aaronzap Posted March 26, 2021

Site URL: https://securityheaders.com/

Hi, Squarespace Support has directed me to the forum. Just wondering if anyone has been successful in adding security headers to a Squarespace site. If you scan with the above URL you will see the missing headers. Support recommended injecting HTML, but that is a client-side solution to a server-side requirement.

After looking into this one in more detail, it looks like none of those techniques will work, as they are client-side rather than server-side. Chrome, for example, will ignore X-Frame-Options when it's in a meta tag, and so we would expect that a bad actor or script would do the same thing. Here is a summary of the problem with fixes: https://security.stackexchange.com/questions/167081/how-to-add-x-frame-options-header-to-a-simple-html-file

It seems the only way to set these headers so as to affect security is to apply them at the server level. On Apache/WordPress we just use the functions file to hook in before page load and set the headers. Does Squarespace have a way to do something similar? Is there anything that you recommend we try aside from the client-side links provided? Happy to help troubleshoot or explain in more detail.
iPhoneIntact Posted March 21, 2022

I second this. securityheaders.com rates my site "D", essentially for missing something that seems easily added in WordPress, but is completely out of reach for Squarespace users? Another example of what I'm calling the "Squarespace exchange": a growing list of long-term sacrifices you make in on-page optimization for SEO, just to get an 'easier' build up front. I'm teetering on migrating my sites up and away...

Hi. I'm Michael. I run iPhoneIntact - Raleigh's most experienced mobile iPhone/iPad repair service. That's enough for now.
FarleysCarpetCleaning Posted April 7, 2022

Settings > Advanced > SSL - enable HSTS. Absolutely no idea what it does, but I enabled it and I stopped getting the security warning.
paul2009 Posted April 7, 2022

5 minutes ago, FarleysCarpetCleaning said:
> absolutely no idea what [HSTS] does but I enabled it and I stopped getting the security warning.

HSTS (HTTP Strict Transport Security) is a web security policy technology designed to help keep web servers secure against 'downgrade' attacks. HSTS causes browsers to strictly enforce web security practices and can prevent attackers redirecting visitors' browsers from your site to a different, lower-security site that they control.

About: SQSP User for 17 yrs. Circle Leader since 2017. I value honesty, transparency, diversity and good design ♥. Work: Founder of SF Digital, building Squarespace Extensions to supercharge your commerce website. Content: Links in my posts may refer to SF Digital products or may be affiliate links. If my advice helped, you can thank me by clicking one of the feedback emojis below. I love coffee too.
JoWorks Posted July 12, 2022

I have enabled this, but the scan still gives me a yellow warning for Strict Transport Security. Does it take some time to become enabled in the system?
paul2009 Posted July 12, 2022 (edited)

40 minutes ago, JoWorks said:
> I have enabled this but the scan still gives me a Yellow warning for Strict Transport Security.

Which scan are you referring to? A screenshot of the scan results, and a link to the site, may help us to comment.

Edited July 12, 2022 by paul2009
JoWorks Posted July 12, 2022

> Please can Squarespace increase the Max-age directive to the recommended value of 2592000 (30 days) as a matter of urgency. This should be a simple fix.

(pasted from securityheaders.com scan on my Squarespace website, which scores a D rating!)
paul2009 Posted July 12, 2022

1 hour ago, JoWorks said:
> Please can Squarespace increase the Max-age directive [of HSTS]

They can, but it seems they are unlikely to do so, because I've been asking since 2016. As I mentioned in my earlier post, this security enhancement would require ease of use to be compromised, and they don't seem to be very keen to do this.

You can make a feature request by opening a support ticket with Squarespace Customer Care. They don't routinely monitor this forum for such requests.
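The scan both posters refer to reads the HTTP response headers the server actually sends; a `<meta http-equiv>` tag injected into the page body is not a response header and does not count. The following Python is an added example written for this thread, not code from securityheaders.com or Squarespace. It parses a raw HTTP/1.1 response, lists the headers a scanner expects, and applies the 30-day HSTS max-age threshold quoted above. The header list and the two sample responses are constructed for illustration and are not real scan output.

```python
"""Offline check of HTTP security response headers, in the spirit of a
securityheaders.com scan. Sample responses and the expected-header list are
constructed for this example and are not real scan output."""
from __future__ import annotations

import re

# Headers a scanner typically expects on an HTML response (assumed list).
EXPECTED = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)
# 2592000 s (30 days) is the minimum HSTS max-age quoted by the scan above.
HSTS_MIN_MAX_AGE = 2_592_000


def parse_response_headers(raw: str) -> dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a dict keyed
    by lower-cased name. Stops at the blank line; anything in the body
    (including a <meta http-equiv> tag) is deliberately not a header."""
    headers: dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into its directives (RFC 6797)."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', val.strip())
            if m:
                out["max_age"] = int(m.group(1))
        elif key == "includesubdomains":
            out["include_subdomains"] = True
        elif key == "preload":
            out["preload"] = True
    return out


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return findings as strings; an empty list means nothing to report."""
    findings = [f"missing: {name}" for name in EXPECTED if name not in headers]
    if "strict-transport-security" in headers:
        hsts = parse_hsts(headers["strict-transport-security"])
        if hsts["max_age"] is None:
            findings.append("hsts: max-age directive missing or malformed")
        elif hsts["max_age"] < HSTS_MIN_MAX_AGE:
            findings.append(f"hsts: max-age {hsts['max_age']} below {HSTS_MIN_MAX_AGE}")
        if not hsts["include_subdomains"]:
            findings.append("hsts: includeSubDomains not set")
    xfo = headers.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options: unrecognised value {xfo!r}")
    return findings


def scan(raw: str) -> list[str]:
    return check_headers(parse_response_headers(raw))


# Constructed: HSTS switched on with a short max-age, and an X-Frame-Options
# meta tag injected into the body, which the parser (like a browser) ignores.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=86400\r\n"
    "\r\n"
    '<meta http-equiv="X-Frame-Options" content="DENY">\r\n'
)
# Constructed: the same page with the headers set server-side.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "\r\n"
    "<html></html>\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, scan(raw) or ["no findings"])
```

To run it against a live site, replace the constructed strings with the raw response from `curl -sI https://example.com` (a hypothetical host): the point of the exercise is that only what arrives in that header block influences the browser or the scan, which is why the meta-tag approach recommended by support does not move the grade.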