Security Vulnerability for HL Websites
J
Jeff Valin
Enable locations to set security headers for domains. Test your HighLevel web builder domains on www.securityheaders.com or www.internet.nl! Most WordPress sites face similar problems, but plugins can address them.
To secure the headers for an HL domain some knowledge of Cloudflare (or registrar of use). In the case of Cloudflare, also a small hack. I could change an F grade on securityheaders.com but can not get an A+ because GHL web builder uses inline CSS & JS. I did manage to get a 34% score on internet.nl to 100%. The missing piece is setting the Content Security Policy (CSP).
Because the Web and Funnel Builders write custom JS and CSS inline in the <head> section of the page it is impossible to set a content policy without setting the unsafe-inline & unsafe-eval options. Having this exposure a website is vulnerable to cross-site scripting (XSS) and data injection attacks that can be used for data theft, site defacement, and malware distribution.
There's a planned feature request for global styling (https://highlevel.canny.io/website/p/global-styling-on-website-and-funnel-build). I hope it includes providing custom CSS and JS as links, enabling better domain security. Removing inline scripts, whether or not CSP is in place, greatly enhances security and performance scores.
R
Raymond N Baker
I contacted HL success support and they pointed me to https://ideas.gohighlevel.com/changelog/security-headers-in-funnels-websites
I replaced all my initial entries to what this article was providing and it would not get a change, then I placed them in the same order as the article and it changed from a F to an A+... did that really help or did the changes needed time to propagate? I don't know
@Jeff, how did you get the 100%, I'm now at 52%.
Please help
R
Raymond N Baker
Hey Jeff, I see you wrote this last year, is there any tutorial or screenshot you could share as I think I followed your above post to the t and it is not changing my results from those two testers. I'm attaching a screenshot of what I've inputted for my website. Could you review and comment if I'm making any mistake? How long do those get propagated for testers to view the updates? I re-published each page, still made no difference.
Right now I've got an F and 49% and even after all these changes.
J
Jeff Valin
To help with the inline script and inline style security vulnerability can DEV team add in 'nonce' attributes?
<script nonce="RanDoCode">
doWhatever();
</script>
Where RanDoCode would be uniquely generated.
This would allow Content Security Policies to have the nonce codes into the policy to protect against an XXS attack.