
Better security mode (HTTPS and other features)

Robert Isoski edited this page Jan 2, 2023 · 6 revisions

Force HTTPS

  • You can turn Force HTTPS -> ON in Settings -> Security.
  • WonderCMS automatically checks for SSL. Turning this option "ON" forces WonderCMS to always use HTTPS.

Additional better security mode (HTTPS and other features)

Note: since overwriting ".htaccess" through WonderCMS is no longer supported (it can break your website), users can manually overwrite their ".htaccess" with the config that follows the warnings below.

Better security mode works on Apache servers / hosting packages. External instructions for tuning NGINX are at the bottom of this page.

Important: read before manually overwriting your ".htaccess" file

  • Create a backup of your website (Settings -> Security) before making any changes.
  • The HTTPS redirect feature works best if WonderCMS is installed at the root of your website (not in a subfolder).
  • Contact your host and make sure your website supports the included HTTPS://www redirect, or activating this MAY BREAK YOUR WEBSITE. Also check that you have a valid HTTPS certificate.
  • It may take some time for changes to take effect.

If anything goes wrong and you cannot access your website normally after overwriting your ".htaccess" file: open the ".htaccess" file on your server and replace all of its content with the default ".htaccess": https://github.com/WonderCMS/wondercms/blob/main/.htaccess

# Requires mod_headers and mod_rewrite; if either is missing, Apache answers every request with a 500 error.

# Tell browsers to use HTTPS only for one year (sent on HTTPS responses only)
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
# Let browsers and proxies cache responses for about a month
Header set Cache-Control "max-age=2628000, public"

# No directory listings, no Apache version in error pages
Options -Indexes
ServerSignature Off
RewriteEngine on

# Send any non-www host to https://www. ...
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# ... and any plain HTTP request to HTTPS (X-Forwarded-Proto covers a TLS-terminating proxy in front of Apache)
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Clean URLs: anything that is not a real file or directory is routed to index.php?page=...
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA,L]
# Never serve the database or cache file directly
RewriteRule database.js - [F]
RewriteRule cache.json - [F]

# Mark every cookie HttpOnly so page scripts cannot read it
Header always edit Set-Cookie (.*) "$1; HTTPOnly"
# Legacy browser XSS filter; current browsers ignore this header
Header always set X-XSS-Protection "1; mode=block"
# Stop browsers from guessing content types
Header always set X-Content-Type-Options nosniff
# Allow framing only from the same origin
Header always append X-Frame-Options SAMEORIGIN
# Full URL only to the same origin, just the origin cross-origin, nothing on HTTPS -> HTTP
Header set Referrer-Policy strict-origin-when-cross-origin

What happens when you use the better security mode (in other words, when you overwrite the ".htaccess" file)

  • turns off directory listing // included in WonderCMS by default
  • turns off the server signature // included by default
  • denies direct access to database.js // included by default
  • creates clean URLs (example.com/?page=home TO example.com/home) // included by default
  • always redirects to https://www on your website
  • a stricter cookie policy (every cookie is marked HttpOnly)
  • additional XSS protection: the server asks the browser to enable its XSS filter even when the user has it turned off
  • MIME type sniffing prevention
  • iframes allowed only from the same origin
  • a stricter referrer policy
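After overwriting ".htaccess", it is worth confirming that the server really sends these headers and redirects. The following is an added example, not code from WonderCMS or this wiki: it audits a response head as printed by `curl -sI` against the header policy above; the sample responses and the example.com host are constructed.

```python
from __future__ import annotations

# Expected values mirror the Header directives in the "better security" .htaccess.
EXPECTED = {
    "strict-transport-security": "max-age=31536000",
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "referrer-policy": "strict-origin-when-cross-origin",
    "x-xss-protection": "1; mode=block",
}

def parse_head(raw: str) -> tuple[int, list[tuple[str, str]]]:
    """Parse a response head as `curl -sI` prints it: status line, then "Name: value"
    lines. Names are lowercased; a list is returned because Set-Cookie may repeat."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    hdrs = []
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        hdrs.append((name.strip().lower(), value.strip()))
    return status, hdrs

def audit_headers(raw: str) -> list[str]:
    """Findings for the final HTTPS page; an empty list means it matches the policy."""
    _, hdrs = parse_head(raw)
    findings = []
    for name, want in EXPECTED.items():
        got = [v for n, v in hdrs if n == name]
        if not got:
            findings.append(f"missing header: {name}")
        elif want.lower() not in got[0].lower():
            findings.append(f"unexpected {name}: {got[0]!r} (want {want!r})")
    # "Header always edit Set-Cookie" should have added HttpOnly to every cookie.
    for n, v in hdrs:
        if n == "set-cookie" and "httponly" not in v.lower():
            findings.append(f"cookie without HttpOnly: {v.split(';')[0]}")
    return findings

def redirect_ok(raw: str) -> bool:
    """True if a plain-http or non-www request got the 301 to https://www. the rules send."""
    status, hdrs = parse_head(raw)
    location = next((v for n, v in hdrs if n == "location"), "")
    return status == 301 and location.startswith("https://www.")

# Constructed sample response heads (not captured from a real site).
HTTPS_OK = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin"""
HTTP_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/home"
```

Pipe the output of `curl -sI http://example.com/` and `curl -sI https://www.example.com/` into `redirect_ok` and `audit_headers` respectively; a non-empty findings list tells you which directive the server is not honouring.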

NGINX

Check the official nginx website for instructions on enabling HTTPS.

Default ".htaccess" file

Options -Indexes
ServerSignature Off
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA,L]
RewriteRule database.js - [F]
RewriteRule cache.json - [F]