Need help with PCI compliance
I am currently using V1.5.5 and I am trying to pass PCI compliance, and am currently failing on 6 points.
Any help with this or any idea?
Title: Web Application Potentially Vulnerable to Clickjacking
Synopsis: The remote web server may fail to mitigate a class of web application vulnerabilities.
It seems to be all of my categories and links on my site.
Thanks for any help, or if anyone knows of any resources to help fix these.
Re: Need help with PCI compliance
Anti-clickjacking support is already built in to the default html_header.php file since v1.5.5.
See https://github.com/zencart/zencart/b...er.php#L16-L17
Re: Need help with PCI compliance
Hi, thank you for the quick reply. I've checked there and nothing was showing.
Although I have now added the greyed bit to my header... Is that all that needs adding?
// Prevent clickjacking risks by setting X-Frame-Options:SAMEORIGIN
header('X-Frame-Options:SAMEORIGIN');
Thanks again.
Re: Need help with PCI compliance
That's usually worked for me whenever I've tested it.
In rare cases a weird block of JavaScript can be added, but that's usually considered overkill nowadays IMO.
Re: Need help with PCI compliance
Hi. 1 has now gone but I still have 2 left. All I can think of is someone has removed them or they have been deleted somehow.
I checked on my new Zen Cart against this one and you are right :) the code was there, just strange why it has been removed.
2 of the others' resolution says this:
Resolution:
Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response. This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags.
and the other:
Resolution:
Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response. This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags.
Oops, they're both the same. Wonder if it could be from other templates, will try.
Re: Need help with PCI compliance
While searching for answers to my issues I found this piece of code in an OpenCart forum and thought I'd try it.
It worked and has now got me down to 4 issues.
Placed in the .htaccess file:
Code:
<IfModule mod_headers.c>
# Set XSS Protection header
Header set X-XSS-Protection "1; mode=block"
</IfModule>
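The scanner "Resolution" text quoted earlier in this thread accepts either an X-Frame-Options header or a Content-Security-Policy with a frame-ancestors directive, and the .htaccess snippet above adds X-XSS-Protection. The following is an added example (not code from the thread or from Zen Cart) that applies those same acceptance rules to a set of constructed response headers, so you can check every category and product page rather than guessing which template is missing the header. The header values, page names and the live-fetch helper are assumptions for illustration.

```python
"""Audit HTTP response headers the way the PCI scanner in this thread does:
clickjacking protection (X-Frame-Options or CSP frame-ancestors) and the
legacy X-XSS-Protection header. Added example, not Zen Cart's own code."""
import sys
import urllib.request
from typing import Dict, List, Optional

# Constructed sample responses for offline testing (not captured from any real site).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "category_page_fixed": {
        "Content-Type": "text/html; charset=utf-8",
        "X-Frame-Options": "SAMEORIGIN",
        "X-XSS-Protection": "1; mode=block",
    },
    "csp_only": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
    "csp_without_frame_ancestors": {
        "Content-Security-Policy": "default-src 'self'",
    },
    "stripped_template": {
        # What an html_header.php with the header() call removed would send
        "Content-Type": "text/html",
    },
}


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frames_restricted(headers: Dict[str, str]) -> bool:
    """True if framing by other sites is blocked, per the scanner's Resolution:
    X-Frame-Options DENY/SAMEORIGIN, or a CSP frame-ancestors directive that
    does not allow any origin via '*'."""
    xfo = _get(headers, "X-Frame-Options")
    if xfo and xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return True
    csp = _get(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors" and len(parts) > 1:
                # 'frame-ancestors *' would let any site embed the page
                return "*" not in parts[1:]
    return False


def xss_filter_header_set(headers: Dict[str, str]) -> bool:
    """True if X-XSS-Protection is present and enabled (value starts with '1')."""
    value = _get(headers, "X-XSS-Protection")
    return value is not None and value.strip().startswith("1")


def audit(headers: Dict[str, str]) -> List[str]:
    """Return the findings for one response; an empty list means both checks pass."""
    findings = []
    if not frames_restricted(headers):
        findings.append("missing X-Frame-Options or CSP frame-ancestors")
    if not xss_filter_header_set(headers):
        findings.append("missing X-XSS-Protection")
    return findings


def audit_all(responses: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Audit several named responses at once (e.g. one per store page)."""
    return {name: audit(headers) for name, headers in responses.items()}


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch a live page's response headers (assumed helper; network access needed)."""
    with urllib.request.urlopen(url) as response:
        return dict(response.headers.items())


if __name__ == "__main__":
    # Pass page URLs on the command line to audit a real store; otherwise use samples.
    targets = ({url: fetch_headers(url) for url in sys.argv[1:]}
               if len(sys.argv) > 1 else SAMPLE_RESPONSES)
    for name, findings in audit_all(targets).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it against each page the scanner flagged to find which template is dropping the header. Note that X-XSS-Protection is a legacy header that current browsers ignore; it satisfies the scanner but adds no real protection, whereas X-Frame-Options or frame-ancestors is what actually stops the page being framed.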
Re: Need help with PCI compliance
Seem to have come across yet another stumbling block.
My hosting can't sort out "Web Server Generic XSS" as I am on a shared drive :no: and I assume there is no workaround for this except to find another host that can.
Re: Need help with PCI compliance
Really it does seem to me that all these issues are with your hosting server, and not with your Zen Cart.
Re: Need help with PCI compliance
Yeah, you are right... They want to put me onto a VDS server??? £249 a month??
What requirements should I look for to get PCI compliance? Would a dedicated IP do?
Re: Need help with PCI compliance
£249 a month? Is that a typo, did you accidentally press the "2" key? I'm not sure where you're hosted, but I dare say it's overpriced. One of my clients was recently going through PCI compliance and the host (EUK) was incredibly helpful and have done all the server tweaks they were asked to do. IMO, they went over and beyond what most hosts would do - at no extra cost. All for a cloud package with cPanel priced at around £80/month. I'm not trying to advertise EUK and am in no way affiliated with them, this is just my personal opinion based on my very recent experience with them...
So, if your host can't resolve something or is trying to sell you a really expensive package to fix it, you should consider moving away and finding a new host who's willing to help.
At the same time - if you're on some shared hosting account for £5-£10 per month, you should be realistic and understand that you can't expect much from that...
As for a dedicated IP - AFAIK, it's not a requirement for PCI compliance. An SSL certificate is required, but you can install a cert on some control panels even without a dedicated IP.