Hello Everyone!
First off I want to compliment everyone on their knowledge of the subject matter and their willingness to assist someone like myself.
I have two more questions...
I'm running elgg on WAMP 3.2.6 on a Win 10 Pro machine and my elgg version is 4.1.2 manually installed vs. the Composer install.
The first question I have has to do with the contents of the root directory. There are two composer.* files present that are exposed from the address bar, https://blah.blah.org/composer.* My first impression is that I can most likely delete these two files because I'm not using composer. Is this a fair assumption?
Next question, using, https://whynopadlock.com as a guide, how do I force the use of https only from my website?
1, 2, 3
Elgg needs the composer.* files for it to work. So please don't remove them.
As of Elgg 4.0.5 we also added some hardening rules in the .htaccess to prevent web access to the composer.* files. See https://github.com/Elgg/Elgg/commit/0affc35052ec4e8fb0bd66ffc9f01bcba2d7c403
Maybe you could check your .htaccess file
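As an added illustration (not the Elgg project's own .htaccess, and not code from any poster here), this Apache 2.4 fragment does both things the thread touches on: it redirects every plain-HTTP request to HTTPS, which is what a "padlock" checker looks for, and it denies web access to composer.json and composer.lock while leaving the files on disk so Elgg can still use them. It assumes mod_rewrite and mod_headers are enabled and that the fragment is placed in the site's root .htaccess ahead of Elgg's own rewrite rules.

```apache
# Added example: force HTTPS and hide Composer metadata (assumes Apache 2.4).

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Any request that did not arrive over TLS gets a permanent (301)
    # redirect to the same host and path over https://.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

# Deny browser access to composer.json / composer.lock. The files stay on
# disk because Elgg needs them; only direct web requests are refused (403).
<FilesMatch "^composer\.(json|lock)$">
    Require all denied
</FilesMatch>

# Optional: once the redirect is confirmed to work on every page, tell
# browsers to use HTTPS only for the next year. Sent only on TLS responses.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000" "expr=%{HTTPS} == 'on'"
</IfModule>
```

To check the result from the command line, `curl -I http://your-site/` should answer `301` with a `Location: https://...` header, and `curl -I https://your-site/composer.json` should answer `403`.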
Jerome Bakker,
Thank you so much for sharing! Something else I don't have to worry about now.
Nikolai Shcherbin,
I'm sorry, I just realized that your "1, 2, 3" were hyperlinks. I am studying your answers now. Thank you for sharing.
Nikolai Shcherbin,
I went through all of the answers on 1 and 2 that I could figure out how to implement, and nothing satisfied the "whynopadlock.com" website test. I then attempted to access my website from a remote computer using "http" in the browser address bar and was promptly returned a 403 permission error. So I'm wondering whether the "whynopadlock.com" test result is accurate.
What is your opinion?
@Claudius It seems you should configure Content-Security-Policy rules.
Please learn how to do it on Apache:
https://stackoverflow.com/questions/62105213/setting-content-security-policy-in-apache-web-server
https://blog.sucuri.net/2021/10/how-to-set-up-a-content-security-policy-csp-in-3-steps.html