
How to Fix Security Headers on Forum Software

Forum software (phpBB, Discourse, XenForo, vBulletin) shares one challenge: user-generated content with embedded HTML, images and links from countless external sources. Strict Content-Security-Policy will break embeds, signatures and user avatars. This guide covers every fix our Security Audit raises on forum software, with forum-aware CSP patterns that don't break user content. Covers phpBB 3.3, Discourse 3.3 and XenForo 2.3.

1. Identify your stack

Most forum security headers go at the web-server layer (nginx or Apache in front of PHP for phpBB and XenForo; the nginx inside the Docker container, or your own front proxy, for Discourse), not in the forum software itself. First identify what is serving the forum:

Step 1
Check what's serving the forum
curl -I https://forum.yourdomain.com/ | grep -i server
Apache or nginx in the Server header tells you which platform guide to follow for the basic HTTP headers: see nginx or Apache. Hardened installs often strip or blank that header; if nothing comes back, find the process listening on port 443 on the host (ss -ltnp) and locate its vhost file from there. The forum-specific guidance below adds to those guides rather than replacing them.

2. Forum-aware Content-Security-Policy

The default strict CSP will break: user avatars from Gravatar or other external hosts, embedded YouTube/Vimeo players, image hotlinks in posts, and signatures with external images. Use this more permissive CSP for forums:

Step 1
Permissive CSP for forums
Replace the strict CSP from the platform guide with this forum-aware version:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; media-src 'self' https:; frame-src 'self' https://www.youtube.com https://player.vimeo.com; connect-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'
img-src https: permits any image served over HTTPS, which avatars and hotlinks need; plain http:// images stay blocked, so they render as broken images rather than as mixed content. The frame-src list permits YouTube and Vimeo embeds only; add a host there for each other embed provider your forum allows. object-src 'none' and base-uri 'self' cost nothing on a forum and close the plugin and <base>-tag escape hatches.
⚠️ This is more permissive than a typical strict CSP, so be clear about what it does and does not buy. frame-ancestors 'self' stops clickjacking, object-src 'none' stops plugin content, and the HTTPS-only image and media sources prevent mixed content. What it does not do is stop XSS: phpBB and XenForo templates rely on inline scripts, so script-src needs 'unsafe-inline', and with that present a script injected through a post or signature runs exactly like the forum's own. XSS protection on these platforms comes from the software's HTML sanitiser and from staying patched, not from this header. Discourse is the exception: it generates its own CSP (admin setting "content security policy"), so keep that one rather than overriding it at the proxy.
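Before deploying a policy, it is worth checking it against the loads a forum page actually makes. The following is an added example written for this guide, not code from phpBB, Discourse, XenForo or the Security Audit: it implements enough of the CSP source-expression matching rules to answer "would the browser allow this load?" for the forum-aware policy above, with object-src 'none' and base-uri 'self' included. forum.yourdomain.com is the guide's placeholder origin and the resource URLs are constructed samples.

```python
"""Test a Content-Security-Policy against the loads a forum page makes.

Added example for this guide; not code from phpBB, Discourse, XenForo or the
Security Audit. Implements the CSP3 source-expression matching needed to
answer "would the browser allow this load?" Sample resources are constructed.
"""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent. frame-ancestors
# deliberately is not here: it is a navigation directive with no fallback.
FALLS_BACK = {"img-src", "script-src", "style-src", "media-src", "frame-src",
              "connect-src", "font-src", "object-src", "worker-src", "child-src"}

FORUM_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
             "style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; "
             "media-src 'self' https:; frame-src 'self' https://www.youtube.com "
             "https://player.vimeo.com; connect-src 'self'; object-src 'none'; "
             "base-uri 'self'; frame-ancestors 'self'")


def parse_csp(header):
    """Split a policy into {directive: [source expressions]}; a repeated directive is ignored."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _host_matches(pattern, host):
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):          # *.example.com matches a.example.com, not example.com
        return host.endswith(pattern[1:])
    return pattern == host


def source_allows(source, url, origin):
    """True if one source expression matches url when loaded from the origin page."""
    u, o = urlsplit(url), urlsplit(origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return (u.scheme, u.netloc) == (o.scheme, o.netloc)
    if source.startswith("'"):            # 'unsafe-inline', nonces, hashes never match a URL
        return False
    if source.endswith(":") and "/" not in source:   # scheme source: https:, data:, blob:
        scheme = source[:-1].lower()
        return u.scheme == scheme or (scheme == "http" and u.scheme == "https")
    # host source: [scheme://]host[:port][/path]; path matching omitted (rare on forums)
    if "://" in source:
        scheme, _, rest = source.partition("://")
        if u.scheme != scheme.lower() and not (scheme.lower() == "http" and u.scheme == "https"):
            return False
    else:                                 # schemeless host: page's scheme, or an https upgrade of it
        rest = source
        if u.scheme not in (o.scheme, "https"):
            return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    if not _host_matches(host, u.hostname or ""):
        return False
    default_port = {"https": 443, "http": 80}.get(u.scheme)
    return not port or port == "*" or str(u.port or default_port) == port


def allows(policy, directive, url, origin="https://forum.yourdomain.com"):
    """Does the policy allow a load governed by `directive` to `url`?"""
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK:
        sources = policy.get("default-src")
    if sources is None:
        return True                       # nothing governs it: the browser applies no restriction
    return any(source_allows(s, url, origin) for s in sources)


def allows_inline_script(policy):
    """True if inline <script> runs. A nonce or hash in the list makes browsers ignore 'unsafe-inline'."""
    sources = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


# Constructed sample of what a forum page loads, and what it must not.
FORUM_RESOURCES = [
    ("avatar from Gravatar", "img-src", "https://secure.gravatar.com/avatar/0123"),
    ("signature image over plain http", "img-src", "http://example.org/sig.png"),
    ("YouTube embed", "frame-src", "https://www.youtube.com/embed/abc"),
    ("Vimeo embed", "frame-src", "https://player.vimeo.com/video/1"),
    ("iframe to an arbitrary host", "frame-src", "https://third-party.example/frame"),
    ("script from a CDN not in the policy", "script-src", "https://cdn.example.net/x.js"),
    ("fetch() to an external API", "connect-src", "https://api.example.net/v1"),
    ("Flash/plugin object", "object-src", "https://forum.yourdomain.com/file.swf"),
]


def forum_report(header, origin="https://forum.yourdomain.com"):
    """Map each sample resource to whether the policy allows it."""
    policy = parse_csp(header)
    report = {label: allows(policy, d, url, origin) for label, d, url in FORUM_RESOURCES}
    report["inline <script> in templates"] = allows_inline_script(policy)
    return report


if __name__ == "__main__":
    for label, ok in forum_report(FORUM_CSP).items():
        print(f"{'ALLOW' if ok else 'BLOCK'}  {label}")
```

Swap FORUM_CSP for the header your server actually sends and add your own embed providers to FORUM_RESOURCES; the report shows which user content will break before any user sees a broken page, and the last line makes the 'unsafe-inline' trade-off explicit.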

3. phpBB-specific hardening

phpBB has the relevant settings in the ACP; the headers themselves still come from nginx or Apache:

Step 1
Force HTTPS
ACP → General → Server Settings: set Server protocol to https://, Force server URL settings to Yes, and check that Domain name and Script path match the URL users actually visit. Save. Without Force server URL settings, phpBB builds links from the request headers it sees, so an installation behind a proxy can keep emitting http:// links even though the site is served over HTTPS.
Step 2
Session security
ACP → General → Security Settings: Session IP validation (ip_check) compares the visitor's IP against the one stored with the session. Leave it at All if your users have stable IPs; on a mobile-heavy board relax it to A.B.C or A.B rather than None, so a stolen session cookie still has to be replayed from a nearby address range.
Step 3
Cookie flags
ACP → General → Cookie settings: set Cookie secure to Yes once the board is HTTPS-only; otherwise the session cookie is also sent over plain HTTP. Confirm with curl that the Set-Cookie line for the session cookie carries Secure and HttpOnly.

4. Discourse-specific hardening

Discourse runs in Docker and manages its own nginx inside the container, so the host's nginx configuration does not apply unless you run a separate reverse proxy in front of it, in which case the headers belong on that proxy. Discourse also sets several headers itself: turn on force https in the admin site settings (Security section) to move the site to HTTPS, and leave its built-in content security policy setting enabled rather than overriding the CSP in nginx. Anything still missing is added through app.yml:

Step 1
Edit app.yml
On the Discourse host:
cd /var/discourse
nano containers/app.yml
Discourse has a documented pattern for customising the container's nginx configuration via the hooks: section of app.yml. Reference the Discourse meta documentation for the current syntax; it changes between releases, so copy the example there rather than one from an old forum post.
Step 2
Rebuild
./launcher rebuild app
Discourse rebuilds the container with your changes. This takes the site offline for several minutes, so schedule it, and a rebuild also updates Discourse to the latest commit on its configured branch, so re-run the curl test afterwards.

5. XenForo-specific hardening

XenForo sets little itself beyond the board URL and the cookie flags; HSTS and the other headers come from your web server, as in the nginx or Apache guide.

Step 1
Force HTTPS in admin
Admin CP → Setup → Options → Basic board information → set Board URL to https://forum.yourdomain.com. XenForo builds absolute links, canonical URLs and the links in its emails from this value, so an http:// board URL keeps producing http:// links even when the server redirects them.
Step 2
Cookie security
Admin CP → Setup → Options → Cookies: review settings. XenForo is documented to apply the Secure flag automatically when the board URL is https://, but verify rather than assume: curl -sD - -o /dev/null https://forum.yourdomain.com/ | grep -i set-cookie should show Secure and HttpOnly on the session cookie. If it does not, the board URL is still http:// or a proxy in front of XenForo is terminating TLS without telling it.

6. Verify

Step 1
Curl test
Use a GET with -D - rather than -I, so that Set-Cookie lines come back as well (some stacks answer HEAD without setting a session cookie):
curl -sD - -o /dev/null https://forum.yourdomain.com/ | grep -iE "strict-transport|x-frame|x-content|referrer|permissions|content-security|set-cookie"
Every header from the platform guide should appear exactly once. A header listed twice usually means both the web server and the forum software are setting it; for Content-Security-Policy the browser enforces both policies, so a load has to satisfy each of them, which can silently re-block embeds you allowed. Check that the session cookie carries Secure and HttpOnly, then re-run the Security Audit.
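The grep above shows the raw lines; the checks a practitioner actually wants are "is HSTS long enough", "does the CSP carry frame-ancestors", and "do the cookies have their flags". The following is an added example written for this guide, not code from the Security Audit or any forum project: it audits a raw response head, either piped in from curl or the constructed phpBB-style SAMPLE_HEAD embedded below, and returns findings instead of leaving you to eyeball the output.

```python
"""Audit a raw HTTP response head for the headers and cookie flags this guide sets.

Added example for this guide, not code from the Security Audit or any forum
project. Feed it what `curl -sD - -o /dev/null https://forum.yourdomain.com/`
prints (argument "-" reads stdin); SAMPLE_HEAD is a constructed phpBB-style
response used for the demo.
"""
import re
import sys

ONE_YEAR = 31536000
COOKIE_FLAGS = ("secure", "httponly", "samesite")

SAMPLE_HEAD = """HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=300
x-content-type-options: nosniff
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; frame-ancestors 'self'
set-cookie: phpbb3_ab12_sid=0123456789abcdef; path=/; HttpOnly; Secure
set-cookie: phpbb3_ab12_u=1; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/
"""


def parse_head(raw):
    """Return (status line, [(name, value), ...]) keeping repeats such as Set-Cookie."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def _max_age(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    return int(m.group(1)) if m else 0


def _directive(csp, name):
    """Source list of one CSP directive, lower-cased, or None if the directive is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def cookie_findings(set_cookie):
    """Flags missing from one Set-Cookie line; the forum session cookie is the one that matters."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    missing = [f for f in COOKIE_FLAGS if f not in attrs]
    return [f"cookie {name}: missing {', '.join(missing)}"] if missing else []


def audit_headers(raw):
    """Return a list of findings; an empty list means every check passed."""
    _, headers = parse_head(raw)
    present, findings = {}, []
    for name, value in headers:
        if name == "set-cookie":
            findings += cookie_findings(value)
        else:
            present.setdefault(name, value)      # first occurrence wins, as in the browser
    hsts = present.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif _max_age(hsts) < ONE_YEAR:
        findings.append(f"HSTS max-age {_max_age(hsts)} is under one year")
    if present.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in present:
            findings.append(f"missing {name.title()}")
    csp = present.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        if _directive(csp, "frame-ancestors") is None and "x-frame-options" not in present:
            findings.append("no clickjacking protection: neither frame-ancestors nor X-Frame-Options")
        script_src = _directive(csp, "script-src") or _directive(csp, "default-src") or []
        if "'unsafe-inline'" in script_src:
            findings.append("script-src allows 'unsafe-inline': CSP will not stop stored XSS in posts")
        if _directive(csp, "object-src") is None and _directive(csp, "default-src") is None:
            findings.append("object-src unrestricted")
    return findings


if __name__ == "__main__":
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_HEAD
    for finding in audit_headers(raw) or ["all checks passed"]:
        print(finding)
```

Run it as `curl -sD - -o /dev/null https://forum.yourdomain.com/ | python3 audit.py -` after each change. The 'unsafe-inline' finding is informational on phpBB and XenForo, where the templates need it; on Discourse it means a hand-written CSP has replaced the one Discourse generates.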
