
PHP Security Headers

4/11/2025 11:50:06 AM
PHPRunner General questions
salus2 author

Hello,
Checking a PHPRunner11 Enterprise-generated site I'm working on (www.excelwebforms.com) with https://securityheaders.com indicates the site is missing several PHP Security headers. Assuming these could potentially be important, what would be the best way to incorporate these into PHPR-generated sites? Any assistance or advice greatly appreciated.

[screenshot]

lefty 4/11/2025

I have seen this in the past with many applications, not just PHPRunner. It's Chrome!!!

Try that scan on Adobe.com or any other enterprise site; you will most likely get the same responses.

Here is an example of the first one, Strict-Transport-Policy. In PHPRunner it may be set too long and that is why it is picked up by the scan.

But if you added it to the headers, I guess it will help prevent an HTTP request instead of HTTPS.
<?php
// Set the HSTS header
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");

// code -----
?>

salus2 author 4/11/2025

Thanks for that. Actually I was hoping to find out if there is a configuration include that PHPRunner currently uses that could be modified to incorporate additional headers as required.

Admin 4/11/2025

It is important to understand what is an actual security issue and what is a "nice to have" option. See the results for GoDaddy for instance.

[screenshot]

Here is the article that explains how to properly build secure web applications and test for vulnerabilities:
https://xlinesoft.com/blog/2021/06/17/secure-low-code-web-applications/

If you are interested in making your application pass any of those tests, you can read more about that specific option and either make changes on the web server level or modify your web application.
For instance, the following article explains how to set Content-Security-Policy:
https://content-security-policy.com/examples/php/

The code can be added to AfterAppInit event.

salus2 author 4/11/2025

Thanks for that info. I inserted the code into the AfterAppInit event, rebuilt, and uploaded the entire project but it doesn't look like the headers are being included.
Is the code in the correct format?

[screenshot]

lefty 4/12/2025

I believe the first line should be done on the server, depending on whether you are using Windows or Apache.

Also I forgot to mention, be careful with the age setting of the Strict-Transport-Security time, as once this is set it's permanent for most browsers, and if you have any subdomains or pages that are HTTP you will run into issues. Also, if something like your certificate expires, access will be completely turned off. That is why a lot of sites show red in securityheaders.com; it is kind of a gotcha situation. As far as setting it in PHPRunner After Application Initialized, I don't know if that would be enough. But once again, be careful. You might want to start with max-age=300 for testing and then work your way up to a higher number.

See this article about strict-transport-security https://hstspreload.org/

salus2 author 4/12/2025

Actually, what I'd like ideally is to have a PHPRunner-generated site on a shared hosting service that...

- can't be incorporated into i-frames
- has directories that can't be examined
- has scripts that will only run if called from the same domain
- automatically switches to https connections

Altering the landing page URL in the index.htm file can switch to https initially but a PHP header would be better.

The Referrer policy and Permissions policy would be gravy.

Again, though, after adding the headers to the AfterAppInit function (see previous screenshot) not much happens. If I can get that working I can experiment.

Any guidance would be greatly appreciated.

Admin 4/12/2025

Salus2,

did you have a chance to read the article I referenced? You should not be trusting some random metrics and need to understand how to actually see what headers are being sent i.e. using Chrome Developer Tools.

salus2 author 4/12/2025

Yes, I read them very carefully, and thanks for sending them, but they do not provide specific steps to create PHPRunner websites that...

- can't be incorporated into i-frames
- have directories that can't be examined
- verify that scripts that will only run if called from the same domain
- automatically switch to https connections

What I'm really looking for is a way to be able to assure potential clients that their PHPRunner-generated sites will be secure.

When services like www.securityheaders.com indicate potential security issues it becomes difficult to provide that assurance. Actually, pretty much impossible, as I just found out the hard way.

There may be alternative methods to address the 4 requests above without PHP headers, for instance generating an index.php file for subdirectories during site generation that prohibits directory browsing.

I'm not a programmer, and I haven't got a clue how to properly use Chrome Developer Tools and don't have the time to figure it out. That's really why I buy state-of-the-art applications that automatically generate code.

Sorry if this comes out of left field, really looking for some definitive guidance, hopefully with example code and detailed instructions on how to implement.
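The following is an added example, not code from anyone in this thread, from PHPRunner or from the linked articles. It shows one set of headers that covers the four goals listed above (no framing, scripts only from the same origin, automatic switch to HTTPS, plus Referrer-Policy and Permissions-Policy), written as a function that can be called from the AfterAppInit event. It assumes PHP runs directly behind Apache or IIS with no reverse proxy in front, that nothing has been output yet when the event runs, and it uses the short HSTS max-age suggested earlier in the thread.

```php
<?php
// Added example for the AfterAppInit event (assumption: no output sent yet).
function sendSecurityHeaders(): void
{
    // Headers can only be set before any output; bail out quietly otherwise.
    if (headers_sent()) {
        return;
    }

    // 1. Automatic switch to HTTPS. Apache/IIS set $_SERVER['HTTPS'] on TLS
    //    requests; behind a proxy you would check X-Forwarded-Proto instead.
    $isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (($_SERVER['SERVER_PORT'] ?? 0) == 443);
    if (!$isHttps) {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }

    // 2. HSTS: browsers remember this for max-age seconds, so start with a short
    //    value (300) and raise it only once every page and subdomain works on HTTPS.
    header('Strict-Transport-Security: max-age=300');

    // 3. No framing by other sites (clickjacking): legacy header plus CSP frame-ancestors.
    header('X-Frame-Options: DENY');

    // 4. Content-Security-Policy: scripts, styles and other resources only from this
    //    origin. 'unsafe-inline' is kept because generated pages usually carry inline
    //    scripts and styles; check the browser console for blocked resources and tighten.
    header("Content-Security-Policy: default-src 'self'; "
         . "script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; "
         . "img-src 'self' data:; frame-ancestors 'none'; form-action 'self'; base-uri 'self'");

    // 5. The extras: no MIME sniffing, limited referrer leakage, unused browser features off.
    header('X-Content-Type-Options: nosniff');
    header('Referrer-Policy: strict-origin-when-cross-origin');
    header('Permissions-Policy: camera=(), microphone=(), geolocation=()');

    // Directory browsing is a web-server setting rather than a header: on Apache,
    // "Options -Indexes" in .htaccess; on IIS, disable Directory Browsing for the site.
}

sendSecurityHeaders();
```

Verify the result in Chrome Developer Tools (Network tab, select the page request, Response Headers) rather than relying only on the scanner score.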