
MigrateToFlarum Lab, the health scanner for Flarum

clarkwinkelmann

Sanguine I really don't know...

My thoughts are as follows: the forum is correctly configured if a visitor can't see any security error at any point.

A fourth-level www domain not resolving is not a concrete error and the browser simply will tell the visitor the address is incorrect. No harm done.

However if the domain does resolve it becomes something the user might type and should not show a security warning.

If the domain uses HSTS with includeSubdomains and/or preload and types a fourth-level www subdomain it will automatically load the HTTPS version of that page and cause security warnings, so redirect when http is not enough.

What about not answering on port 443 for that subdomain ? That would trigger a proper not found message in the browser and that's something I could say is acceptable in my rating. But if it's the same IP answering all urls you have to wait for the Server Name Indication and this will probably be too late to make it look like port 443 is closed.

Damn that's not easy...


Sanguine

clarkwinkelmann If the domain uses HSTS with includeSubdomains and/or preload and types a fourth-level www subdomain it will automatically load the HTTPS version of that page and cause security warnings, so redirect when http is not enough.

But FF does not (anymore?) use HSTS w/ IncludeSubdomains, so in that case, a normal http > https(canonical) redirect would be ok, right?

clarkwinkelmann correctly configured if a visitor can't see any security error at any point

One could say this is a subjective norm, as there are always things that could trigger an error. E.g. (for sites that correctly implement the DNS RFC) localhost.domain.tld or smtp.domain.tld. But no sane person types in mail.flarum.org (gives 404). So you limit the set of arbitrary prefixes to the one commonly used: "www". But I'd argue that it is also common practice to not use the www prefix in case of a subdomain. Potato, potatoe?


XavierLoo

I get this report after running the test on my own Flarum site haha. Now I doubt if I were installing a genuine Flarum install.

Extensions

Could not detect any loaded module/extension. Is this really a Flarum install ?

p.s. I get this report too BlackSheep but not really understand what's going wrong..

Btw, thanks @clarkwinkelmann for making this awesome tool.


clarkwinkelmann

XavierLoo you could have given me a link to the report or the website url as it's not showing up in the homepage of the lab ? (if there's an error it's not shown on the homepage) I guess you're talking about http://ct.pharosic.com/ ?

you've got some strange cryptographic-based javascript redirect response that's interfering with my crawler. My script sees the redirect script (http://ct.pharosic.com/) instead of your Flarum (http://ct.pharosic.com/?i=1).

The crawler only follows HTTP redirects, not javascript-based ones. And currently I don't accept forum homepage urls that use query strings (they are removed) so there's no way to scan your website in its current form.


XavierLoo

clarkwinkelmann yup, that's my forum. Actually I don't know why there is a redirect script.. I might need to consult my server service provider (currently using free hosting)

Updated:

Answer from the service provider

I understand these suffixes (http://yourwebsite.com/?=1) look ugly, however, they are a necessary part of our system to protect websites against malicious bots. These suffixes are completely harmless though, they won't prevent legitimate visitors and search engine spiders from accessing your website.

I think that's what's blocking your crawler's way?


PranavJadhav

I found this site in showcase, it's pretty impressive, https://halfminer.de, but I'm not able to look up the extensions being used (Could not detect any loaded module/extension. Is this really a Flarum install ?). How can I do so? And also, how is he hiding those?



0E800

@clarkwinkelmann
May you please help me understand what I need to do in order to get the far opposite result of:

Multiple urls
This Flarum is accepting connections via multiple urls which will result in an invalid config.url value being used for some of them. This will also impact your search engine ranking by creating duplicate content. Setup redirects so only the url defined in your config.php (https://keys-daggers.org) can be used to access the forum to fix it.
Vendor folder
Your vendor folder is currently being served by your webserver. This could expose untrusted scripts to the world and compromise your security. Use a rewrite rule to prevent your webserver from serving this folder.

I am mostly concerned about the Vendor folder.

I could not find a post that included the proper permissions for the flarum folders with regards to what shouldn't be publicly available. The posts I found were mostly for users that had issues with permissions trying to install.

Any reply would be greatly appreciated, and thank you for providing this most excellent service. Tips.


luceos

0E800 to protect your vendor folder you'll have to properly set up your nginx configuration (assuming nginx because the default .htaccess already covers this). You'll have to do something for Nginx like we did in apache:

https://github.com/flarum/flarum/blob/v0.1.0-beta.7/.htaccess#L26

In fact the nginx config in the docs also covers the vendor protection:

    location ~* ^/(composer\.(json|lock)|config\.php|flarum|storage|vendor) {
        deny all;
        return 404;
    }

0E800

@luceos

Thank you for the pro-tip.

I had installed my instance using @webeindustry's install script:
https://github.com/webeindustry/flarumvpsinstallscript/blob/master/script

Which used:

    location /flarum {
        deny all;
        return 404;
    }

I replaced that with your recommendation:

    location ~* ^/(composer\.(json|lock)|config\.php|flarum|storage|vendor) {
        deny all;
        return 404;
    }

Now I am good to go.

Thank you sir.


robetus

Lots of false positives. Said my vendor and storage folders were accessible but they're not. Tried it myself. I have the following in my htaccess file:

  RewriteRule ^vendor/(.*)?$ / [F,L]
  RewriteRule ^storage/(.*)?$ / [F,L]
  RewriteRule ^config.php$ / [F,L]
  RewriteRule /\.git / [F,L]
  RewriteRule ^composer\.(lock|json)$ / [F,L]

clarkwinkelmann

robetus what's your website ? You can send it to me via Discord PM if you don't want to list your url publicly.

The folders are considered "exposed" if the status code returned by some well-known files in these folders is 200. The apache rewrite rule F should return a 403 status code and my scanner should be fine with it.


clarkwinkelmann

Ratings just got better (and more fair).

Now the reasons behind the rating are written beside it. And I'm no longer punishing domains with errors on their www subdomain if it's not a first-level domain (@Sanguine this will make you happy I guess).

Also the "+" is now only granted if you have a HSTS of 6 months or more.

And I introduced a "-" (minus) that is currently only given if your forum is in debug mode (to my knowledge having debug mode on in Flarum usually doesn't expose any sensitive data or setting, if it were the case I'd cap the rating to D like the other security issues)

Happy scanning!



clarkwinkelmann

Sanguine apparently you can score A+ whilst lacking a CSP header altogether

CSP being so complicated with Flarum right now I'm not taking it into account for the score.

Because having CSP with eval, inline-scripts and inline-style really is like having no CSP at all.


Sanguine

Re the multi url issue: perhaps Flarum itself should detect a non-canonical url and perform a 301 redirect? I know Magento does this by default (albeit with a config flag).




Pollux

@clarkwinkelmann

I've got a B because "Is using non-permanent redirects". You suggest "Consider using a 301 permanent redirect instead (the browsers and search engines will cache it)".

But my .htaccess file already looks like that:

RewriteCond %{HTTP_HOST} ^www\.my-domain\.com [NC]
RewriteRule ^(.*)$ https://my-domain.com/$1 [R=301,L]

RewriteCond %{HTTPS} off [OR]
RewriteCond %{ENV:HTTPS} off
RewriteCond %{HTTP_HOST} ^my-domain\.com [NC]
RewriteRule ^(.*)$ https://my-domain.com/$1 [R=301,L]

Shouldn't that do exactly what you suggest?


clarkwinkelmann

Pollux these rules look fine... Yet the redirect is still 302 ?

I don't think the issue is on my side as you can check the network tab of your browser and see the redirect is 302...

Maybe you've got a proxy/cdn or other service that's doing a redirect before your own rules are run ? Maybe try removing or altering your rules to see if it has an effect.

If you want me to investigate deeper you'll have to tell me which url you're having issues with (You can contact me via email or Discord if you want to keep it private). I guess it's the .de website scanned a few hours ago.

PS: just fixed an issue that broke the whole report if your website returns errors when my bot tries to access the composer files. The fix has the side effect of not displaying malicious access on old reports anymore. But it will be back on every new scan. Even if you don't report the errors to me I still browse through hidden reports to see if you ran into issues and fix them for everybody else.
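A small offline model of three rating rules discussed in this thread: the "exposed only on status 200" rule from the reply to robetus, the 301-versus-302 point raised in Pollux's post, and the six-month HSTS requirement for the "+". This is an added example, not the Lab's own code; the probe list, the grade caps and the injected fetcher (so it runs without network access) are assumptions.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed probe list (assumption): files that should never answer 200.
WELL_KNOWN = ["vendor/autoload.php", "composer.json", "composer.lock",
              "config.php", "storage/.gitignore"]
SIX_MONTHS = 180 * 24 * 3600  # HSTS max-age the thread quotes for the "+"

Response = Tuple[int, Dict[str, str]]   # (status code, lowercase header names)
Fetcher = Callable[[str], Response]     # injected stand-in for an HTTP GET

def make_fetcher(table: Dict[str, Response]) -> Fetcher:
    """Offline fetcher built from a constructed URL -> response table; unknown URLs give 404."""
    return lambda url: table.get(url, (404, {}))

def exposed_paths(base: str, fetch: Fetcher) -> List[str]:
    """A path counts as exposed only on 200; 403 (RewriteRule [F]) and 404 both pass."""
    return [p for p in WELL_KNOWN if fetch(f"{base}/{p}")[0] == 200]

def redirect_kind(url: str, fetch: Fetcher) -> str:
    """Classify the first hop of the http:// URL: permanent, temporary or none."""
    status = fetch(url)[0]
    if status in (301, 308):
        return "permanent"
    if status in (302, 303, 307):
        return "temporary"
    return "none"

def hsts_max_age(headers: Dict[str, str]) -> int:
    """Parse max-age out of Strict-Transport-Security; 0 when the header is absent."""
    value = headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", value, re.I)
    return int(m.group(1)) if m else 0

def rate(base: str, fetch: Fetcher) -> Tuple[str, List[str]]:
    """Tiny rating model (assumed caps): any exposed file -> D, a temporary
    http->https redirect -> B, and "+" only with HSTS max-age >= six months."""
    reasons: List[str] = []
    exposed = exposed_paths(base, fetch)
    if exposed:
        reasons.append("exposed: " + ", ".join(exposed))
        return "D", reasons
    grade = "A"
    if redirect_kind(base.replace("https://", "http://", 1), fetch) == "temporary":
        reasons.append("non-permanent http->https redirect")
        grade = "B"
    if grade == "A" and hsts_max_age(fetch(base)[1]) >= SIX_MONTHS:
        grade = "A+"
    return grade, reasons
```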

