Jump to content

Possible to add security headers?

Recommended Posts

Site URL: https://securityheaders.com/

Hi,

Square Space Support has directed me to the forum. Just wondering if anyone has been successful in adding in security headers to a square space site. If you scan with the above url you will see the missing headers. Support recommended injecting html but that is a client side solution to a server side requirement.

After looking into this one in more detail it looks like none of those techniques will work as they are client-side rather than server-side. Chrome, for example, will ignore x-frame-options when it's in a meta tag and so we would expect that a bad actor or script would do the same thing. Here is a summary of the problem with fixes:

https://security.stackexchange.com/questions/167081/how-to-add-x-frame-options-header-to-a-simple-html-file

It seems the only way to set these headers as to affect security is to apply at the server level. On apache/wordpress we just use the functions file to hook in before page load and set the headers.

Does squarespace have a way to do something similar? is there anything that you recommend we try aside form the client side links provided? Happy to help troubleshoot or explain in more detail.

 

Link to comment
  • 11 months later...

I second this. securityheaders.com rates my site "D", essentially for missing something that seems easily added in Wordpress, but is completely out of reach for Squarespace users?

Another example of what I'm calling the "Squarespace exchange" - a growing list of long term sacrifices you make in on-page optimization for seo, just to get an 'easier' build up front. I'm teetering on migrating my sites up and away...

Hi. I'm Michael. I run iPhoneIntact - Raleigh’s most experienced mobile iPhone/iPad repair service. That's enough for now.

Link to comment
  • 3 weeks later...
5 minutes ago, FarleysCarpetCleaning said:

absolutely no idea what [HSTS] does but i enabled it and I stopped getting the security warning.

HSTS (HTTP Strict Transport Security) is a web security policy technology designed to help keep web servers secure against 'downgrade' attacks. 

HSTS causes browsers to strictly enforce web security practices and can prevent attackers redirecting visitors' browsers from your site to a different, lower security site that they control. 

Improve your online store with our extensions.
About: Squarespace Circle Leader since 2017. I value honesty, transparency, appreciation and great design ♥.
Work: Squarespace Developer and founder of SF Digital, building the features Squarespace didn't include™.
Content: Links in my posts may refer to SF Digital products or may be affiliate links.

Buy me a coffee

Link to comment
  • 3 months later...
40 minutes ago, JoWorks said:

I have enabled this but the scan still gives me a Yellow warning for Strict Transport Security.

Which scan are you referring to? A screenshot of the scan results, and a link to the site, may help us to comment.

Edited by paul2009

Improve your online store with our extensions.
About: Squarespace Circle Leader since 2017. I value honesty, transparency, appreciation and great design ♥.
Work: Squarespace Developer and founder of SF Digital, building the features Squarespace didn't include™.
Content: Links in my posts may refer to SF Digital products or may be affiliate links.

Buy me a coffee

Link to comment

Please can Squarespace increase the Max-age directive to the recommended value of 2592000 (30 days) as a matter of urgency. This should be a simple fix. (pasted from securityheaders.com scan on my squarespace website, which scores a D rating!)image.thumb.png.d9498fde549b054989ed34dacdbb6ab0.png

Link to comment
1 hour ago, JoWorks said:

Please can Squarespace increase the Max-age directive [of HSTS]

They can, but it seems they are unlikely to do so because I've been asking since 2016. As I mentioned in my earlier post, this security enhancement would require ease of use to be compromised and they don't seem to be very keen to do this.

You can make a feature request by opening a support ticket with Squarespace Customer Care. They don't routinely monitor this forum for such requests.

Improve your online store with our extensions.
About: Squarespace Circle Leader since 2017. I value honesty, transparency, appreciation and great design ♥.
Work: Squarespace Developer and founder of SF Digital, building the features Squarespace didn't include™.
Content: Links in my posts may refer to SF Digital products or may be affiliate links.

Buy me a coffee

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

×
×
  • Create New...

Squarespace Webinars

Free online sessions where you’ll learn the basics and refine your Squarespace skills.

Hire a Designer

Stand out online with the help of an experienced designer or developer.