The security tab includes tools that can safeguard your site, enhance web security without needing any further setup on your original server.
Authentication #
Password Protected Page #
Password Protected Page (formerly named as Admin Key) is an effective security feature that helps safeguard your website from bots, scanners, and unauthorized access. It places a password page in front of the specified path, blocking public access to it.
Password Protected Page is designed to safeguard your website’s admin panel. It offers useful features like cache disabling for the admin and a Super Pass, which allows exemption from blocking and challenges. Therefore it is strongly recommended by Deflect to utilize this feature.
To enable this feature, please create a unique password that is not used anywhere else on your website, as well as enter the path for accessing your website’s editorial section. You will need to share this password securely with other website editors. You can change this password at any time on Deflect.
Common path to protect includes:
- WordPress: /wp-admin
- Drupal: /admin
- Joomla: /administrator
Additional Password Protected Page #
Once you’ve activated the Password Protected Page, you can specify extra paths for safeguarding. This feature proves valuable if you have several admin panels or a development page that you want to keep private.
Password Protected Page Session Expiry #
Defines how long an password protected page session stays active before requiring the password again. By default, its set to 345600 minutes (4 days).
Password Protected Page Session Type #
Links the session for password-protected pages to the browser (User-Agent) rather than the user’s IP address. This helps avoid issues for users with changing IPs, like those on mobile networks or VPNs.
Challenger #
Additional Protection #
When a DDoS attack is not automatically mitigated by Deflect rules and begins to have a negative impact on your server, you can enable Additional Protection (a.k.a. Challenger). It will help Deflect distinguish between real website readers (who are using a web browser) from automated bots.
Challenger does this by serving everyone who requests access to the website a mathematical challenge in JavaScript. The browser solves the challenge and sends back their reply. Most bot cannot do this. When a challenge has been solved, Deflect returns a cookie to the reader’s browser. No further challenges are required from this reader for the next 24 hours.
Challenger protection can be enabled immediately to block bots from reaching your website. However, it may impact readers who do not have JavaScript switched on. It may also block some search engine spiders or crawlers. It should only be enabled if your site is really under attack.
Additional Protection IP Allowlist #
You can define a list of IP addresses that will not be subjected to JavaScript Challenger. However, this doesn’t mean that these IPs will never be banned. Rather, it implies that these select IPs won’t be challenged when all site visitors are put through the above-mentioned setting. This may be necessary for certain monitoring systems, API clients, etc. Nevertheless, these IPs could still be blocked if they exhibit suspicious behavior, such as issuing an excessive number of requests.
Security Headers #
HTTP Strict Transport Security (HSTS) #
HTTP Strict Transport Security is a security header that tells user agents and web browsers to only access the server securely over HTTPS. This means that even if a user attempts to access the server page via HTTP, the browser will automatically use a secure HTTPS connection instead. It helps in reducing the risk of man-in-the-middle attacks.
By enabling this feature, Deflect will send HSTS header to all responses, forcing browsers to always use HTTPS when connecting to your site, even if users type or click on an HTTP link. This helps prevent downgrade and man-in-the-middle attacks.
Once a web server enables the HSTS header, it becomes difficult to disable because the server implements a ‘max-age’ value of one year. Even if Deflect stops sending the HSTS header, browsers that had previously accessed the site while the HSTS header was enabled will continue to enforce secure HTTPS connection until the ‘max-age’ value is exhausted. This makes disabling HSTS a complex process requiring the expiry of the specified ‘max-age’ or manual reset of HSTS settings on individual browsers.
Frame Security (X-Frame-Options) #
The X-Frame-Options HTTP response header is used to indicate whether or not a browser should be allowed to render a web page in the following HTML elements. This is used to prevent clickjacking attacks, by not allowing the page to be displayed in a frame unless it was explicitly allowed to do so.
<frame>
<iframe>
<embed>
<object> Activating this option will cause Deflect to send X-Frame-Options to SAMEORIGIN on all responses. This means that the webpage can only be shown if all parent frames possess the same origin as the webpage.
MIME Type Sniffing (X-Content-Type-Optoins) #
The X-Content-Type-Options security header is used to protect against attacks such as Mimetypes Sniffing. The only defined value, “nosniff”, prevents web browsers from content or MIME type sniffing, ensuring that files are not executed as scripts or HTML if they have a non-script MIME type.
Activating this option will cause Deflect to send X-Content-Type-Optoins headers on all responses.
Referrer Policy #
The Referrer-Policy header is an HTTP header that controls how much referrer information (such as the URL of the previous page) should be included with requests. This is useful in situations where privacy is a concern, as it allows a website to control how much information about the user’s browsing history is passed to the server.
Activating this option will cause Deflect to send the Referrer-Policy header to no-referrer-when-downgrade on all responses, which means browsers will send the full referrer URL only when navigating from HTTPS to another HTTPS page. If the link goes to an insecure HTTP page, no referrer information is shared.
XSS Protection (X-XSS-Protection) #
Activating this option will cause Deflect to send X-XSS-Protection header with value “1; mode=block”. It enables basic browser protection against some types of cross-site scripting (XSS) attacks. Although modern browsers may no longer rely on this header, it adds an extra layer of defense.
Content Security Policy (CSP) #
The Content-Security-Policy header allows web administrators to control which resources a browser can load, helping prevent XSS and other attacks.
By activating this feature, Deflect will send Content-Security-Policy header on all response.
You should exercise caution while setting up CSP. Any errors could prevent vital resources required for the functioning of your website. To avoid potential damage due to incomplete rules, we suggest you activate the Test report only mode for debugging. This uses the Content-Security-Policy-Report-Only which logs any violations in the browser development tools but does not enforce the policy.
WordPress Security #
This feature is designed to shield WordPress sites that may be vulnerable to bots and scanners. It restricts public accessibility to sensitive WordPress endpoints, which include:
- Deny public access to /wp-json
- Deny public access to /xmlrpc.php
IP Blocklist #
Enter the list of IPs to be blocked by Deflect. A blocked IP will only encounter a 403 error page as it will not have access to your site.
