#36181 – Joomla 4 HTTP Header Plugin

Posted in ‘Akeeba Admin Tools for Joomla!’
Wednesday, 17 November 2021 06:07 CST
wynchcote

After migrating my website from Joomla 3.10.3 to Joomla 4.0.4 I see the following Post Installation Message.

---

HTTP Security Headers

Since version 4.0.0

Joomla! comes with a built-in set of tools that help you to handle http security headers. These headers help your browser for example to protect your website from XSS and Clickjacking attacks.

You can find more details in the HTTP Header Management Tutorial in the Joomla! Documentation.

LINK: Enable Default Security Headers.

---

The LINK activates the System - HTTP Headers Plugin.

This enables adding security headers as well as SSL Redirect as well as HSTS.

I am using Admin Tools + Htaccessmaker.

MyJoomla audit shows that all security headers, SSL Redirect and HSTS are OK without enabling the above plugin.

QUESTION

Should website users, who use Admin Tools Htaccessmaker + confirm all security headers are OK using MyJoomla, ignore this new plugin?

Rather than configure and publish it (duplication?).

Thank you for your support.

Ken :)


Custom Fields

Joomla! version (in x.y.z format) 4.0.4
PHP version (in x.y.z format) 7.4
Admin Tools version (x.y.z format) 9.0.8
Wednesday, 17 November 2021 08:15 CST
nicholas

Correct. Since you are already using .htaccess Maker, which sets up these headers, you must not use Joomla's plugin.

Using the .htaccess method is better because the headers are sent more consistently for all requests, not just the HTML document requests Joomla itself handles.



Nicholas K. Dionysopoulos

Lead Developer and Director



🇬🇷 Greek: native

🇬🇧 English: excellent

🇫🇷 French: basic



Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
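The consistency point in the reply above (webserver-level headers reach every response, while the plugin can only decorate the HTML documents Joomla itself renders) and the duplication Ken asks about can both be checked from the outside. The following is an added example, not code from Akeeba's .htaccess Maker or Joomla's plugin: it audits a set of responses for the expected headers and flags any header sent twice. The sample responses, the example.test hostname and the `fetch_headers` helper are constructed for illustration.

```python
"""Check that security headers arrive on every response, not only on Joomla's HTML.

Added example (not Akeeba's or Joomla's code). It compares the headers of an HTML
document, which Joomla's "System - HTTP Headers" plugin can decorate, with those of
a static asset the web server serves directly, and flags headers sent twice, which
is what happens when both .htaccess rules and the plugin set them.
"""
from __future__ import annotations

import urllib.request
from collections import defaultdict

# Headers a practitioner expects on every response, with the reason for each.
EXPECTED = {
    "strict-transport-security": "HSTS: browsers refuse plain HTTP after the first visit",
    "x-frame-options": "clickjacking defence",
    "x-content-type-options": "stops MIME sniffing of assets into scripts/styles",
    "referrer-policy": "limits URL leakage to third parties",
}


def parse_raw_headers(raw: str) -> list[tuple[str, str]]:
    """Turn a raw response (status line plus header lines) into lowercase
    (name, value) pairs, keeping duplicates so a doubled header stays visible."""
    pairs: list[tuple[str, str]] = []
    for line in raw.strip().splitlines()[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def fetch_headers(url: str) -> list[tuple[str, str]]:
    """Live variant (assumed helper): one GET per URL. Not used by the sample run."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return [(name.lower(), value) for name, value in resp.getheaders()]


def audit(responses: dict[str, list[tuple[str, str]]]) -> dict[str, dict]:
    """Per URL: which expected headers are missing and which arrive more than once."""
    report: dict[str, dict] = {}
    for url, pairs in responses.items():
        seen: dict[str, list[str]] = defaultdict(list)
        for name, value in pairs:
            seen[name].append(value)
        report[url] = {
            "missing": sorted(h for h in EXPECTED if h not in seen),
            # A header sent twice means two layers both set it; browsers treat
            # differing duplicate X-Frame-Options values as conflicting.
            "duplicated": {h: v for h, v in seen.items() if h in EXPECTED and len(v) > 1},
        }
    return report


def consistent(report: dict[str, dict]) -> bool:
    """True only if every audited response carries every expected header exactly once."""
    return all(not r["missing"] and not r["duplicated"] for r in report.values())


# Constructed responses for three setups (not captured from a real site).
PLUGIN_ONLY_HTML = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000
"""
PLUGIN_ONLY_CSS = """HTTP/1.1 200 OK
Content-Type: text/css
Cache-Control: max-age=604800
"""
HTACCESS_CSS = """HTTP/1.1 200 OK
Content-Type: text/css
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000
"""
BOTH_HTML = PLUGIN_ONLY_HTML + "X-Frame-Options: SAMEORIGIN\n"


def sample_run() -> dict[str, dict]:
    """Audit the constructed responses; the label says which layer set the headers."""
    return audit({
        "https://example.test/ (plugin only)": parse_raw_headers(PLUGIN_ONLY_HTML),
        "https://example.test/media/site.css (plugin only)": parse_raw_headers(PLUGIN_ONLY_CSS),
        "https://example.test/media/site.css (.htaccess)": parse_raw_headers(HTACCESS_CSS),
        "https://example.test/ (plugin + .htaccess)": parse_raw_headers(BOTH_HTML),
    })


if __name__ == "__main__":
    result = sample_run()
    for url, entry in result.items():
        print(url, entry)
    print("consistent:", consistent(result))
```

In the sample run the static asset served with only the plugin enabled is missing every expected header, and the document served with both layers enabled carries X-Frame-Options twice; only the .htaccess-served asset passes. For a live check, feed `fetch_headers` with the site's front page and one URL under `/media/` or `/images/`.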



Wednesday, 17 November 2021 09:04 CST
wynchcote

Hi Nicholas,

Glad I asked!

Could this be flagged in the Release Notes which accompany the next release?

Is it flagged in the User Guide?

Nothing came up when I searched before submitting my ticket.

Thanks for the as ever quick reply!

Ken :)

Thursday, 18 November 2021 03:34 CST
nicholas

We do not and will not include this in our documentation.

There are some valid use cases where you might want to use Joomla's plugin to define more technical, very advanced headers like Content Security Policy. Here's the problem. I can't explain why not to use it without EITHER dumbing down the explanation to the point that the more technical users will protest that my explanation is factually incorrect OR making it technical enough to be factually correct but impossible for the non-technical audience to understand.

The best policy is, therefore, to say nothing. At worst someone will enable Joomla's plugin and their administrator interface will break (mostly filters and 3PD extensions using inline scripts in HTML attributes, a standard Joomla practice mind you). Our standard troubleshooting has you remove everything .htaccess Maker did which would very quickly demonstrate to an affected user that the problem does not lie with our software. If they ask us we will point out it's probably due to Joomla's plugin and link to Joomla's documentation and forum.

Beyond that, the most important thing I did was something you don't know about: I told the Joomla core maintainers nearly two years ago that this plugin MUST NOT be enabled by default because most users are not technical enough to understand the implications. Otherwise Joomla would have shipped with a plugin which breaks most 3PD and core components by default. It wouldn't really affect our extensions (and we know how to work around it, it's not that hard), but it would have made Joomla very unusable for many people and confuse many 3PDs. That'd be suicidal for a new major version. At least they conceded on that point. I disagree with having a message telling users to enable the plugin but I think it's still a better solution than the broken by default alternative.



Nicholas K. Dionysopoulos

Lead Developer and Director





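Why a Content Security Policy set through Joomla's plugin can break an administrator page that relies on inline scripts in HTML attributes, as the reply above describes, comes down to two CSP rules: inline event handlers are governed by `script-src-attr`, falling back to `script-src` and then `default-src`, and `'unsafe-inline'` is ignored as soon as a nonce or hash source is present. The following is an added example, not Joomla's or Akeeba's code: it applies those rules to constructed policies and a constructed admin-style form so you can predict breakage before publishing the plugin. Joomla's actual default policy is not reproduced here.

```python
"""Predict whether a Content-Security-Policy will block a page's inline scripts.

Added example (not Joomla's or Akeeba's code). Applies the CSP3 fallback chain
(script-src-attr / script-src-elem -> script-src -> default-src) and the CSP2+
rule that 'unsafe-inline' is ignored once a nonce or hash source is present.
The policies and HTML below are constructed.
"""
from __future__ import annotations

import re

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# onclick="...", onchange='...' and friends; <script> elements without a src.
HANDLER_RE = re.compile(r"""\son[a-z]+\s*=\s*["']""", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script\b(?![^>]*\bsrc\s*=)[^>]*>", re.I)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [sources]}; a repeated directive is
    ignored, as browsers do."""
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(directives: dict[str, list[str]], specific: str) -> tuple[str | None, list[str] | None]:
    """Return (directive, sources) that governs `specific` (script-src-attr or
    script-src-elem) after fallback, or (None, None) if nothing restricts scripts."""
    for name in (specific, "script-src", "default-src"):
        if name in directives:
            return name, directives[name]
    return None, None


def inline_allowed(sources: list[str] | None) -> bool:
    """Inline script runs when no directive applies, or when 'unsafe-inline' is
    present and no nonce/hash source disables it. 'unsafe-hashes' with a matching
    hash would permit individual handlers; that is reported as blocked here, the
    conservative answer for a page full of handlers you did not hash."""
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    if any(s.startswith(HASH_OR_NONCE) for s in lowered):
        return False
    return "'unsafe-inline'" in lowered


def scan_html(html: str) -> dict[str, int]:
    """Count the inline constructs a strict policy would block."""
    return {
        "inline_handlers": len(HANDLER_RE.findall(html)),
        "inline_scripts": len(INLINE_SCRIPT_RE.findall(html)),
    }


def csp_impact(html: str, csp: str) -> dict:
    """Combine the page scan with the policy: how many inline constructs would be
    blocked and which directive is responsible for each class."""
    directives = parse_csp(csp)
    usage = scan_html(html)
    attr_dir, attr_src = effective_sources(directives, "script-src-attr")
    elem_dir, elem_src = effective_sources(directives, "script-src-elem")
    blocked_handlers = 0 if inline_allowed(attr_src) else usage["inline_handlers"]
    blocked_scripts = 0 if inline_allowed(elem_src) else usage["inline_scripts"]
    return {
        "handler_directive": attr_dir,
        "script_directive": elem_dir,
        "blocked_inline_handlers": blocked_handlers,
        "blocked_inline_scripts": blocked_scripts,
        "breaks": blocked_handlers + blocked_scripts > 0,
    }


# Constructed fragment in the style of an admin list filter: two inline event
# handlers, one inline script block, one external script.
SAMPLE_ADMIN_HTML = """
<form action="index.php" method="post">
  <select name="filter[state]" onchange="this.form.submit()"><option>Published</option></select>
  <button type="button" onclick="submitForm('apply')">Apply</button>
</form>
<script>window.pageOptions = {"csrf.token": "abc123"};</script>
<script src="/media/system/js/core.min.js"></script>
"""

# Constructed policies, from "breaks everything" to "permissive".
POLICIES = {
    "strict": "default-src 'self'",
    "nonce plus unsafe-inline (inline ignored)": "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'",
    "nonced scripts, inline handlers allowed": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; script-src-attr 'unsafe-inline'",
    "permissive": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, policy in POLICIES.items():
        print(f"{label:45} -> {csp_impact(SAMPLE_ADMIN_HTML, policy)}")
```

Run it against HTML saved from an administrator page and the policy you intend to publish; a non-zero `blocked_inline_handlers` is exactly the symptom described above (filters that stop submitting, buttons that do nothing) before the policy goes live.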
