Search Results
395 total results found
OpenSSH < 9.6 Multiple Vulnerabilities
OpenSSL 3.0.0 < 3.0.12 Vulnerability
OpenSSL 3.0.0 < 3.0.13 Vulnerability
Path Traversal
Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
Server Leaks Version Information via "Server" HTTP Response Header Field
SMB Signing not required
SQL Injection
SQL Injection - MySQL
SSH Server CBC Mode Ciphers Enabled
SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)
SSH Weak Key Exchange Algorithms Enabled
SSL Anonymous Cipher Suites Supported
SSL Certificate Cannot Be Trusted
SSL Certificate Expiry
SSL Self-Signed Certificate
Sub Resource Integrity Attribute Missing
Timestamp Disclosure - Unix
TLS Version 1.0 Protocol Detection
TLS Version 1.1 Protocol Deprecated
Drupal
WordPress
Joomla
Drupal
Generic / Developer guidance
Linux (Debian/Ubuntu)
Linux (RHEL/CentOS/AlmaLinux)
Windows
Microsoft IIS webserver
Nginx webserver
Apache webserver
WordPress
Joomla
Drupal
Generic / Developer guidance
WordPress
Joomla
Drupal
Microsoft IIS webserver
Nginx webserver
Remediation Steps
Follow the steps below to remediate this finding on Drupal.
Install and enable the Security Kit (SecKit) module:
composer require drupal/seckit
drush en seckit
Navigate to Admin > Configuration > System > Security Kit.
Under the "Content Type Sniffing" section, e...
Remediation Steps
Follow the steps below to remediate this finding on WordPress.
Ensure all forms use WordPress nonces for CSRF protection.
In form output:
wp_nonce_field('my_action', 'my_nonce_field');
In form processing:
if (!isset($_POST['my_nonce_field']) || !wp_verify_nonce($_...
Remediation Steps
Follow the steps below to remediate this finding on Joomla.
Joomla's Form API includes CSRF tokens automatically via JSession::checkToken().
In your form template, add:
<?php echo JHtml::_('form.token'); ?>
In your controller, validate:
JSession::checkToken() or j...
Remediation Steps
Follow the steps below to remediate this finding on Drupal.
Drupal's Form API adds CSRF tokens automatically to all forms built with the Form API.
Ensure all custom forms extend \Drupal\Core\Form\FormBase and use the standard buildForm/submitForm pattern.
For cu...
Remediation Steps
Follow the steps below to remediate this finding on Generic / Developer guidance.
Add a per-session, per-form CSRF token to every state-changing HTML form and validate it server-side.
Generation example (PHP):
$token = bin2hex(random_bytes(32));
$_SESSION['csrf_...
Remediation Steps
Follow the steps below to remediate this finding on Linux (Debian/Ubuntu).
Update Apache to the latest available version:
sudo apt update
sudo apt upgrade apache2
Verify the installed version:
apache2 -v
Restart Apache after upgrading:
s...
Remediation Steps
Follow the steps below to remediate this finding on Linux (RHEL/CentOS/AlmaLinux).
Update Apache via the package manager:
sudo yum update httpd # RHEL/CentOS 7
sudo dnf update httpd # RHEL/CentOS 8+ / AlmaLinux
Verify the installed ve...
Remediation Steps
Follow the steps below to remediate this finding on Windows.
Download the latest Apache binary from the Apache Lounge (https://www.apachelounge.com/download/) or the official Apache website.
Stop the Apache service:
net stop Apache2.4
Back up your configuration f...
Remediation Steps
Follow the steps below to remediate this finding on Microsoft IIS webserver.
Configure custom error pages so that detailed error information is never sent to clients.
Open IIS Manager > select your site > Error Pages.
For each HTTP error code, set the response t...
Remediation Steps
Follow the steps below to remediate this finding on Nginx webserver.
In your nginx.conf or server block, add generic error page directives:
error_page 500 502 503 504 /50x.html;
location = /50x.html { root /usr/share/nginx/html; internal; }
For PHP-FPM, ensure d...
Remediation Steps
Follow the steps below to remediate this finding on Apache webserver.
In your Apache configuration or .htaccess file, configure custom error pages:
ErrorDocument 500 /errors/500.html
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
In php.in...
Remediation Steps
Follow the steps below to remediate this finding on WordPress.
In wp-config.php, disable debug output:
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
define('WP_DEBUG_LOG', false);
If the site previously had WP_DEBUG enabled, ensure the debug.log ...
Remediation Steps
Follow the steps below to remediate this finding on Joomla.
In the Joomla Administrator panel, go to System > Global Configuration > Server tab.
Set Error Reporting to None.
Also set Force HTTPS to Entire site if not already done.
Click Save.
Remediation Steps
Follow the steps below to remediate this finding on Drupal.
In the Drupal Administrator panel, go to Administration > Configuration > Development > Logging and errors.
Set "Error messages to display" to None.
Ensure display_errors is disabled in php.ini on the s...
Remediation Steps
Follow the steps below to remediate this finding on Generic / Developer guidance.
Redirects that carry large response bodies may expose sensitive data in the Location header or response body before the browser follows the redirect.
Audit all redirect responses ...
Remediation Steps
Follow the steps below to remediate this finding on WordPress.
Review plugins that perform redirects (e.g., redirect managers, social login plugins) and verify they do not append sensitive query parameters to the Location URL.
Add the following to your theme's ...
Remediation Steps
Follow the steps below to remediate this finding on Joomla.
Review Joomla's Redirect Manager (Components > Redirect) and ensure no sensitive GET parameters are preserved in destination URLs.
In custom components, always call $app->redirect($url); followed by ex...
Remediation Steps
Follow the steps below to remediate this finding on Drupal.
Audit any custom redirect logic in hook_form_submit or EventSubscriber implementations.
Use the Drupal redirect service:
$response = new \Symfony\Component\HttpFoundation\RedirectResponse($url);
$respon...
Remediation Steps
Follow the steps below to remediate this finding on Microsoft IIS webserver.
Open IIS Manager and select the site or virtual directory.
Double-click Directory Browsing in the Features pane.
In the Actions pane on the right, click Disable.
Alternatively, in web.co...
Remediation Steps
Follow the steps below to remediate this finding on Nginx webserver.
Ensure the autoindex directive is disabled (it is off by default).
In your server or location block, explicitly set:
autoindex off;
Reload Nginx:
sudo systemctl reload nginx