Webserver is safe now - but CSS/js disabled? (phpmyadmin not working..)

Hi!
So, I wanted to secure my Apache server as best as I can - but forgot to check whether each application was still running correctly…

At first I went through the basic certbot install - obtained my cert for the domain and installed it automatically.
Then did everything else - HSTS, HPKP, CSP and so on.

At some point I realized that my phpMyAdmin login page didn't work anymore - it only shows the phpMyAdmin logo but not the login window. The web panel for my TeamSpeak server also doesn't look as it should. (I think some things are missing.)

I am not an expert with all this; I've checked everything but can't find the error. There are no error messages inside the Apache log if someone visits the phpMyAdmin login page, no error messages at all.

Could someone please check the configuration files?

apache2.conf - https://pastebin.com/rZhShgud
default.conf - https://pastebin.com/xKHVJ7EA
default-le-ssl.conf - https://pastebin.com/TZzQi4kJ

Well, you can try it out too, https://rurdos.link/phpmyadmin

Thanks, regards from Vienna
Rurdo

Looks like you’re not allowing the scripts on that page from loading in the first place:

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-Znx9+G9zA+tuD8Jhp366cVvHMKX3f6akSB6VwBQDw0o='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-51ZHNuSSKtFtvqsVPKOE/TUSwFe0LxrViJ5CDHpf1U0='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

I’m no expert in Apache configs (nginx fan over here), but if I were to hazard a guess, take a closer look at these lines. Also, maybe consider a better way of setting that directive up, because I suspect every page will have a different inline script that’s broken by this.

Header set Content-Security-Policy "default-src 'self';"
Header always set Public-Key-Pins "pin-sha256=\"YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=\"; pin-sha256=\"C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=\"; pin-sha256=\"sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=\"; pin-sha256=\"za7Ua9rgoG4hdw2IRNSGzHldSpDLUQLGyNLEvhofpD8=\"; pin-sha256=\"2mwKohR7EVlZtxlB9lNcneNZCWkwopiiUHwygomeoVc=\"; max-age=864000; includeSubdomains"

You should switch Content-Security-Policy to Report-Only mode and set up a report-uri to learn more about the additional options that are needed for your website. (You need at least unsafe-inline right now, which largely defeats the purpose of CSP.)

https://report-uri.io/ is an awesome free service for this with lots of utilities to help you implement and debug security headers.
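As an added example (not from either poster's config), here is the directive as posted next to a Report-Only version that names script-src and style-src explicitly and sends violation reports, followed by a commented-out enforcing policy that uses the two hashes from the console messages quoted above. The report endpoint is a placeholder, not a real URL.

```apache
# As posted: style-src and script-src are not set, so both fall back to
# default-src 'self', and every inline <script> and <style> is refused.
Header set Content-Security-Policy "default-src 'self';"

# Step 1 - report, don't block. Nothing is enforced, but the browser POSTs a
# JSON violation report to report-uri for every blocked resource, so you learn
# what each page (phpMyAdmin login, TeamSpeak web panel, ...) actually needs
# before locking it down. The endpoint below is a placeholder; use the one
# your report-uri.io account gives you.
Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self'; report-uri https://REPORT-ENDPOINT-PLACEHOLDER/csp-report"

# Step 2 - enforce once the reports are clean. The two hashes come from the
# console errors above and allow exactly those two inline blocks on the login
# page; other pages with different inline code will still be refused and will
# keep appearing in the reports until their hashes (or nonces) are added.
# Replacing the hashes with 'unsafe-inline' makes everything load, but then the
# policy no longer stops scripts injected into the page.
# Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'sha256-51ZHNuSSKtFtvqsVPKOE/TUSwFe0LxrViJ5CDHpf1U0='; style-src 'self' 'sha256-Znx9+G9zA+tuD8Jhp366cVvHMKX3f6akSB6VwBQDw0o='; report-uri https://REPORT-ENDPOINT-PLACEHOLDER/csp-report"
```

After reloading Apache, confirm which header the server actually sends by fetching the login page with curl -I; only one of Content-Security-Policy or Content-Security-Policy-Report-Only should be present during the report-gathering phase.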

