Security and privacy with TLS
TLS (Transport Layer Security; previously SSL, Secure Sockets Layer) is a set of cryptographic protocols providing encrypted connections over a computer network. The protocol used for accessing web pages, HTTP, wrapped in TLS is known as HTTPS (Hypertext Transfer Protocol Secure) and is a standard of the modern web.
TLS certificates issued by certificate authorities (CAs) are used for asymmetric encryption: the web browser obtains the website’s public key and uses it to encrypt information that can be decrypted only with the corresponding private key, known solely to the destination server, so nobody can read the data even if the whole communication is intercepted. This handshake establishes a shared key for symmetric encryption, where encryption and decryption use the same secret, for optimal performance.
Most websites and forums exchange sensitive information such as passwords, IP addresses and personally identifiable information protected by law in most countries — not having all of your website’s connections secured can result in disclosure of such data in cases as simple as using a public internet hotspot, which is why major web browsers have started displaying warnings when the security of the connection is questionable. Modern web server software allows administrators to set up HTTPS without significant performance or compatibility drawbacks, and we strongly recommend that board administrators upgrade their boards to support HTTPS and enforce it.
Obtaining a TLS certificate & configuring the server
The TLS certificate for a public website needs to be issued by a certificate authority trusted by major web browsers, which validates the ownership of the domain. Certificates can be obtained from CAs directly as well as from domain and web hosting providers — it’s possible that your host offers them or that one is already included in your package.
Configuring the web server to present a valid certificate depends on the operating system and platform — refer to external resources:
and select the software you’re using. If you’re configuring a server yourself, follow current recommendations for protocol versions and cipher suites.
It’s also possible to use Let’s Encrypt, an automated CA providing free certificates with a comparable level of security and tools that make the setup and certificate renewal process easier — refer to certbot.eff.org for installation instructions and make yourself familiar with its usage guide.
Reverse proxies
If your website sits behind a reverse proxy (such as Amazon CloudFront or Cloudflare), you should set up both connections (between your users and the proxy server as well as between the proxy server and the origin server) to use HTTPS. For example, Cloudflare provides Origin CA certificates that can be installed on your server so that it can communicate with Cloudflare securely; you can also use certificates provided by Let’s Encrypt. Remember to instruct the proxy server to always use secure connections on both sides.
Switching and enforcing HTTPS
MyBB settings
Update the Board URL in the ACP under Settings → Site Details to reflect the change, replacing http:// with https://.
Protocol redirection
Once your forum works properly under the new protocol, you can set up your server to redirect your visitors to the new address.
- Apache servers:
First, add the following line to the .htaccess file in your forum’s main directory or to your VirtualHost file if it’s not already present:
RewriteEngine On
Following that statement, insert a rule that redirects the traffic, changing the protocol, under the condition that the request is not already HTTPS:
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Alternatively, if you use a reverse proxy and the connection between the proxy and your server doesn’t happen over HTTPS (which is highly discouraged), you might need your server to check the value of the X-Forwarded-Proto header (supplied by the reverse proxy) instead:
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Make sure this is the first redirect rule, so that the protocol redirection is always the first one performed.
- nginx servers:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
If the connection between a reverse proxy and your server doesn’t happen over HTTPS, check the X-Forwarded-Proto header in the server block that handles the proxied requests instead:
if ($http_x_forwarded_proto = "http") {
    return 301 https://$server_name$request_uri;
}
Removing mixed content
Mixed content (insecure content) occurs when the initial page is delivered over HTTPS, but includes content (such as images, videos, etc.) downloaded through insecure HTTP, limiting the security benefits of HTTPS (read more).
Templates and CSS
Some resources, like images, CSS or JavaScript files, might be loaded through your MyBB theme’s CSS files (Templates & Style → Themes) and templates (Templates & Style → Templates). Those are usually located in the headerinclude template (Ungrouped Templates). You can also use the Search/Replace utility to find all occurrences of http:// and replace them with https://, making sure these resources work correctly under the new address first.
User content
A standard MyBB installation inserts external content into the forum page source based on user input in two places:
- avatars, when a user provides a link to an external image instead of uploading one,
- MyCode output, when [img] and [video] tags are translated to HTML’s <img> (images) and <iframe> & <embed> (video widgets), displayed directly on the forum’s pages.
As long as users provide HTTPS-based URLs for these elements, browsers will render the page properly; however, a single insecure element can cause browsers to block such mixed content and display a warning.
This can be addressed by installing DVZ Secure Content, a MyBB 1.8.x plugin with the two operating modes described below.
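To locate the insecure elements described above (the <img>, <iframe> and <embed> output of avatars and MyCode, plus scripts and stylesheets) in a rendered page, here is an added Python scanner that is not part of MyBB or the DVZ Secure Content plugin; the sample HTML is constructed.

```python
"""Find subresources that a page loads over plain HTTP (mixed content).
Added example; not code from MyBB or DVZ Secure Content."""
from html.parser import HTMLParser

# Elements and attributes that fetch remote content into the page. Plain <a href>
# links are navigation, not subresources, so they are deliberately not listed.
_REMOTE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "embed": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # <link rel="canonical"> and similar are metadata, not fetched resources.
        if tag == "link" and (a.get("rel") or "").lower() not in ("stylesheet", "icon", "preload"):
            return
        for name in _REMOTE_ATTRS.get(tag, ()):
            value = a.get(name) or ""
            # Protocol-relative (//host/...) and https:// URLs are fine under HTTPS.
            if value.lower().startswith("http://"):
                self.insecure.append((tag, name, value))

def find_mixed_content(html):
    """Return a list of (tag, attribute, url) for every HTTP-scheme subresource."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.insecure

# Constructed sample resembling a rendered post: an insecure avatar, an insecure
# [video] widget, a correctly secured image and a harmless navigation link.
SAMPLE_PAGE = """
<img src="http://avatars.example.test/u42.png" alt="avatar">
<img src="https://i.example.test/ok.png">
<iframe src="http://player.example.test/embed/abc"></iframe>
<a href="http://example.test/">a link, not mixed content</a>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"insecure <{tag} {attr}> -> {url}")
```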
- Blocking insecure resources
A simple and straightforward way to make your forum work properly under HTTPS is blocking all elements pointed to using http:// — simply make sure the Filter non-HTTPS MyCode images and Block non-HTTPS avatars settings are set to On under Configuration → Settings → DVZ Secure Content. You can notify your forum’s users that images and videos will only be displayed if they provide https:// URLs.
- Proxying insecure resources
With a resource proxy it’s possible to keep displaying all content securely, regardless of the protocol of the original resource. Instead of pointing browsers to the original URLs (that your forum users provide), the content can be served from your own server, which first fetches it from the original server and then forwards it to the end user — always over HTTPS.
This requires a resource proxy script, ideally running on a server other than your forum’s (you will need a VPS or a dedicated server):
- github.com/atmos/camo for NodeJS,
- github.com/ankane/camo for Ruby.
After setting up a resource proxy, configure the mentioned plugin by setting Image proxy to On and configure the remaining settings. An example configuration for the atmos/camo implementation:
- Image proxy URL scheme: {PROXY_URL}{DIGEST}/{URL}
- Image proxy URL: https://camo-url.example.com/
- Image proxy key: 0x24FEEDFACEDEADBEEFCAFE
- Image proxy digest algorithm: sha1
- Image proxy forwarded URL protocol: No changes
- Image proxy forwarded URL encoding: Hex encoding
This can vary with each implementation — if you’re having problems, consult the script’s documentation or create a support thread.
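As an added example (not the plugin’s or camo’s own code), the following Python builds and verifies proxy URLs using exactly the settings listed above: HMAC-SHA1 over the original URL under the shared key, a hex-encoded URL, and the {PROXY_URL}{DIGEST}/{URL} scheme. Treating the key as an ASCII string is an assumption, and the hostname and key are the page’s example values.

```python
"""Build and verify resource-proxy URLs in the camo form configured above.
Added example; not code from DVZ Secure Content or atmos/camo."""
import hashlib
import hmac

PROXY_URL = "https://camo-url.example.com/"   # Image proxy URL (page example)
PROXY_KEY = b"0x24FEEDFACEDEADBEEFCAFE"       # Image proxy key, used as an ASCII string (assumption)
DIGEST_ALG = "sha1"                           # Image proxy digest algorithm

def camo_digest(url, key=PROXY_KEY, alg=DIGEST_ALG):
    """HMAC of the original URL under the shared key. The proxy recomputes it and refuses a
    mismatch, so the proxy cannot be used to fetch arbitrary URLs by anyone without the key."""
    return hmac.new(key, url.encode("utf-8"), getattr(hashlib, alg)).hexdigest()

def build_proxy_url(url, proxy_url=PROXY_URL, key=PROXY_KEY, alg=DIGEST_ALG):
    """What the forum emits: {PROXY_URL}{DIGEST}/{URL} with the URL hex-encoded."""
    hex_url = url.encode("utf-8").hex()       # "Hex encoding" setting
    return f"{proxy_url}{camo_digest(url, key, alg)}/{hex_url}"

def verify_proxy_url(proxied, proxy_url=PROXY_URL, key=PROXY_KEY, alg=DIGEST_ALG):
    """What the proxy does on each request: decode the URL, recompute the digest and compare
    it in constant time. Returns the original URL, or None if the request is not authentic."""
    if not proxied.startswith(proxy_url):
        return None
    digest, _, hex_url = proxied[len(proxy_url):].partition("/")
    try:
        url = bytes.fromhex(hex_url).decode("utf-8")
    except ValueError:
        return None
    if not hmac.compare_digest(digest, camo_digest(url, key, alg)):
        return None
    return url

if __name__ == "__main__":
    # Constructed user-supplied image URL
    original = "http://images.example.test/cat.png"
    proxied = build_proxy_url(original)
    print(proxied)
    print("proxy accepts:", verify_proxy_url(proxied) == original)
```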
You can also decide whether all resources or only HTTP ones should be proxied in the Image proxy policy and Proxy avatars settings. Proxying all remote resources has a positive impact on your forum users’ privacy, because information like their IP addresses and operating system & browser-related details is revealed only to the resource proxy server (in most cases operated by the same people that operate the forum itself). Third-party servers, where such resources are stored, will only receive information related to the proxy server that relays the data further.
After configuring your setup, use the plugin’s tools available on Configuration → Plugins to secure the video widget templates and avatars — all Security overview indicators should read Yes (with the exception of All remote resources proxied, if you didn’t decide to use a resource proxy).
Custom MyCode
If your board takes advantage of custom MyCode tags, review the Replacement codes and make sure they don’t load external content over the unsecured protocol.
Security headers
Additional headers, added to every response from your server, can contain directives instructing browsers to react to security-related events in the desired way. You can find a more detailed list here.
Basic security headers
Header name | Suggested value for MyBB | Description |
---|---|---|
Strict-Transport-Security | max-age=31536000; includeSubDomains; preload | Prevents the browser from downgrading connections to your website to plaintext HTTP until the max-age time has elapsed. If includeSubDomains is specified, the rule applies to all subdomains. The preload part indicates that this rule can be hardcoded into web browsers (read more). Include it only once your forum is working correctly under HTTPS (you can set max-age to a shorter period first and increase it afterwards). |
Content-Security-Policy | upgrade-insecure-requests; default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'none'; base-uri 'self' | Instructs the browser to upgrade included HTTP resources to HTTPS, block unsecured elements, disallow including the website in frames and limit the use of <base> elements. |
X-Frame-Options | deny | Improves protection against clickjacking by preventing the website from being displayed in frames. |
X-XSS-Protection | 1; mode=block | Enables the browser’s XSS filter. |
X-Content-Type-Options | nosniff | Instructs the browser to interpret file types according to the Content-Type header. |
The Content-Security-Policy can be further fine-tuned to define the allowed sources for specific types of content and how they may be included on the website. The exact policy depends heavily on the forum’s configuration, and some rules are not possible (e.g. MyBB requires inline scripts to be allowed).
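An added Python check (not part of MyBB) that audits a response’s headers against the suggested values above for the HSTS, CSP, X-Frame-Options and X-Content-Type-Options rows. It works on a header dictionary, so the constructed samples run offline and the same function can be fed the headers of a real response.

```python
"""Audit security headers against the values suggested for MyBB. Added example, not MyBB code."""
import re

ONE_YEAR = 31536000  # max-age suggested in the table

def audit_security_headers(headers):
    """Return a list of findings; an empty list means every check passed.
    Header names are compared case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    # Directive names are the first token of each ';'-separated part of the CSP.
    csp = h.get("content-security-policy", "")
    directives = {part.strip().split(" ")[0] for part in csp.split(";") if part.strip()}
    for required in ("upgrade-insecure-requests", "frame-ancestors", "base-uri"):
        if required not in directives:
            findings.append(f"CSP lacks {required}")

    if h.get("x-frame-options", "").lower() not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options not set to deny/sameorigin")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not nosniff")
    return findings

# Constructed samples: the table's suggested values, and a weak set for comparison.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "upgrade-insecure-requests; default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'none'; base-uri 'self'",
    "X-Frame-Options": "deny",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}
WEAK_HEADERS = {"strict-transport-security": "max-age=3600", "X-Frame-Options": "ALLOW-FROM https://x.test"}

if __name__ == "__main__":
    print("suggested values:", audit_security_headers(GOOD_HEADERS) or "OK")
    print("weak set:", audit_security_headers(WEAK_HEADERS))
```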
Adding headers to server responses
- On Apache servers, make sure the mod_headers module is enabled and add each header on a separate line to the .htaccess file or your VirtualHost file:
Header always set HeaderName "headerValue"
replacing HeaderName and headerValue with the intended values (see the mod_headers documentation).
- On nginx servers, make sure the ngx_http_headers_module module is enabled and add each header on a separate line to the location block:
add_header HeaderName "headerValue";
replacing HeaderName and headerValue with the intended values; quote values that contain spaces or semicolons (see the ngx_http_headers_module documentation). Note that add_header directives in a nested block replace all those inherited from the enclosing level, so repeat the whole set in every block that sets one.
Secure cookies
Once HTTPS is configured, browsers should be informed that cookies (which contain sensitive information) should only be sent over a secure connection: set the Secure Cookie Flag setting under Configuration → Site Details to Yes (available on MyBB 1.8.9 and up).
Subresource Integrity
If your board takes advantage of resources (such as CSS or JavaScript files) stored on remote servers like CDN providers, it’s a good idea to use Subresource Integrity (SRI). This feature allows the browser to check a file’s checksum before running it and therefore protects the original website if the file has been modified, potentially by a malicious party.
SRI can be implemented by including the integrity="..." attribute in <link> and <script> elements, e.g.:
<script src="https://code.jquery.com/jquery-3.1.1.min.js" integrity="sha384-3ceskX3iaEnIogmQchP8opvBy3Mi7Ce34nWjpBIwVTHfGYWQS9jwHDVRnpKKHJg7" crossorigin="anonymous"></script>
You can generate SRI checksums (hashes) on srihash.org. Each time the file content is changed, the corresponding checksum needs to be updated as well for browsers to load it correctly.
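The following added Python example (not from the page or srihash.org) computes the integrity value for a file’s bytes, emits the <script> element shown above and mirrors the browser’s check against tampered content; the file contents are constructed.

```python
"""Subresource Integrity: compute integrity values and mirror the browser's check.
Added example, not code from the original page or from srihash.org."""
import base64
import hashlib

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the only algorithms browsers accept for SRI

def sri_hash(content, alg="sha384"):
    """Return the integrity attribute value for the exact bytes the browser will receive."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"

def sri_matches(content, integrity):
    """Mirror the browser: the attribute may list several space-separated tokens and the file
    is accepted if any token with a supported algorithm matches. If no token uses a supported
    algorithm the browser loads the file unchecked, so a typo such as "sha-384" silently
    disables SRI; this function returns True in that case to make that failure mode visible."""
    known = [t for t in integrity.split() if t.partition("-")[0] in SRI_ALGORITHMS]
    if not known:
        return True
    return any(sri_hash(content, t.partition("-")[0]) == t for t in known)

def script_tag(src, content):
    """Emit the <script> element with integrity and crossorigin attributes, as on the page."""
    return f'<script src="{src}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'

# Constructed sample file contents; a CDN serving the second body would be refused.
ORIGINAL_JS = b"window.myForum = { https: true };\n"
TAMPERED_JS = ORIGINAL_JS + b"/* one extra byte is enough to fail the check */\n"

if __name__ == "__main__":
    print(script_tag("https://cdn.example.test/forum.js", ORIGINAL_JS))
    print("original accepted:", sri_matches(ORIGINAL_JS, sri_hash(ORIGINAL_JS)))
    print("tampered accepted:", sri_matches(TAMPERED_JS, sri_hash(ORIGINAL_JS)))
```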
Verifying & monitoring
- Most modern browsers will display detailed warnings in the Console when mixed content is detected.
- Your websites can be checked using external tools:
- CSP violation reports can be used with report-uri.io to log all events breaking the rules set by the Content Security Policy header, such as attempts to load insecure content.
We offer support and validation of HTTPS setups on the Community Forums.