I just rechecked it again:

Opted out - this website will never appear in public results or in the showcase

However, it is still possible to be scanned for forum details.

    Thanks. Yes, everything seems to be fine now. It says opted out and previous scans have properly been hidden from the homepage.

    It's possible there was a temporary client-side caching issue if you didn't refresh the page with F5 or by closing and reopening it after making the opt-out verification.

    giter However, it is still possible to be scanned for forum details.

    Yes, and I'm not planning to change that. The lab is open-source, anyone can run the code from their own servers anyway. If you're trying to conceal the list of extensions, you can hide the javascript admin files from non-admins; there's no extension for that but this can be achieved via webserver rules. For extensions that are visible in the frontend part, you'd need to obfuscate both the javascript and the JSON boot payload of Flarum. If you're trying to conceal other information, you should make it invisible to guests on the forum itself.

      clarkwinkelmann

      Thank you,

      clarkwinkelmann hide the javascript admin files from non admins

      How do I go about achieving this and can you give me a little detail?

      I found that some forums were not only not scanned by "https://lab.migratetoflarum.com/", but also not able to have their extension details found from Chrome's Source; however, my forum was easily found in Source, together with which extensions are installed.

        giter you could protect the admin files using a password at the webserver level. That would be the easiest, but not very convenient for administrators. Or protect by IP range if you know you will always access the admin from a fixed IP.

        Some big companies using Flarum must have developed their own "locked down" version of Flarum that automatically prevents accessing files the current user doesn't need, but I have no insights into that. I just know their admin files are not visible in the Lab.

        Some forums use further javascript minification (some intentionally, for some it's their host/proxy doing it automatically) which limits what the Lab can do with the data. But everything's still there for someone who wants to put in the effort.

        Minifying the javascript for the purpose of hiding which features are available isn't very effective since the list of extension IDs is present in the Flarum JSON boot payload anyway.

        Can I ask what you're trying to make invisible on the forum? Many things can be seen straight away from the development tools as you say, and most of the things could be "guessed" by a skilled person anyway.

        If your forum is fully private, and only accessible to invited users, I can understand you might want to hide the full extension bundle from guests. This could probably be achieved using a Flarum extension, where guests would see a "light" version of Flarum with just core features to allow login, and where the full bundle is downloaded for logged-in users only. The extension would need to make the name of the javascript file either unguessable, or actually implement some access control on that route instead of leaving nginx/apache to serve the file.

        10 days later

        Ralkage What needs to be done to prevent access? Personally I've never noticed, but it turns out that none of my installations can access composer.json and I don't remember doing anything specific for that.

          clarkwinkelmann Of course! I hadn't thought about it, it's too obvious that I'm like a zombie when installing... 😅

          Justoverclock if you are using Apache, check that htaccess files and mod rewrite are enabled.

          If you are using Nginx, there are commented lines in the included nginx config. If you're using a different webserver, you need to write your own blacklist.

            clarkwinkelmann I have SiteGround (supposed to be Apache as web server and Nginx as reverse proxy). I have uncommented the lines in the nginx config and uncommented the lines in htaccess....

              that's my htaccess:

              <IfModule mod_rewrite.c>
                RewriteEngine on
              
                # Ensure the Authorization HTTP header is available to PHP
                RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
              
                # Uncomment the following lines if you are not using a `public` directory
                # to prevent sensitive resources from being exposed.
                RewriteRule /\.git / [F,L]
                RewriteRule ^auth\.json$ / [F,L]
                RewriteRule ^composer\.(lock|json)$ / [F,L]
                RewriteRule ^config.php$ / [F,L]
                RewriteRule ^flarum$ / [F,L]
                RewriteRule ^storage/(.*)?$ / [F,L]
                RewriteRule ^vendor/(.*)?$ / [F,L]
              
                # Pass requests that don't refer directly to files in the filesystem to index.php
                RewriteCond %{REQUEST_FILENAME} !-f
                RewriteCond %{REQUEST_FILENAME} !-d
                RewriteRule ^ index.php [QSA,L]
              </IfModule>
              
              # Disable directory listings
              Options -Indexes
              
              # MultiViews can mess up our rewriting scheme
              Options -MultiViews
              
              # The following directives are based on best practices from H5BP Apache Server Configs
              # https://github.com/h5bp/server-configs-apache
              
              # Expire rules for static content
              <IfModule mod_expires.c>
                ExpiresActive on
                ExpiresDefault                                      "access plus 1 month"
                ExpiresByType text/css                              "access plus 1 year"
                ExpiresByType application/atom+xml                  "access plus 1 hour"
                ExpiresByType application/rdf+xml                   "access plus 1 hour"
                ExpiresByType application/rss+xml                   "access plus 1 hour"
                ExpiresByType application/json                      "access plus 0 seconds"
                ExpiresByType application/ld+json                   "access plus 0 seconds"
                ExpiresByType application/schema+json               "access plus 0 seconds"
                ExpiresByType application/vnd.geo+json              "access plus 0 seconds"
                ExpiresByType application/vnd.api+json              "access plus 0 seconds"
                ExpiresByType application/xml                       "access plus 0 seconds"
                ExpiresByType text/calendar                         "access plus 0 seconds"
                ExpiresByType text/xml                              "access plus 0 seconds"
                ExpiresByType image/vnd.microsoft.icon              "access plus 1 week"
                ExpiresByType image/x-icon                          "access plus 1 week"
                ExpiresByType text/html                             "access plus 0 seconds"
                ExpiresByType application/javascript                "access plus 1 year"
                ExpiresByType application/x-javascript              "access plus 1 year"
                ExpiresByType text/javascript                       "access plus 1 year"
                ExpiresByType application/manifest+json             "access plus 1 week"
                ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
                ExpiresByType text/cache-manifest                   "access plus 0 seconds"
                ExpiresByType text/markdown                         "access plus 0 seconds"
                ExpiresByType audio/ogg                             "access plus 1 month"
                ExpiresByType image/bmp                             "access plus 1 month"
                ExpiresByType image/gif                             "access plus 1 month"
                ExpiresByType image/jpeg                            "access plus 1 month"
                ExpiresByType image/png                             "access plus 1 month"
                ExpiresByType image/svg+xml                         "access plus 1 month"
                ExpiresByType image/webp                            "access plus 1 month"
                ExpiresByType video/mp4                             "access plus 1 month"
                ExpiresByType video/ogg                             "access plus 1 month"
                ExpiresByType video/webm                            "access plus 1 month"
                ExpiresByType application/wasm                      "access plus 1 year"
                ExpiresByType font/collection                       "access plus 1 month"
                ExpiresByType application/vnd.ms-fontobject         "access plus 1 month"
                ExpiresByType font/eot                              "access plus 1 month"
                ExpiresByType font/opentype                         "access plus 1 month"
                ExpiresByType font/otf                              "access plus 1 month"
                ExpiresByType application/x-font-ttf                "access plus 1 month"
                ExpiresByType font/ttf                              "access plus 1 month"
                ExpiresByType application/font-woff                 "access plus 1 month"
                ExpiresByType application/x-font-woff               "access plus 1 month"
                ExpiresByType font/woff                             "access plus 1 month"
                ExpiresByType application/font-woff2                "access plus 1 month"
                ExpiresByType font/woff2                            "access plus 1 month"
                ExpiresByType text/x-cross-domain-policy            "access plus 1 week"
              </IfModule>
              
              # Gzip compression
              <IfModule mod_deflate.c>
                <IfModule mod_filter.c>
                  AddOutputFilterByType DEFLATE "application/atom+xml" \
                                                "application/javascript" \
                                                "application/json" \
                                                "application/ld+json" \
                                                "application/manifest+json" \
                                                "application/rdf+xml" \
                                                "application/rss+xml" \
                                                "application/schema+json" \
                                                "application/vnd.geo+json" \
                                                "application/vnd.ms-fontobject" \
                                                "application/wasm" \
                                                "application/x-font-ttf" \
                                                "application/x-javascript" \
                                                "application/x-web-app-manifest+json" \
                                                "application/xhtml+xml" \
                                                "application/xml" \
                                                "font/collection" \
                                                "font/eot" \
                                                "font/opentype" \
                                                "font/otf" \
                                                "font/ttf" \
                                                "image/bmp" \
                                                "image/svg+xml" \
                                                "image/vnd.microsoft.icon" \
                                                "image/x-icon" \
                                                "text/cache-manifest" \
                                                "text/calendar" \
                                                "text/css" \
                                                "text/html" \
                                                "text/javascript" \
                                                "text/plain" \
                                                "text/markdown" \
                                                "text/vcard" \
                                                "text/vnd.rim.location.xloc" \
                                                "text/vtt" \
                                                "text/x-component" \
                                                "text/x-cross-domain-policy" \
                                                "text/xml"
                  </IfModule>
              </IfModule>
              
              # Fix for https://httpoxy.org vulnerability
              <IfModule mod_headers.c>
                RequestHeader unset Proxy
              </IfModule>

                Justoverclock my unscientific method of troubleshooting htaccess files is to just write garbage in the <IfModule mod_rewrite.c> block. If the website returns a 500 error, it means the htaccess and rewrite mod are working. If the website doesn't crash, it means Apache is ignoring the file.


                Justoverclock I've worked out why the rewrites aren't working. SiteGround listens with NGINX, then passes back to Apache for processing. In most cases, the nginx.conf and .htaccess should do all of the work, but they are being IGNORED! I have proven this by renaming both files, and the site still functioned even after clearing the cache 🤯

                As a workaround, I have had to configure URL security which seems to work. The grade is now capped at C, but by the time I'm done, it should be at least A
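The thread shows that a deny list in .htaccess or nginx.conf can silently be ignored by the hosting stack, so the only reliable check is to request the protected paths and look at the status codes. The script below is an added example, not part of the thread or of Flarum itself; it assumes the default layout without a `public` directory (the same layout the posted .htaccess rules target) and treats a 200 on any of those paths as proof that the deny rule is not in effect.

```python
"""Check whether a Flarum install's sensitive paths are really denied by the webserver."""
from urllib.error import HTTPError, URLError
from urllib.request import HTTPRedirectHandler, Request, build_opener

# One concrete request per deny rule in the posted .htaccess ([F,L] => 403).
SENSITIVE_PATHS = (".git/HEAD", "auth.json", "composer.json", "composer.lock",
                   "config.php", "flarum", "storage/logs/flarum.log", "vendor/autoload.php")


class _NoRedirect(HTTPRedirectHandler):
    """Report 3xx responses as-is instead of following them to some 200 page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url, timeout=10):
    """GET url and return the HTTP status code; 4xx/5xx are results, not exceptions."""
    try:
        with build_opener(_NoRedirect).open(Request(url), timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code
    except URLError:
        return 0  # connection-level failure; classify() flags it for review


def classify(status):
    """200 means the webserver served the file, i.e. the deny rule is not in effect."""
    if status == 200:
        return "exposed"
    if status in (401, 403, 404):
        return "blocked"
    return "check"  # redirect, 5xx, connection error: look at it by hand


def audit(base_url, paths=SENSITIVE_PATHS, fetch=http_status):
    """Map each path to (status, verdict); fetch is injectable so this can run offline."""
    base = base_url.rstrip("/")
    report = {}
    for path in paths:
        status = fetch(f"{base}/{path}")
        report[path] = (status, classify(status))
    return report


if __name__ == "__main__":
    import sys  # usage: python check_flarum_paths.py https://forum.example
    for path, (status, verdict) in audit(sys.argv[1]).items():
        print(f"{status} {verdict:8} /{path}")
```

Run it once against your own forum after editing the webserver rules and again after renaming .htaccess; if composer.json reports "exposed" in both runs, the rules were never being applied.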