#34007 Plugin HttpHeader necessary?

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Wednesday, 09 December 2020 20:17 CST

agolau

Hello,

Does it make sense to add the plugin HttpHeader https://extensions.joomla.org/extension/httpheader/

or does Admin Tools already protect against that too?

Thank you!


nicholas
Akeeba Staff
Manager

The four headers that the plugin says it provides defaults for are better managed by Admin Tools' .htaccess / NginX Configuration / web.config Maker. They're the same headers; it's just that using a server configuration file applies them to all requests, not just those going through Joomla. This is especially important for HSTS and CORS headers.

Regarding the other headers, I maintain that it's best that you set them up manually, in your server configuration file (.htaccess, web.config or NginX's configuration), rather than using a plugin, for two reasons:

  1. Using a plugin only applies them to requests going through Joomla, but not to arbitrary .php scripts, static HTML pages or CSS, JS and other files when accessed directly over the web. This includes SVG files, which can be problematic for security (note that Admin Tools provides an option to neuter them).
  2. Defining, for example, which HTML5 capabilities are required on your site necessitates going through your site with a fine-toothed comb and mapping the URLs where each capability is used. You then need to construct a header with rules corresponding to the URLs which need those capabilities. Similar considerations apply to all other headers the plugin mentions. At this point constructing the header is the easiest part. The plugin doesn't help you with anything.

For Content Security Policy (CSP) my recommendation is to not mess with it on Joomla 3; it will break stuff. Joomla 4 includes the plugin you mentioned in the core (in fact, the plugin is an adaptation of the same author's work in the Joomla 4 core), with a critical difference. Joomla 4 provides the necessary methods to sign inline JavaScript and CSS either with a per-page token or a cryptographic signature (the latter is still broken as of Joomla 4 beta 4), allowing you to set a very restrictive CSP. Without this Joomla 4 feature, any CSP you choose that lets your site work won't make much of a difference with regards to security, and any CSP which would increase security would break your site. So it's best to not touch it with Joomla 3.

So, based on all of the above it's best to use Admin Tools because the headers that make sense are best handled at the .htaccess level and they are either already handled by Admin Tools or there is no practical benefit to using a plugin to manage them as opposed to managing them manually.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
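The two points in the reply above (headers set by a plugin cover only Joomla-routed requests, and a CSP only helps once inline scripts carry a nonce or hash) can be verified from captured responses. The following audit script is an added example, not code from this ticket, from Admin Tools or from the HttpHeader plugin. The three raw responses are constructed, and the header set, the one-year HSTS threshold and the CSP rule it applies are my assumptions about a reasonable baseline.

```python
"""Audit a few captured HTTP responses for the security headers discussed above.

Each sample is a constructed raw response (status line, headers, blank line, body).
The second sample mimics a static file served straight by the web server, which a
Joomla plugin never touches; the third mimics a Joomla page with weak header values.
"""
import re

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def _check_hsts(value):
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m:
        return "missing max-age"
    if int(m.group(1)) < ONE_YEAR:
        return "max-age shorter than one year"
    return None


def _check_csp(value):
    # Parse "directive source source; directive ..." into a dict of token lists.
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    # script-src falls back to default-src when absent, as browsers do.
    script_src = directives.get("script-src", directives.get("default-src", []))
    nonce_or_hash = any(
        t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script_src
    )
    if "'unsafe-inline'" in script_src and not nonce_or_hash:
        return "'unsafe-inline' in script-src without a nonce or hash"
    return None


# Header name -> validator; a validator returns None when acceptable, else a reason.
EXPECTED = {
    "strict-transport-security": _check_hsts,
    "x-frame-options": lambda v: None if v.upper() in ("DENY", "SAMEORIGIN") else "unexpected value",
    "x-content-type-options": lambda v: None if v.lower() == "nosniff" else "expected nosniff",
    "referrer-policy": lambda v: None,  # presence is enough for this audit
    "content-security-policy": _check_csp,
}


def parse_response(raw):
    """Return the response headers as a dict with lower-cased names."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw):
    """List (header, reason) findings for one raw response; empty means all good."""
    headers = parse_response(raw)
    findings = []
    for name, check in EXPECTED.items():
        if name not in headers:
            findings.append((name, "missing"))
            continue
        reason = check(headers[name])
        if reason:
            findings.append((name, reason))
    return findings


def audit_all(samples):
    return {path: audit(raw) for path, raw in samples.items()}


# Constructed samples: a well-configured Joomla page, a directly served static
# file with no security headers at all, and a Joomla page with weak values.
SAMPLES = {
    "/index.php": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "Referrer-Policy: strict-origin-when-cross-origin\r\n"
        "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'\r\n"
        "\r\n<html></html>"
    ),
    "/images/logo.svg": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: image/svg+xml\r\n"
        "Last-Modified: Wed, 09 Dec 2020 20:17:00 GMT\r\n"
        "\r\n<svg xmlns='http://www.w3.org/2000/svg'></svg>"
    ),
    "/index.php?option=com_contact": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Strict-Transport-Security: max-age=300\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "Referrer-Policy: no-referrer\r\n"
        "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
        "\r\n<html></html>"
    ),
}

if __name__ == "__main__":
    for path, findings in audit_all(SAMPLES).items():
        print(path, "OK" if not findings else findings)
```

Run it and the static SVG shows every header missing while the main page passes, which is exactly the gap a server configuration file closes and a plugin does not; the third sample shows that a CSP whose script-src allows 'unsafe-inline' without a nonce or hash is flagged, as is a short HSTS lifetime.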

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
