Search Results
395 total results found
Remediation Steps
Follow the steps below to remediate this finding on Generic / Developer guidance.
DOM-based XSS occurs when JavaScript reads untrusted data (URL fragments, query strings, localStorage) and writes it to the DOM without sanitisation.
Remediation steps:
Never pass ...
Remediation Steps
Follow the steps below to remediate this finding on WordPress.
Audit custom JavaScript files in your theme and plugins for unsafe DOM writes.
Use wp_localize_script() to safely pass server-side data to scripts instead of embedding raw data in HTML.
Escape values...
Remediation Steps
Follow the steps below to remediate this finding on Joomla.
Review template JavaScript files and Joomla component JS for unsafe DOM manipulation.
Use JUri to construct URLs safely server-side rather than building them from raw user input in JavaScript.
Sanitise ...
Remediation Steps
Follow the steps below to remediate this finding on Drupal.
Audit custom module JavaScript files for unsafe DOM writes.
Use Drupal.behaviors to attach JS safely.
Pass server-side data to JavaScript via drupalSettings (set in PHP with #attached['drupalSettings'])...
Remediation Steps
Follow the steps below to remediate this finding on Generic / Developer guidance.
Reflected XSS occurs when user-supplied input is echoed back in the HTTP response without proper encoding.
Remediation steps:
Validate all input against an allowlist of expected ch...
Remediation Steps
Follow the steps below to remediate this finding on WordPress.
Use WordPress escaping functions before outputting any dynamic data:
esc_html() — for HTML content
esc_attr() — for HTML attributes
esc_url() — for URLs
esc_js() — for inline JavaScript
wp_kses() / wp_k...
Remediation Steps
Follow the steps below to remediate this finding on Joomla.
Use Joomla's JFilterInput or InputFilter to sanitise input:
$input = JFactory::getApplication()->input;
$value = $input->get('param', '', 'STRING');
For output, use JText::_() for translated strings and...
Remediation Steps
Follow the steps below to remediate this finding on Drupal.
Use Drupal's input sanitisation and output escaping functions:
\Drupal\Component\Utility\Html::escape($string) — HTML context
\Drupal\Component\Utility\UrlHelper::filterQueryParameters() — URL context
Us...
Remediation Steps
Follow the steps below to remediate this finding on Microsoft IIS webserver.
Open IIS Manager.
Select your website.
Double-click HTTP Response Headers.
Click Add in the Actions pane and enter:
NAME: Strict-Transport-Security
VALUE: max-age=31536000; includeSubDomai...
Remediation Steps
Follow the steps below to remediate this finding on Nginx webserver.
In your nginx.conf server block (HTTPS only), add:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
Reload Nginx:
sudo systemctl reload nginx
Remediation Steps
Follow the steps below to remediate this finding on Apache webserver.
Ensure mod_headers is enabled:
sudo a2enmod headers
Add to your HTTPS VirtualHost or apache2.conf:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Relo...
Remediation Steps
Follow the steps below to remediate this finding on Plesk.
Log in to the Plesk control panel.
Navigate to Domains > your domain > Apache & nginx Settings.
Under "Additional nginx directives", add:
add_header Strict-Transport-Security "max-age=31536000; includeSub...
Remediation Steps
Follow the steps below to remediate this finding on WordPress.
Add the following to your theme's functions.php:
add_action('send_headers', function() {
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
});
Alternatively, if using...
Remediation Steps
Follow the steps below to remediate this finding on Joomla.
Edit the .htaccess file in the Joomla root directory and add:
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
Alternativel...
Remediation Steps
Follow the steps below to remediate this finding on Drupal.
Install and enable the Security Kit (SecKit) module:
composer require drupal/seckit
drush en seckit
Navigate to Admin > Configuration > System > Security Kit.
Under the "HTTP Strict Transport Security" s...
Remediation Steps
Follow the steps below to remediate this finding on Apache webserver.
Prevent direct access to .htaccess files by adding the following to your main Apache configuration (apache2.conf or httpd.conf):
<Files ".ht*">
    Require all denied
</Files>
This blocks access t...
Remediation Steps
Follow the steps below to remediate this finding on Nginx webserver.
Nginx does not use .htaccess files. If .htaccess files exist on the server, deny access in your server block:
location ~ /\.ht {
    deny all;
}
Reload Nginx:
sudo systemctl reload nginx
Remediation Steps
Follow the steps below to remediate this finding on Plesk.
Log in to the Plesk control panel.
Navigate to Domains > your domain > Apache & nginx Settings.
Under "Additional Apache directives", add:
<Files ".ht*">
    Require all denied
</Files>
Click Apply.
Remediation Steps
Follow the steps below to remediate this finding on Linux (Debian/Ubuntu).
Block ICMP timestamp requests using iptables or nftables.
With iptables:
sudo iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
sudo iptables -A OUTPUT -p icmp --icmp-type t...
Remediation Steps
Follow the steps below to remediate this finding on Linux (RHEL/CentOS/AlmaLinux).
Block ICMP timestamp requests using firewalld or iptables.
With firewalld:
sudo firewall-cmd --permanent --add-rich-rule='rule protocol value="icmp" icmp-type name="timestamp-requ...