
Wrong site formatting + ETF2L profile links + security stuff


  • This topic is locked
No replies to this topic

#1 suprovsky

    Member, 10 posts

Posted 04 June 2020 - 01:47 PM

TF2C Profile: suprovsky
Region: EU

Browser: Google Chrome
Critical plugins: Adblock Plus
OS: Windows
Connection type: Router

Bug type: Main page
Lobby ID: --
Date & Time: 04.06.2020 14:40

Yo,

the main site of TF2Center isn't formatted correctly in Chrome when using 4K displays (3840x2160):
https://i.imgur.com/aYMtcFC.jpg
It's not the case for Microsoft Edge:
https://i.imgur.com/a9ibC6d.jpg
and for Mozilla Firefox:
https://i.imgur.com/4JT87mb.png

This may be relevant: I use window scaling at 175%, since I have 3 screens, two of which have FHD (1920x1080) screen resolution.

Also, another thing, which is minor: ETF2L and its API work on HTTPS addresses only since yesterday. Please update the profile links to HTTPS.

Also, regarding security, your page gets a B score on ssllabs.com, while you could easily get A+ with HTTPS everywhere: https://www.ssllabs....d=tf2center.com
Another test you'd like to take a look at is Mozilla Observatory, where you get an F for webpage security: https://observatory....e/tf2center.com

Other security/availability/performance measures I'd take are:

  • disable TLS 1.0 and 1.1 in the Cloudflare setup (https://i.imgur.com/ScD3c9o.png)
  • enable HSTS on Cloudflare and add the tf2center.com domain to https://hstspreload.org/
  • enable HTTP/2 and HTTP/3 (with QUIC) and IPv6 compatibility (that needs additional configuration on the origin server; actually you can make pseudo 6to4 routing through Cloudflare, but it's not hard to set up IPv6 support normally): https://i.imgur.com/w2Cpel3.png
  • add page headers:
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Content-Security-Policy
        // that header is incomplete; you need to read a lot about it, because it gives you extra security on the page, but a wrongly defined header can break your site (i.e. you will block a lot of site elements from loading for users)
  • start using the Secure and HttpOnly flags with JSESSIONID (there's a good article about this: https://owasp.org/ww...munity/HttpOnly)


Changing these things will make tf2center.com a much more secure site (also, you'd get A+ in both the ssllabs.com and Mozilla Observatory tests).
If you need help - add me on Steam and we can discuss it.
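
The post's checklist, as an added example of an nginx origin configuration (this is not code from the post or from TF2Center). It assumes the origin is nginx reverse-proxying to a Java servlet backend on 127.0.0.1:8080 that issues the JSESSIONID cookie, and that Cloudflare fronts the site in a mode that verifies the origin certificate, so the TLS settings below harden the Cloudflare-to-origin leg while the public edge's TLS 1.0/1.1 switch lives in the Cloudflare dashboard as the post says. Certificate paths, the upstream name, the CSP allowlist and the /csp-report endpoint are placeholders. One deliberate departure from the post's list: browsers have removed the XSS auditor that "X-XSS-Protection: 1; mode=block" drove, so the header is set to "0".

```nginx
# Added example, not TF2Center's configuration. Paths, upstream and CSP
# allowlist are assumptions that must be adapted to the real deployment.

upstream tf2center_app {
    server 127.0.0.1:8080;   # assumed Java servlet backend (issues JSESSIONID)
}

# Plain HTTP exists only to redirect. hstspreload.org requires this redirect
# on the same host before it accepts the domain.
server {
    listen 80;
    listen [::]:80;          # IPv6 on the origin, as the post asks for
    server_name tf2center.com www.tf2center.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name tf2center.com www.tf2center.com;

    ssl_certificate     /etc/ssl/tf2center/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/ssl/tf2center/privkey.pem;     # assumed path

    # TLS 1.0 and 1.1 are what cap the ssllabs grade at B; keep only 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # "always" matters: without it nginx omits add_header on 4xx/5xx responses,
    # and scanners like Observatory do look at error pages.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # The auditor that "1; mode=block" targeted no longer exists in browsers;
    # "0" disables the legacy behaviour entirely.
    add_header X-XSS-Protection "0" always;

    # Start CSP in report-only mode: a wrong allowlist then produces reports at
    # /csp-report (assumed endpoint) instead of blocking page elements. Switch
    # to Content-Security-Policy once the reports are clean.
    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; report-uri /csp-report" always;

    location / {
        proxy_pass http://tf2center_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Rewrite the backend's Set-Cookie so JSESSIONID is sent only over TLS
        # and is not readable from JavaScript (proxy_cookie_flags needs nginx 1.19.3+).
        proxy_cookie_flags JSESSIONID secure httponly samesite=lax;
    }
}
```

Two caveats when adapting this. First, nginx does not merge add_header across levels: any location block that declares its own add_header drops every header inherited from the server block, so either keep all add_header lines at server level (as above) or repeat the full set in each location. Second, the HSTS preload line is a one-way door; with includeSubDomains every subdomain of tf2center.com must serve valid HTTPS before the domain is submitted, because browsers will refuse plaintext for all of them once the preload list ships.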