHeaders>
    </httpProtocol>
    

    However my security health check fails to see that these are set. The IUSR and applicationPool both have read rewrite permissons to the web.config. The other issue I have is that the security check cant resolve the domain name. Am hosting in the Azure. Any help in getting this resolved would be great.

  • piiiiiiiiii 8 posts 28 karma points
    7 days ago
    piiiiiiiiii
    0

    It is still an issue, but i believe it is going along the lines for domains and iis changes. The bindings for ports is a strange configuration and we are currently looking to bring them more in line. as this site is a live site - we are just trying to schedule that in.

    I know it doesnt really answer the question - just an update i guess from my point.

Please Sign in or register to post replies

Write your reply to:

Draft