PCI DSS 4.0 - htaccess

    Originally posted by graphicz
    Article is brilliant... has some things I've implemented and some I haven't...

    One of them is that it had a few more lines in the .htaccess, and I've encountered a problem with this line:

    Header set Referrer-Policy "same-origin"

    The SellerdeckPay card fails to load the fields with this message

    and then afterwards the fields are missing

    Any ideas on this?

    #2
    I had the same issue with the card boxes not loading.

    I removed all of the code rather than try to work out what was causing it.

    It would seem that I didn’t require the additions to the htaccess file as I never failed on any of those.

    My only failure is to do with TCP packets, which I have been told by my host to register as a false positive.
    Regards

    Jason

    Titan Jewellery (Swift Design)
    Zirconium Rings
    Damascus Steel Rings



      #3
      One would have thought when ClearAccept was introduced by SD they would have issued a nice clear concise guide on 'how to'. Sorry but they seem to be playing catch-up and leaving customers to work things out for themselves!
      Jonathan Chappell
      Website Designer
      SellerDeck Website Designer
      Actinic to SellerDeck upgrades
      Graphicz Limited - www.graphicz.co.uk



        #4
        Hasn’t that always been the Sellerdeck way?
        Regards

        Jason

        Titan Jewellery (Swift Design)
        Zirconium Rings
        Damascus Steel Rings



          #5
          Trying to figure out what is happening...
          Looking at the "same-origin" examples on https://developer.mozilla.org/en-US/...eferrer-Policy

          [Image: 2024-05-27_18-55-57 - same-origin.png]
          I'm guessing the SellerdeckPay fields are the "Navigation to" case and so give a "(no referrer)" result, which breaks the function.
          ## Maybe this might even break connections to Google Analytics / Google Ads (I haven't tried Google Tag Assistant to test)
          - if it hasn't... then Google Tags has somehow bypassed this setting

          I've changed it to
          Header set Referrer-Policy "origin"
          and it works.

          I've now changed it to:
          Header set Referrer-Policy "strict-origin-when-cross-origin"
          so it only allows both ends to be HTTPS, which ClearAccept should be.

          [Image: 2024-05-27_19-07-06 - strict-origin-when-cross-origin.png]

          =============================================================================

          Extra extra... checking our site on https://securityheaders.com/

          advises the "feature policy" will be replaced by "permissions policy"

          I've added this line:

          Header always set Permissions-Policy "accelerometer=(self), camera=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(self), payment=(self), usb=(self)"
          Don't know the functions, but everything on that scan site is now green!

          [On that site... you can see previous scans and their settings]



            #6
            I have removed the headers on a client site with the ClearAccept fields not displaying and have run a scan but it still shows the headers as present... Any advice?
            server LiteSpeed
            x-xss-protection 1; mode=block
            x-frame-options SAMEORIGIN
            content-security-policy frame-ancestors'none'
            x-content-type-options nosniff
            strict-transport-security max-age=63072000; includeSubDomains
            referrer-policy same-origin
            feature-policy geolocation 'self'; vibrate'none'
            Is there a cache I need to clear?
            Jonathan Chappell
            Website Designer
            SellerDeck Website Designer
            Actinic to SellerDeck upgrades
            Graphicz Limited - www.graphicz.co.uk

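An added example (not SellerDeck, ClearAccept or securityheaders.com code) that ties post #5's reasoning about Referrer-Policy to the scan output in post #6: it parses a captured response header block and reports the settings this thread changes, including a Referrer-Policy value that sends no referrer to a third-party origin. The header block is constructed, and the assumption that the payment provider checks the referring origin is the thread's, not a documented fact.

```python
# Added example (not SellerDeck, ClearAccept or securityheaders.com code):
# audit a captured response header block for the headers this thread changes.
# Referrer-Policy values that still send at least the origin to another HTTPS
# site. "same-origin" and "no-referrer" send nothing cross-site, which matches
# the hosted card fields failing to load above (assumption: the payment
# provider checks the referring origin).
CROSS_SITE_REFERRER_OK = {
    "origin", "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "no-referrer-when-downgrade", "unsafe-url",
}
EXPECTED = ("strict-transport-security", "x-content-type-options",
            "x-frame-options", "content-security-policy", "referrer-policy")

def parse_headers(raw):
    """Map lower-cased header names to values; the status line is skipped."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return (kind, message) findings for a raw response header block."""
    h = parse_headers(raw)
    findings = [("missing", f"{n} not set") for n in EXPECTED if n not in h]
    rp = h.get("referrer-policy")
    if rp is not None and rp.lower() not in CROSS_SITE_REFERRER_OK:
        findings.append(("cross-site", f"Referrer-Policy '{rp}' sends no referrer "
                         "to third-party origins; prefer strict-origin-when-cross-origin"))
    if "feature-policy" in h and "permissions-policy" not in h:
        findings.append(("deprecated", "Feature-Policy is replaced by Permissions-Policy"))
    return findings

# Constructed sample modelled on the scan output quoted in post #6.
SAMPLE = """HTTP/1.1 200 OK
Server: LiteSpeed
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'none'
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubDomains
Referrer-Policy: same-origin
Feature-Policy: geolocation 'self'; vibrate 'none'
"""

if __name__ == "__main__":
    for kind, msg in audit(SAMPLE):
        print(f"[{kind}] {msg}")
```

Run it against the output of `curl -sI` on the checkout page to see which of the headers actually reach the browser, which is the quickest way to tell an .htaccess change from one overridden elsewhere.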


              #7
              In my tests... it's instant. I'm updating the .htaccess file, uploading via FTP and pressing F5 on the webpage (F5 on the scan / F5 on the Sellerdeck website payment page; I'm using Firefox)
              - you can always try a CTRL-F5 refresh to be sure

              If the settings haven't changed, it must be getting those settings somewhere else...
              I'm finding that these settings can be anywhere - here showing it's set on a server conf file

              [Image: 2024-05-28_09-47-03 - apache nginx.png]



                #8
                During my tests yesterday, I found the header settings weren't being applied (test results were always 100% red) and the host sent this:

                With regards to headers, the "Smart static files processing" is enabled, so its possible this related to files being processed by nginx, not apache. I have disabled this option for you now, so your .htaccess file should apply to all requests.
                Whatever they disabled, the results were now green.



                  #9
                  Resolved!

                  Fields are now displaying and scoring A+ on https://securityheaders.com

                  The CA styling of the inputs and labels is pretty poor and as it is from CA I cannot manipulate it?

                  [Image: field-styling.jpg]

                  How can we beautify these input fields and labels?

                  Thanks!

                  Jonathan Chappell
                  Website Designer
                  SellerDeck Website Designer
                  Actinic to SellerDeck upgrades
                  Graphicz Limited - www.graphicz.co.uk



                    #10
                    That's brilliant...
                    Beautify... I think we had something changed... maybe it was css - fields were like 4 digit wide or something... I can't remember (it was basic change tho)

                    In the meantime our test suddenly turned red... I queried and our host did this

                    [Image: 2024-05-28_11-40-05 - headers.png]

                    and now our checkout looks like

                    [Image: 2024-05-28_11-39-42 - checkout blank.png]
                    sadge



                      #11
                      The CSS change was this:

                      Go to:

                      Design | Library | Layouts | Payment methods | Clear Accept Stylesheet

                      Find

                      .expiry-cvv{ display: flex; justify-content: space-between; margin: 0 409px 0 5px; }

                      As an example, you can edit it as follows…

                      .expiry-cvv{ display: flex; justify-content: space-between; margin: 0 auto 0 5px; }

                      Also, find

                      .credit-card{ margin: 0 300px 0 10px; }

                      As an example, edit it as follows…

                      .credit-card{ margin: 0 auto 0 10px; }

                      This should allow the fields to grow and contract as the widths allow.
                      Hope that will help you



                        #12
                        I did this:
                        Go to Design, Library, Layouts, Payment Methods, Clear Accept Stylesheet - double click to open.

                        Line 17 see this:

                        .clearaccept-field { height:30px;}

                        Change 30 to 50 so you have this

                        .clearaccept-field { height:50px;}

                        Apply OK and out. Publish and test.

                        I added this to the htaccess:
                        Code:
                        # Security Headers
                        <IfModule mod_headers.c>
                        Header set X-XSS-Protection "1; mode=block"
                        Header always set X-Frame-Options "SAMEORIGIN"
                        Header set Content-Security-Policy "frame-ancestors 'none'"
                        Header set X-Content-Type-Options "nosniff"
                        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
                        Header set Referrer-Policy "strict-origin-when-cross-origin"
                        Header always set Permissions-Policy "accelerometer=(self), camera=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(self), payment=(self), usb=(self)"
                        </IfModule>
                        I don't know about server side stuff I am afraid...
                        Jonathan Chappell
                        Website Designer
                        SellerDeck Website Designer
                        Actinic to SellerDeck upgrades
                        Graphicz Limited - www.graphicz.co.uk



                          #13
                          Fantastic

                          Our Host advised:

                          With regards to the config, a number of items would not be triggered via the .htaccess file as the VPS sits behind an Nginx proxy, which is the same as the shared hosting, so it's best to add this into the configuration for the server. This is done via the Plesk hosting panel; as a bonus this also prevents the addition of invalid rules.
                          Found it in: Plesk Hosting Panel : Websites & Domains > Hosting & DNS > Apache & nginx
                          There are 3 fields:
                          Additional Directives for HTTP
                          Additional Directives for HTTPS
                          Additional nginx Directives

                          Anyway... host has reverted and we're using the htaccess for now (and tinker later on)



                            #14
                            Just a big shout out to zgap111 for addressing and sorting the headers issues. Thank you!
                            Jonathan Chappell
                            Website Designer
                            SellerDeck Website Designer
                            Actinic to SellerDeck upgrades
                            Graphicz Limited - www.graphicz.co.uk



                              #15
                              Thanks for the shout out

                              This morning I saw this post (re: site passed PCI)
                              https://community.sellerdeck.com/for...193#post557193

                              and I checked the headers site... and Titan's site is all red...

                              https://securityheaders.com/?q=titan...owRedirects=on

                              If it passed with all red... were the headers necessary for the PCI??
                              (Note... getting this done does give peace of mind that we've done what we can to secure our site / reduce the vulnerabilities)
