Google Security Issue: Deceptive pages

Hi,

I have a simple React web app hosted on Netlify with my own domain. Below are the details:

url: https://bitesizeadventure.com/
frontend: react

I tried to list the site on Google but it did not pass the security check:

1 issue detected
Google has detected harmful content on some of your site’s pages. We recommend that you remove it as soon as possible. Until then, browsers such as Google Chrome will display a warning when users visit or download certain files from your site.

Deceptive pages
Description
These pages attempt to trick users into doing something dangerous, such as installing unwanted software or revealing personal information.

What I have tried so far:

  • Tried adding _headers to the build folder: it ended up removing all CSS from my website, so I reverted it.
  • Tried adding a netlify.toml file at the root of the app, but that did not seem to take any effect. Am I doing something wrong?

This is the content of my netlify.toml file:

[[headers]]
  # applies to every path on the site
  for = "/*"
  [headers.values]
    X-Frame-Options = "SAMEORIGIN"
    X-Content-Type-Options = "nosniff"
    X-XSS-Protection = "1; mode=block"

What I'm using for testing:

Although it received a good rating, there were suggestions for improvements, particularly:

Security Headers

Missing security header for ClickJacking Protection. Alternatively, you can use Content-Security-Policy: frame-ancestors 'none'.

Missing security header to prevent Content Type sniffing.

Missing Content-Security-Policy directive. We recommend to add the following CSP directives (you can use default-src if all values are the same): script-src, object-src, base-uri, frame-src

You may want to add your site to Google Search Console (if you haven’t) and there you should be able to request a review of your site.

Regarding headers, it seems that your 3 headers were set up correctly. Content Security Policy can also be used with Netlify's headers function, but you may want to be careful with it as it can break your site very easily.

Hi @hartanto ,

Thanks for the reply.

Yes, I had already tried to add my site to Google. This is where the issue stemmed from:

1 issue detected
Google has detected harmful content on some of your site’s pages. We recommend that you remove it as soon as possible. Until then, browsers such as Google Chrome will display a warning when users visit or download certain files from your site.

Deceptive pages
Description
These pages attempt to trick users into doing something dangerous, such as installing unwanted software or revealing personal information.

I've been testing with Sucuri to check the issues as they provide more details.

Can you please tell me how to resolve these two issues:

These are, again, recommendations; you don't need to follow them. But if you want to do so:

  • For the Protection section:

    • Netlify does not provide a Web Application Firewall at the moment. I would personally argue that since the websites hosted are static, having a WAF wouldn't be that necessary. Netlify will mitigate any DDoS attack happening to their system.
    • For SPF record, do you use any custom domain email address? If you don’t (and you are not planning to have one), you can add a TXT record in your domain DNS that contains v=spf1 -all. If in the future you want to use a custom domain email address, your email provider will instruct you to change the SPF record.
  • For the security headers:

    • CSP can be a pain to set up and to maintain. There is always a risk of breaking your site. Basically, what CSP does is restrict your site to using resources that you have explicitly allowed, so any other resources will be blocked. The Mozilla blog below provides a good starting point.
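Putting the two replies above together, here is an example netlify.toml for a static React single-page app. It is added here as an illustration; it is not the poster's file, not Netlify's own sample, and not a policy the thread itself spells out. It assumes the app loads no third-party scripts, fonts, images or APIs (every external origin the site really uses has to be added to the matching directive, otherwise the browser blocks it), and the note about INLINE_RUNTIME_CHUNK assumes the app was built with Create React App, which the original post does not say.

```toml
# Example netlify.toml for a static React SPA (added illustration, not the
# poster's file). Commit it at the root of the repository that Netlify builds.
# Assumption: the site uses no third-party origins; add any it does use
# (analytics, fonts, APIs) to the matching directive before enforcing the CSP.

[[headers]]
  for = "/*"
  [headers.values]
    # Clickjacking: the legacy header and the CSP directive should agree.
    # DENY pairs with frame-ancestors 'none'; SAMEORIGIN pairs with 'self'.
    X-Frame-Options = "DENY"

    # Stop browsers from guessing the MIME type of served files.
    X-Content-Type-Options = "nosniff"

    # Do not leak full URLs (including query strings) to other origins.
    Referrer-Policy = "strict-origin-when-cross-origin"

    # Content Security Policy covering the directives the scanner listed
    # (script-src, object-src, base-uri, frame-src) plus frame-ancestors.
    #  - script-src 'self': only scripts served from this domain. If this is
    #    a Create React App build, its runtime chunk is inlined into
    #    index.html by default and would be blocked; set
    #    INLINE_RUNTIME_CHUNK=false in .env so it is emitted as a file.
    #  - style-src 'unsafe-inline': needed by many CSS-in-JS libraries that
    #    inject <style> tags; remove it if the console reports no violations.
    #  - img-src data: allows small inline images bundlers embed as data URIs.
    #  - object-src 'none' and base-uri 'self' close off plugin embeds and
    #    <base href> hijacking, which CSP does not restrict by default.
    # To roll out safely, first ship this same value under the key
    # Content-Security-Policy-Report-Only: violations then appear in the
    # browser console without blocking anything. Rename the key to
    # Content-Security-Policy once the console is clean.
    Content-Security-Policy = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; base-uri 'self'; frame-src 'none'; frame-ancestors 'none'; form-action 'self'"
```

Two things this file does not cover. First, the alternative `_headers` file must end up in the publish directory; for a React build that means placing it in `public/` so the build step copies it into the output folder, rather than writing it into the build folder by hand where the next build can discard it. Second, the SPF record is not an HTTP header at all: it is a DNS TXT record on the domain, and the value `v=spf1 -all` from the reply above is only appropriate while no mail is sent from that domain.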

Thank you. It worked.