Question 1

How to install SQLite for PHP on a Apache/Nginx server

Accepted Answer

SQLite is a very popular & fast relational database that is designed to be embedded within software applications. If your server does not already have the SQLite drivers for PHP, please follow the guide below:

|| If you are using a cPanel based server, follow this guide.

Step 1 - Install SQLite3 on your Linux server

First login to your server via SSH and update your package list:

sudo apt update

Now install SQLite:

sudo apt install sqlite3

To verify the installation, check the software’s version:

sqlite3 --version

You should see an output like this:

3.37.0 2021-12-09 01:34:53 9ff244ce0739f8ee52a3e9671adb4ee54c83c640b02e3f9d185fd2f9a179aapl

Step 2 – Install the pdo_sqlite module for your PHP version

sudo apt-get install php-sqlite3

If the above command does not work, you can try the PHP version-specific instructions below:

For PHP5.x, use sudo apt-get install php5-sqlite
For PHP7.0, use sudo apt-get install php7.0-sqlite
For PHP7.1, use sudo apt-get install php7.1-sqlite
For PHP7.2, use sudo apt-get install php7.2-sqlite
For PHP7.3, use sudo apt-get install php7.3-sqlite
For PHP7.4, use sudo apt-get install php7.4-sqlite
For other PHP versions, use sudo apt-get install phpX.Y-sqlite after replacing X.Y with your PHP version number

Step 2 – Restart Apache/Nginx

To enable these modules for PDO usage, we will have to restart Apac

Question 2

How to add missing HTTP Security Headers

Accepted Answer

Most modern browsers ships with a built in XSS filter. However this setting could be turned off by default. Including the X-XSS-Protection header forces this filter to be enabled, thus providing additional protection against Cross Site Scripting attacks.

Missing Strict Transport Security header means that the application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user’s network traffic could bypass the application’s use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool automates this process.

Missing Content-Type header means that this website could be at risk of a MIME-sniffing attacks.

Steps to Fix

X-XSS-Protection

For Apache, it is recommended to use the protection provided by XSS filters without the associated risks by using the following code to .htaccess file:

# X-XSS-Protection
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>

For Nginx, add the following code to the nginx configuration: add_header X-XSS-Protection "1; mode=block";

Strict Transport Security

The application should instruct web browsers to only access the application using HTTPS.

To do this, enable **HTTP Strict Transport Secu

Question 3

Content Security Policy - All you need to know

Accepted Answer

What is Content Security Policy?

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.

Unsafe Inline or Unsafe Eval

Inline JavaScript and CSS are often used on websites but they are also dangerous. They’re the easiest way for a hacker to create an XSS attack. Therefore, to allow them you must add 'unsafe-inline' to the directive you want to allow them for. This is to make sure you understand, what you’re doing isn’t recommended.

A common CSS pattern is to inline your most important CSS that renders your ‘above fold content’ with <style> tags. This can help decrease the perceived rendering time. With HTTP/2, it can be argued against doing this as it tends to be slower. If you do choose to use inline scripts, you have three options.

Get a SHA-256 hash of the script & a

Question 4

How to re-connect the Website Protection plugin on your site

Accepted Answer

If the Astra Dashboard is not able to connect with the Website Protection plugin installed on your website, you may see a warning in your dashboard. This means that when you take any action on the Astra Website Protection Dashboard, it will not get synced with the plugin and the changes will not take affect immediately.

To re-connect your website, you can try the following steps. After performing every step, please retry the connection from your dashboard to verify it.

Plugin Disconnected Warning

Step 1 - Enter a new Activation Code

Navigate to the Settings page for the website where you see this warning
Scroll down and click on the Re-install Astra button
Before we re-install the plugin, let us first try to resolve the issue by entering a new Activation Code. Click on Show Activation Code to generate a new code.
Visit the Activation Page URL as shown in the dashboard & enter the new Activation code. The URL will be similar to example.com/?astraRoute=api/login
Now come back to the Astra Dashboard, and click on the Retry button in the warning screen. If you still face an error, try the next step.

Generate New Activation Code

Step 2 - Update to the latest plugin

Since entering the Activation code did not work, let us try to install the **latest

Question 5

Why am I not getting the OTP in my email?

Accepted Answer

Troubleshooting: Not Receiving Two-Factor Authentication Codes in Email

If you're not receiving two-factor authentication (2FA) codes in your email, there are several steps you can take to troubleshoot the issue.

Check Your Inbox Search your email inbox for messages from no-reply@getastra.email. Sometimes, these emails can end up in the inbox but might be missed.
Check Spam Folder Emails containing authentication codes may sometimes be marked as spam by your email provider. Check your spam or junk folder to see if the email ended up there.
Check Organization Policies If you're using a work or school email address, check with your organization's IT or admin team. They might have policies in place that could be blocking these types of emails.
Wait for 20 Minutes Sometimes, there can be delays in email delivery. Wait for at least 20 minutes to see if the email containing the authentication code arrives.
Contact Support If you've tried the above steps and still haven't received the 2FA code within 20 minutes, you can contact us by emailing help@getastra.com

Question 6

How to fix Referrer-Policy HTTP header

Accepted Answer

The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header should be included with requests made.

Syntax

Note that Referer is actually a misspelling of the word “referrer”. The Referrer-Policyheader does not share this misspelling.

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Directives

no-referrer

The [Referer](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer "The Referer request header contains the address of the previous web page

Frequently Read Articles

Browse All Categories