  1. #1
    Join Date
    Oct 2010
    Location
    United Kingdom
    Posts
    477
    Plugin Contributions
    0

    Need help with PCI compliance

    I am currently using V1.5.5
    and I am trying to pass PCI compliance and am currently failing on 6 points.
    Any help with this, or any idea?

    Title
    Web Application Potentially Vulnerable to Clickjacking

    Synopsis:
    The remote web server may fail to mitigate a class of web application vulnerabilities.

    It seems to be all of my categories and links on my site

    thanks for any help, or if anyone knows of any resources to help fix these

  2. #2
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Need help with PCI compliance

    Anti-clickjacking support is already built-in to the default html_header.php file since v1.5.5
    See https://github.com/zencart/zencart/b...er.php#L16-L17

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Oct 2010
    Location
    United Kingdom
    Posts
    477
    Plugin Contributions
    0

    Re: Need help with PCI compliance

    Hi, thank you for the quick reply. I've checked there and nothing was showing.
    Although I have now added the greyed bit to my header. Is that all that needs adding?

    // Prevent clickjacking risks by setting X-Frame-Options:SAMEORIGIN
    header('X-Frame-Options:SAMEORIGIN');

    thanks again

  4. #4
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Need help with PCI compliance

    That's usually worked for me whenever I've tested it.

    In rare cases a weird block of javascript can be added, but that's usually considered overkill nowadays IMO

  5. #5
    Join Date
    Oct 2010
    Location
    United Kingdom
    Posts
    477
    Plugin Contributions
    0

    Re: Need help with PCI compliance

    Hi. 1 has now gone but I still have 2 left. All I can think of is someone has removed them or they have been deleted somehow.
    I checked on my new Zen Cart against this one and you are right :) the code was there, just strange why it has been removed.
    2 of the others' resolution says this:

    Resolution:
    Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response. This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags.

    and the other

    Resolution:
    Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response. This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags.

    oops, they are both the same, wonder if it could be from other templates, will try
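    A small header audit, added here as an example and not part of the thread, that applies the scanner's resolution text above: a page counts as protected if it returns X-Frame-Options with DENY or SAMEORIGIN, or a Content-Security-Policy that carries a frame-ancestors directive. The response headers below are constructed samples, not captured from any real site; to check a live store, pass the headers returned by your HTTP client to assess_clickjacking_headers.

```python
import re
from typing import Dict, List

# Constructed sample responses (not captured from any real site), keyed by case.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "no_protection": {"Content-Type": "text/html"},
    "xfo_sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    # ALLOW-FROM is obsolete and ignored by current browsers, so it does not count.
    "xfo_obsolete": {"X-Frame-Options": "ALLOW-FROM https://example.invalid"},
    "csp_frame_ancestors": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_without_directive": {"Content-Security-Policy": "default-src 'self'"},
}


def assess_clickjacking_headers(headers: Dict[str, str]) -> Dict[str, object]:
    """Evaluate one response's headers against the scanner's resolution text.

    Returns {"protected": bool, "mechanisms": [...], "findings": [...]}.
    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    mechanisms: List[str] = []
    findings: List[str] = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options header absent")
    elif xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        mechanisms.append(f"X-Frame-Options: {xfo.strip()}")
    else:
        findings.append(f"X-Frame-Options has an unsupported value: {xfo!r}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy header absent")
    elif re.search(r"(^|;)\s*frame-ancestors\b", csp):
        mechanisms.append("Content-Security-Policy: frame-ancestors present")
    else:
        findings.append("Content-Security-Policy lacks a frame-ancestors directive")

    return {"protected": bool(mechanisms), "mechanisms": mechanisms, "findings": findings}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        result = assess_clickjacking_headers(hdrs)
        status = "OK " if result["protected"] else "FAIL"
        print(f"{status} {name}: {result['mechanisms'] or result['findings']}")
```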

  6. #6
    Join Date
    Oct 2010
    Location
    United Kingdom
    Posts
    477
    Plugin Contributions
    0

    Re: Need help with PCI compliance

    While searching for answers to my issues I found this piece of code in an OpenCart forum and thought I'd try it.
    It worked and has now got me down to 4 issues.

    placed in .htaccess file
    Code:
    <IfModule mod_headers.c>
    # Set XSS Protection header
    Header set X-XSS-Protection "1; mode=block"
    </IfModule>

  7. #7
    Join Date
    Oct 2010
    Location
    United Kingdom
    Posts
    477
    Plugin Contributions
    0

    Re: Need help with PCI compliance

    Seem to have come across yet another stumbling block.
    My hosting can't sort out "Web Server Generic XSS" as I am on a shared drive, and I assume there is no workaround for this except finding another host that can.

  8. #8
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: Need help with PCI compliance

    Really it does seem to me that all these issues are with your hosting server, and not with your Zen Cart.

  9. #9
    Join Date
    Oct 2010
    Location
    United Kingdom
    Posts
    477
    Plugin Contributions
    0

    Re: Need help with PCI compliance

    Yeah, you are right. They want to put me onto a VDS server??? £249 a month??
    What requirements should I look for to get PCI compliance? Would a dedicated IP do?

  10. #10
    Join Date
    Oct 2008
    Location
    Croatia
    Posts
    1,542
    Plugin Contributions
    19

    Re: Need help with PCI compliance

    £249 a month? Is that a typo, did you accidentally press the "2" key? I'm not sure where you're hosted, but I dare say it's overpriced. One of my clients was recently going through PCI compliance and the host (EUK) was incredibly helpful and have done all the server tweaks they were asked to do. IMO, they went over and beyond what most hosts would do - at no extra cost. All for a cloud package with cPanel priced at around £80/month. I'm not trying to advertise EUK and am in no way affiliated with them, this is just my personal opinion based on my very recent experience with them...
    So, if your host can't resolve something or is trying to sell you a really expensive package to fix it, you should consider moving away and finding a new host who's willing to help.
    At the same time - if you're on some shared hosting account for £5-£10 per month, you should be realistic and understand that you can't expect much from that...

    As for dedicated IP - AFAIK, it's not a requirement for PCI compliance. SSL certificate is required, but you can install a cert on some control panels even without a dedicated IP.
