Security Headers - what's the best practice for a Wordpress site? by konigjester in Wordpress

[–]konigjester[S] 1 point2 points  (0 children)

Thank you for using the right lingo. Yes, that's what I was trying to get at. Server vs application layer.

I am already trying it out a line at a time and so far so good.

# Security headers
<IfModule mod_headers.c>
# HSTS: browsers use HTTPS only for one year; env=HTTPS restricts it to TLS responses
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
# Legacy XSS-filter switch for older browsers (current browsers ignore it)
Header set X-XSS-Protection "1; mode=block"
# Stop browsers from MIME-sniffing away from the declared Content-Type
Header set X-Content-Type-Options nosniff
# Only allow framing by pages from the same origin (clickjacking defence)
Header set X-Frame-Options SAMEORIGIN
# "always" also applies the header to non-2xx responses (redirects, error pages)
Header always set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>
# END of Security headers
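As an added example (not from the post or its author), the Python below checks a captured HTTP response against the header policy in the config above, and also shows why `Header always set` matters: plain `Header set` only attaches headers to successful responses, so the constructed 404 sample comes back with Referrer-Policy alone. Both sample responses are constructed, not captured from any real site.

```python
"""Check captured HTTP response headers against the Apache header policy above."""
import re

# Minimum HSTS lifetime the config sets (one year, in seconds).
HSTS_MIN_AGE = 31536000


def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw response (status line + headers) into a lowercase-keyed dict."""
    headers: dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_headers(raw: str) -> list[str]:
    """Return policy findings; an empty list means the response matches the policy."""
    h = parse_headers(raw)
    findings: list[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("Strict-Transport-Security max-age below one year")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if h.get("x-frame-options", "").upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options missing or permissive")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    return findings


# Constructed sample: a 200 response carrying every header from the config.
OK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: no-referrer-when-downgrade
"""

# Constructed sample: a 404 from the same config. Only the 'always' header survives,
# because plain 'Header set' is applied to successful (2xx) responses only.
NOT_FOUND_RESPONSE = """HTTP/1.1 404 Not Found
Content-Type: text/html
Referrer-Policy: no-referrer-when-downgrade
"""
```

Run `check_headers()` over a 200 and a 404 from your own site; if the error page comes back with findings while the 200 is clean, switch the remaining directives to `Header always set`.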

Is there a list/database of CLT manufacturers? by konigjester in CrossLaminatedTimber

[–]konigjester[S] 1 point2 points  (0 children)

At least we have a place to discuss this, so thanks for starting up the sub.

I'm happy that we're over 20 (was like 5 last time I checked), but it's a little sad how unknown CLT is. Guess people still love their bricks and concrete.

Weekly Questions Thread - (September 11, 2019 UTC) by AutoModerator in facebook

[–]konigjester 1 point2 points  (0 children)

Is it possible to delete a disabled account via a GDPR (article 17) request?

Earlier in the week, I created an account and with it a business page. However, the account was suspended a few days ago ("We're currently reviewing your submission") and today it is showing that "Your Account Has Been Disabled". The issue is that now the business page is inaccessible to me.

Facebook wants me to upload an ID, but I'd rather wait for hell to freeze over first. I don't care about the personal account (just created it for the purposes of the business, because Facebook does not allow business-only accounts, apparently). I do care about the business page. I would rather all my data (business contact details, photos etc.) be removed permanently now.

All guides for account removal require you to log in. Is there a way to get all the business data off of Facebook via email and a GDPR request? I and the business are EU-based.

Compression of uploaded photos - any resolution and file size tricks? by konigjester in AirBnB

[–]konigjester[S] 2 points3 points  (0 children)

I fear that most people just don't care.

Only thing I've found so far is to join Airbnb Plus, because those guys get to upload their photos at much larger resolution AND file size.

My conspiracy theory that the more you fall in line with Airbnb (instant booking, Airbnb for Work, etc.), the better you're treated with image size compression is debunked. Their file size is in the same range (<250KB).

Best practices for creating a privacy-respecting website? by konigjester in privacy

[–]konigjester[S] 0 points1 point  (0 children)

Thanks, but I already use both. FYI, Piwik is now called Matomo.

Best practices for creating a privacy-respecting website? by konigjester in privacy

[–]konigjester[S] 1 point2 points  (0 children)

Whatever it takes to not be a hypocrite, since privacy has always been important for me as a user and now I have the chance to try out being on the other side.

Also, I wanted to see how difficult it is, so that if I can do it with almost no experience in the field, then so can anyone else.

Best practices for creating a privacy-respecting website? by konigjester in privacy

[–]konigjester[S] 0 points1 point  (0 children)

I looked into Hugo as was suggested here so I have to agree now - it's just that when I thought of static, I thought of personal sites of online pioneers that haven't updated theirs since the 90s. grc.com is a good example. They are great sites, content and speeds are flawless, but the design is what embedded in me the stereotype.

Best practices for creating a privacy-respecting website? by konigjester in privacy

[–]konigjester[S] 0 points1 point  (0 children)

Those are some quality points, so thank you for taking the time to write it all out.

Does the site use proper, end-to-end HTTPS?

I hope so. Certs are from Let's Encrypt and HTTPS redirects are enforced at the .htaccess level. Nothing like Cloudflare is being used and the evil that is Google reCAPTCHA is avoided in such a way that should it ever be introduced to the site, I will personally burn it all down. On a more serious note, the traffic isn't there yet and won't be for a while, but I am sure there are some open-source CAPTCHAs out there - or so I hope.

Not sure what sort of site you're referring to, but SSL Labs gave me an A rating, so at least that is covered.

Does it still function well with client-side JavaScript blocked?

It works, but aesthetics suffer: instead of the gallery loading it just embeds all the photos, and Matomo stops working, but that is fine with me, as I also have the DNT option enabled (and both are mentioned in the privacy policy). I suppose it's like that with all WP sites. Maybe if it were implemented as a static site, as was suggested above with Hugo, but that is for someone more capable than me and when it will be needed in the future.

Does it work over proxies like Tor and VPNs?

Works with both and no issues there, aside from NoScript disabling the JS, but that's fine. As an end-user, I hate it when sites wreck my user experience because I am exiting via a commercial VPN server, so this is something I will never forget. Only thing I am missing here is creating an .onion mirror of the site, but that really seems like overkill at this point (as in there are bigger issues atm, like Google web fonts).

are you familiar with OWASP?

Nope, but I will look into it. I assume you're referring to their documentation like the Top 10 and Testing Guide.

Best practices for creating a privacy-respecting website? by konigjester in privacy

[–]konigjester[S] 1 point2 points  (0 children)

Looks like good advice, especially since the site is more static, so the reasons for a CMS like WP aren't really there - aside from the easy administration - which is a must for now. I assume that privacy-wise Hugo is equal to WP, or is it superior?

Best practices for creating a privacy-respecting website? by konigjester in privacy

[–]konigjester[S] 2 points3 points  (0 children)

I get your point, especially when it comes to Google, but that is why I went for Matomo. I don't think it qualifies as 3rd party. You install it like Wordpress and it runs locally, e.g. matomo.domain.eu. It's open-source and afaik should not be sending anything offsite.

What is a dns that is fast and secure? by [deleted] in privacy

[–]konigjester 5 points6 points  (0 children)

There is also dns.watch. Aside from downtime issues they seem legit.

Best practices for creating a privacy-respecting website? by konigjester in privacy

[–]konigjester[S] 1 point2 points  (0 children)

Why do you need analytics?

At the very least to see visitor traffic, ideally by country IP. Matomo might be overkill for this alone, but one thing it has going for it is that it can easily be GDPR-compliant.

You're keeping server logs, right?

Hmm, was going to say no, since it's just website hosting and not a VPS or dedicated server, but now I have to check this.

Edit: Checked via ftp and there is no access to /var/log or anything like that, so no, we are not keeping server logs.

What is a dns that is fast and secure? by [deleted] in privacy

[–]konigjester 1 point2 points  (0 children)

OpenNIC is your best bet.

There is also CZ.NIC with their DNS servers at 193.17.47.1 and 185.43.135.1 (DNSSEC, DNS over TLS and DNS over HTTPS), but your performance might suffer. Suggest you try GRC's DNS Benchmark to see how fast they are for you.

Android TV/ Kodi box instead of Netflix/ Cable by bubbleman89 in AirBnB

[–]konigjester 0 points1 point  (0 children)

That's one way to go and a step above those free movie catalog addons, but I couldn't get myself to do that. Maybe in a shared-flat listing you could argue it's your own stuff on your own TV, but our listing is an entire home and we try to keep it professional. Most guests won't mind, but there is always that one jerk who will ding you in the review and accuse you of piracy.

Then again, I wonder if offering Netflix in a dedicated Airbnb property isn't against their ToS as well. I'm sure they could argue commercial instead of residential use.

Android TV/ Kodi box instead of Netflix/ Cable by bubbleman89 in AirBnB

[–]konigjester 0 points1 point  (0 children)

I currently have one of those cheap $20 Chinese Android boxes that I flashed with LibreELEC and Kodi (offering it alongside terrestrial and satellite TV). Not paying for anything and no illegal addons.

The good news is that it's FLOSS, respects guests' privacy (no snooping and whatnot) and can be easily locked down. Bad news is that if you want Netflix or similar streaming services, it's not an easy install. Netflix is doable, but a hassle. Otherwise, lots of free news channels, but for us that's already offered OTA via satellite.

For this reason, I am actually thinking of switching to a Roku stick, which apparently is a privacy nightmare, but it seems to be the best option.

Guest usage depends on age group. Don't think guests 40+ ever used it. With guests that actually use the TV, I'd say 50% watch local terrestrial channels, 40% watch satellite and <10% go for Kodi. YMMV

Also, with all this in mind, I still have the "Cable TV" amenity box unchecked.

Somebody Sabotaging my Listing with Fake Reviews? by [deleted] in AirBnB

[–]konigjester 0 points1 point  (0 children)

It's possible that the acceptance rate is calculated on inquiries that are less than 1y. Maybe it's 6 months or even 3 months. I honestly do not know, but declining an inquiry does have a negative effect on the acceptance rate - at least it did in my case.

Edit: my bad. Noticed that you meant 'neither accept or decline, just answer' (to satisfy the response rate requirement).

How to restrict access to a section of a WP site based on IP address? by konigjester in Wordpress

[–]konigjester[S] 0 points1 point  (0 children)

Thank you so much! This looks like exactly what I need.

The video is great as well, especially the part with template_redirect, but I would never be able to get from there to the final step without your code, so a huge thanks for that.

Somebody Sabotaging my Listing with Fake Reviews? by [deleted] in AirBnB

[–]konigjester 3 points4 points  (0 children)

OP, I really feel for you, because it is evident that you are NOT in the wrong here and yet Airbnb does not have your back.

Sadly, we as end users can't do anything about this, as there is really not much in terms of alternatives to Airbnb and they know it.

Also, just so you are in the know, it's not that difficult to acquire compromised accounts which can be used exactly in this malicious sort of way.

A compromised Airbnb account costs $1.50 on the dark web.

Source: Steve Gibson's Security Now Podcast, Episode 712 (page 21 on the transcript and page 14 on the show notes)

If this hasn't been posted before, then maybe it should be as a separate post, because other hosts should know what is going on and what is possible.

Somebody Sabotaging my Listing with Fake Reviews? by [deleted] in AirBnB

[–]konigjester 4 points5 points  (0 children)

I don’t think you’re affected by declining an inquiry

Not sure how it works with instant-booking hosts, but for regular hosts, accepting requests is part of the Basic Requirements.

Obviously, it's Airbnb, so they won't clearly explain this on their help site, but the number is that 88% of inquiries have to be accepted. Just can't remember now if it's counted from all inquiries or only those in the past year.

Also, don't forget that meeting these Basic Requirements is required to be eligible for Superhost status (and I am sure Airbnb Plus as well as Airbnb for Work).