GoDaddy Website Gets a Grade F on Security Headers


Recently, I've been working on a website hosted on GoDaddy.

I checked the website's HTTP response headers using Security Headers by Snyk - https://securityheaders.com/ - which analyses the headers a site returns and grades the result.

Ouch, Grade F. No security headers implemented by default on GoDaddy-hosted websites.
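To see exactly which of these headers a site is (or isn't) sending without relying on the online scanner, here is a small checker. It is an added example, not code from the original post or from Snyk; it looks for the same five headers the post's .htaccess snippet sets and flags weak values. The minimum-value rules (a one-year HSTS max-age, DENY/SAMEORIGIN for X-Frame-Options, rejecting unsafe-url) are my own assumptions about sensible settings, not the scanner's exact grading, and the sample header sets are constructed.

```python
"""Audit HTTP response headers for the five security headers the post adds.

Added example, not part of the original post. The validators encode the
author's assumptions about sensible minimums, not securityheaders.com's
grading rules.
"""
from __future__ import annotations

import re
import urllib.request

ONE_YEAR = 31536000  # seconds, the max-age used in the post's snippet


def _check_hsts(value: str) -> str | None:
    """HSTS needs a max-age of at least a year; includeSubDomains is expected."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "missing max-age directive"
    if int(m.group(1)) < ONE_YEAR:
        return f"max-age {m.group(1)} is shorter than one year"
    if "includesubdomains" not in value.lower():
        return "includeSubDomains not set"
    return None


def _check_xfo(value: str) -> str | None:
    """Only DENY and SAMEORIGIN are meaningful anti-framing values."""
    v = value.strip().upper()
    return None if v in ("DENY", "SAMEORIGIN") else f"unexpected value {value!r}"


def _check_nosniff(value: str) -> str | None:
    return None if value.strip().lower() == "nosniff" else f"expected 'nosniff', got {value!r}"


def _check_referrer(value: str) -> str | None:
    """unsafe-url sends the full URL (path and query) to every origin."""
    return None if value.strip().lower() != "unsafe-url" else "unsafe-url leaks the full URL cross-origin"


def _check_present(value: str) -> str | None:
    return None if value.strip() else "empty value"


# Header name (lower-case) -> validator for its value.
REQUIRED = {
    "strict-transport-security": _check_hsts,
    "x-frame-options": _check_xfo,
    "x-content-type-options": _check_nosniff,
    "referrer-policy": _check_referrer,
    "permissions-policy": _check_present,
}


def audit_headers(headers: dict) -> dict:
    """Classify each required header as missing, weak (with a reason) or ok."""
    lowered = {k.lower(): v for k, v in headers.items()}
    result: dict = {"missing": [], "weak": {}, "ok": []}
    for name, check in REQUIRED.items():
        if name not in lowered:
            result["missing"].append(name)
            continue
        problem = check(lowered[name])
        if problem:
            result["weak"][name] = problem
        else:
            result["ok"].append(name)
    return result


def fetch_headers(url: str, timeout: float = 10.0) -> dict:
    """Fetch only the response headers for url with a HEAD request."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-audit/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample: a response with no security headers at all (the Grade F case).
SAMPLE_NO_HEADERS = {"Content-Type": "text/html; charset=UTF-8", "Server": "Apache"}

# Constructed sample: what the post's .htaccess would produce if the host honoured it.
SAMPLE_FIXED = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains;",
    "Permissions-Policy": "geolocation=(self), microphone=(self), camera=(self), "
                          "fullscreen=*, accelerometer=(self), autoplay=(self)",
}

if __name__ == "__main__":
    import sys
    # Pass a URL to audit a live site; with no argument the constructed sample is used.
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NO_HEADERS
    print(audit_headers(hdrs))
```

Run it as `python audit.py https://your-site.example/` after uploading the .htaccess file; if every header still lands in `missing`, the host is not applying the directives at all, which is a different problem from a weak value.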

Okay, that's an easy fix. Just add the following security headers at the beginning of the .htaccess file:

# These directives need Apache's mod_headers; "always" also applies the header to error responses
# Add X-Content-Type-Options header (stops MIME-type sniffing)
Header set X-Content-Type-Options "nosniff"

# Protect against "ClickJacking" attacks (only allow framing from the same origin)
Header always set X-Frame-Options "SAMEORIGIN"

# Add a Referrer-Policy
Header set Referrer-Policy "no-referrer-when-downgrade"

# Add a Strict-Transport-Security header (one year, covering subdomains)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains;"

# Add a Permissions-Policy header
Header set Permissions-Policy "geolocation=(self), microphone=(self), camera=(self), fullscreen=*, accelerometer=(self), autoplay=(self)"

I used WinSCP to search for an existing .htaccess file. I couldn't find one. No problem, I'll create one with those security headers in it.

Upload the .htaccess file and test again. Same result. Bugger!

Further investigation reveals that GoDaddy's hosting rejects the .htaccess file, even though it works elsewhere:

Parse errors for /?????????/.htaccess:
- unsupported directive Header set X-Content-Type-Options nosniff
- unsupported directive Header always set X-Frame-Options SAMEORIGIN
- unsupported directive Header set Referrer-Policy no-referrer-when-downgrade
- unsupported directive Header always set Strict-Transport-Security max-age=31536000; includeSubDomains;
- unsupported directive Header set Permissions-Policy geolocation=(self), microphone=(self), camera=(self), fullscreen=*, accelerometer=(self), autoplay=(self)

So far, I've been unable to get GoDaddy's support team to help me resolve this issue and implement the security headers.

Perhaps GoDaddy doesn't prioritise the security provided by websites hosted on their platforms.

Or GoDaddy may have some other way of implementing security headers, but doesn't want to tell me what it is.

I'll be looking forward to finding out what the fix is!
