Apache <if> directive leads to Vary: header entry - apache

I am using a
<If "%{HTTP:X-Some-Header-here} == 'yes'">
# Set some magic here
</If>
in my Apache (2.4) config.
This leads to an "automatic" entry in the Vary: response header (if the stuff within the section applies) like
Vary: other stuff,X-Some-Header-here
Is there any simple way to deactivate this behaviour, since the X-Some-Header-here is kind of "private" in my config?
I could do some magic with header rewriting, but I hope there is a very simple directive to stop Apache from doing this automatically.
Thanks :-)
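The Vary entry comes from the expression parser, not from mod_headers: every request header an `<If>` expression reads through `%{HTTP:name}` or `req('name')` is recorded and emitted in Vary so that a shared cache keeps the variants apart. `req_novary()` reads a header without recording it. The configuration below is an added example, not part of the original post; it assumes the same X-Some-Header-here request header, that mod_headers is loaded, and uses a placeholder X-Debug-Mode response header in place of the "magic".

```apache
# Added example, not part of the original post. Assumes mod_headers is loaded;
# X-Debug-Mode stands in for whatever the <If> section really does.
#
# %{HTTP:X-Some-Header-here} and req('X-Some-Header-here') both add the header
# name to Vary. req_novary() returns the same value without doing so.
<If "req_novary('X-Some-Header-here') == 'yes'">
    # Set some magic here (placeholder)
    Header always set X-Debug-Mode "on"
</If>
```

Dropping the Vary entry is only safe when the header does not change what a shared cache would store. If the "magic" alters the body and a cache (mod_cache, a CDN, a reverse proxy) sits in front of Apache, that cache can hand the yes-variant to clients that never sent the header, or the plain variant to clients that did. Where the body does differ, keep the Vary entry, or mark those responses Cache-Control: private or no-store instead.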

Related

Apache X-FRAME OPTIONS

I'm trying to enable X-FRAME only on my specific VH.
In httpd-default.conf
I set the line:
Header always append X-Frame-Options SAMEORIGIN
On the website where I need to enable X-FRAME from a specific source:
Header always append X-Frame-Options "ALLOW-FROM https://sites.com"
My main idea is to block X-FRAME by default.
Using Apache 2.4.
Thanks
I had a problem using Header always append... (sometimes it doesn't work), so I changed to:
Header set X-Frame-Options "ALLOW-FROM https://sites.com"
and it works!
Only remember that Chrome doesn't support ALLOW-FROM, so it will be ignored and it will always pass.
PS: It's recommended to avoid the use of X-Frame-Options and change to Content Security Policy using frame-src: 'src' https://sites.com 'etc';

Is it possible to set a header based on the UAGENT in htaccess

Because Microsoft Internet Explorer and Microsoft Edge don't support Content Security Policy version 2 (or, in the case of IE, don't support it at all), I would like to change the Content Security Policy based on the user agent. This is fairly simple with PHP, but I would like to do this with an .htaccess file. The question is: is this possible, and how? So far I have found lots of rewrite rules but no mod_headers doing this.
Searching for something like this:
Header set Content-Security-Policy: ...
<UserAgentMatch "(Edge|Internet Explorer)$">
Header unset Content-Security-Policy
</UserAgentMatch>
Does anyone have an idea how I can do this, and whether it's possible?
UPDATE:
Walf's answer gives an internal server error, but after some fine-tuning it resulted in a solution. For those looking for the same, see the code below.
<If "%{HTTP_USER_AGENT} !~ /(MSIE|Edge)\s*/i">
Header always set Content-Security-Policy "..."
</If>
Tried setting the header only if it's not those browsers?
<If "%{HTTP_USER_AGENT} !~ /\s+(?:MSIE\s+\d|Edge\/)/">
Content-Security-Policy: ...
</If>
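A variant of the same idea that degrades the policy instead of removing it, added here as an example (not code from the question or from Walf's answer). It assumes mod_headers is loaded; the two policy strings are placeholders for the site's real policy.

```apache
# Added example, not from the original question or Walf's answer. Assumes
# mod_headers is loaded; the policy strings are placeholders.
#
# Default policy, using CSP level 2 directives (base-uri, form-action). Sent
# with "always" so error responses carry it as well.
Header always set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'"

# Clients without CSP2 get the level 1 subset rather than no header at all
# (harmless where the header is ignored entirely, as on IE).
# "MSIE \d" covers IE 10 and earlier; "Trident/" covers IE 11, whose
# User-Agent no longer contains "MSIE"; "Edge/" is the EdgeHTML-based Edge.
# Chromium-based Edge reports "Edg/" and is deliberately left on the default.
<If "%{HTTP_USER_AGENT} =~ /(MSIE \d|Trident\/|Edge\/)/">
    Header always set Content-Security-Policy "default-src 'self'"
</If>
```

Directives inside `<If>` are merged after the surrounding per-directory and .htaccess directives, which is why the inner `Header always set` replaces the outer value rather than producing a second header. User-Agent is chosen by the client, so this is content negotiation, not a security decision: a client that lies about its engine simply gets the weaker policy, which is the reason to keep the fallback restrictive instead of unsetting the header.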

What is the difference between "always" and "onsuccess" in Apache's Header config?

I have a website where virtual hosts are defined in /etc/apache2/sites-enabled/ with a header being set with the always option like this:
Header always set X-Frame-Options DENY
If I now set the same header using .htaccess in the web site's root folder, but without always, then the header is returned twice in the server's response.
The setting in .htaccess (amongst others):
Header set X-Frame-Options DENY
The server's response:
HTTP/1.1 200 OK
Date: Mon, 02 May 2016 16:02:29 GMT
Server: Apache/2.4.10 (Debian)
X-Frame-Options: DENY
Cache-Control: no-cache, no-store, must-revalidate, private
Pragma: no-cache
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Last-Modified: Mon, 02 May 2016 15:03:42 GMT
Accept-Ranges: bytes
Content-Length: 0
X-Frame-Options: DENY
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, must-revalidate, private
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
The Apache docs say that without the always option the default value of onsuccess is used. But they also say that "... the default value of onsuccess does not limit an action to responses with a 2xx status code..." (http://httpd.apache.org/docs/current/en/mod/mod_headers.html#header).
But if I don't add always, then error pages like 301s and 404s will not have the header set. On the other hand, if I do add always then the headers might be set twice if I do use the default value (i.e. onsuccess) in .htaccess. As the docs state: "repeating this directive with both conditions makes sense in some scenarios because always is not a superset of onsuccess with respect to existing headers". Setting headers twice is not always valid for an HTTP response, see https://stackoverflow.com/a/4371395/641481. So I want to avoid it, naturally.
My question now is: When exactly should I use onsuccess (i.e. the default value) and when always? I must admit that even after reading through the Apache docs a couple of times I do not exactly understand this. Pragmatically it seems that always using always leads to the correct/expected behaviour.
I also do not understand why Apache writes the header twice if it is set in always and onsuccess. It seems wrong to me, but there must be a good reason for this, since I assume the Apache-devs know a lot more than I do about HTTP ;-)
This is only a partial answer since it does not cover the onsuccess attribute. It is based on experiences using Apache 2.4.7 running on an Ubuntu 14 OS. Hope it helps you along.
The pure set parameter, without attributes, to the Header directive overwrites any always attribute by forcing the argument to Header set to be the only one delivered. If the same directive appears in a directory, i.e. a file-system-based .htaccess file, it has precedence over the same directive noted in a virtual host definition file related to that directory. If the attribute always is noted additionally, it has the effect that any, equal or different, notation of the same directive is added to the server answer instead of overwriting/replacing it.
Probably the onsuccess attribute, which I unfortunately do not have the time to explore now, may be handled similarly to the always attribute.
We use Adobe Experience Manager with a Dispatcher [caching] module for our Apache webserver. Adobe recently changed the code below. Essentially I believe you may need to use the "expr=" syntax to make sure the value is not already set. That should eliminate the duplicates.
Here's the reference code from Adobe:
Original Config: Header always append X-Frame-Options SAMEORIGIN
New Config: Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"
When I inquired, Adobe gave me the following reasons. Thanks Adobe.
Explanation:
Using "merge" instead of "append" prevents the entry's value from being added to the header more than once.
expr=expression: The directive is applied if and only if expression evaluates to true. Details of expression syntax and evaluation are documented in the ap_expr documentation. The "expr" is looking in the response headers from the server (Publisher Application Server) to make sure that it does not include SAMEORIGIN. This ensures that SAMEORIGIN is not duplicated in the response header sent back to the requesting client.
It's required because testing has found that when AEM included this header, Apache would duplicate the SAMEORIGIN value even with the merge option. Apache is capable of a proper merge when it sources the header from itself, but when the first header was set by AEM outside of the Apache instance, it gets weird (and requires the extra expression).
It also appears that they do not use "always" with the merge+expr syntax. Perhaps to also work around an Apache weirdness.
PS... remember to change "SAMEORIGIN" for "DENY" in your case.
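Why the response above carried X-Frame-Options twice, and how to set it once from both the vhost and .htaccess, as an added example (not code from the question or either answer). It assumes mod_headers is loaded and a hypothetical vhost example.com with DocumentRoot /var/www/example.

```apache
# Added example, not from the question or either answer. Assumes mod_headers
# is loaded; example.com and /var/www/example are hypothetical.
#
# mod_headers works on two response-header tables. Directives with the default
# condition (onsuccess) act on headers_out; directives with "always" act on
# err_headers_out, the table httpd still sends for internally generated error
# pages and redirects (the 404s and 301s from the question). Both tables are
# emitted, so a header "set" in each one goes out twice. That is the pair from
# the question:
#
#   vhost:     Header always set X-Frame-Options DENY   -> err_headers_out
#   .htaccess: Header set X-Frame-Options DENY          -> headers_out, 2nd copy
#
# Corrected: use one table everywhere. Directives run in merge order (server
# and vhost level first, then per-directory and .htaccess), and "set" on a
# table replaces a header already in it, so the .htaccess line further down
# overrides the vhost value instead of adding a second header.

# ---- /etc/apache2/sites-enabled/example.conf ----
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot "/var/www/example"
    Header always set X-Frame-Options "DENY"
    <Directory "/var/www/example">
        # mod_headers directives in .htaccess need the FileInfo override
        AllowOverride FileInfo
    </Directory>
</VirtualHost>

# ---- /var/www/example/.htaccess (only where the vhost default must change) ----
Header always set X-Frame-Options "SAMEORIGIN"
# If some earlier directive used the default condition, drop the copy it left
# in headers_out; this is a no-op when every directive used "always".
Header onsuccess unset X-Frame-Options
```

The rule of thumb that falls out of this: decide on one condition per header, use "always" for security headers that must also reach error pages and redirects, and never mix the two for the same header across vhost and .htaccess.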

How to disable caching of a rewrite rule which proxies an internal server?

I'm using an htaccess rule to proxy to an internal server, using the answer recommended on this question, "Can ProxyPass and ProxyPassReverse Work in htaccess". I'm using htaccess as that is all I have access to. The method suggested works, but when I make a change on one of the internal pages and reload (from the external server) I don't even see it hitting the internal server, even after clearing the cache on the browser. In fact, if I try to load the page from another browser which never has tried to load the page before, it too gets the old copy.
This suggests something is being cached on the server, but how to change this? The apparent caching is rather annoying as I am trying to fix some issues that only occur on the proxied page.
If I hit the internal server directly and reload after a change, I always get the latest page.
I have tried a <filesMatch ...> rule for the affected pattern (using the same pattern as in the RewriteRule) in the following manner:
<filesMatch "^/?somedir/(.*)$">
Header set Cache-Control "max-age=0, private, no-store, no-cache, must-revalidate"
</filesMatch>
My rewrite rule looks like this, and comes after the filesMatch directive:
RewriteEngine On
RewriteRule ^/?somedir/(.*)$ https://internal.local.net:8000/$1 [L,P]
But this has not had any effect. I have also tried "NoCache *" but this directive causes an error as it is not allowed in an .htaccess file.
The P-flag in your RewriteRule causes the request to be proxied to the internal server using mod_proxy. mod_proxy by itself does not cache content. The caching is probably a result of mod_cache being enabled as well on the server. The settings you need to disable caching for your internal server can unfortunately only be done in server or virtual-host config. The solution would be to add what you tried to the configuration of the internal server thus telling mod_cache that it should not cache any response from your internal server:
Using .htaccess
Header set Cache-Control "max-age=0, private, no-store, no-cache, must-revalidate"
or PHP
header('Cache-Control: no-cache, no-store, must-revalidate'); // HTTP 1.1.
header('Pragma: no-cache'); // HTTP 1.0.
header('Expires: 0'); // Proxies.
Try adding this in an htaccess file in your "somedir" directory:
ExpiresActive On
ExpiresDefault "now"
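If the first answer's diagnosis is right and mod_cache on the external server is storing the proxied responses, the internal server can refuse to be cached on its own. The configuration below is an added example, not code from either answer; it assumes the internal server is itself Apache with mod_headers, that it serves internal.local.net:8000 as in the RewriteRule (the proxied path lands at its root, since the rule maps somedir/(.*) to /$1), and a hypothetical DocumentRoot.

```apache
# Added example, not from the original answers. Assumes the internal server
# is Apache with mod_headers; /srv/internal is a hypothetical DocumentRoot.
#
# A response without cache-control information is cacheable by default, so a
# caching proxy in front of this vhost (the external server's mod_cache) may
# store it. mod_cache honours both no-store and private unless the operator
# has explicitly enabled CacheStoreNoStore / CacheStorePrivate, and the same
# headers are respected by CDNs and browser caches.
<VirtualHost *:8000>
    ServerName internal.local.net
    DocumentRoot "/srv/internal"

    # "always" so that 301/404 responses are covered too; those are cacheable
    # by default as well.
    Header always set Cache-Control "no-store, private"
    # For caches that only understand HTTP/1.0 expiry: an invalid date such as
    # "0" must be treated as already expired.
    Header always set Expires "0"
</VirtualHost>
```

To check from the outside, request the proxied URL with `curl -sI` twice and compare: an Age header means the response was served from a cache, and if the external server has `CacheHeader On` it also reports `X-Cache: HIT` or `MISS`. While debugging, scope the no-store to the paths being worked on once it is confirmed, since it disables caching for every client, not only the developer's.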

How to use the SetEnvIf in this situation?

I'm trying to add X-FRAME-OPTIONS to the HTTP headers to prevent clickjacking attacks.
If I set the header in the httpd.conf or .htaccess file like this, it works.
Header set X-Frame-Options SAMEORIGIN
But there are several places that use an iFrame on my own website; if I do this, it will also block the iFrame on my own website. So I tried to add an exception for my own website: check if the request is from my own website, then allow the iFrame on the page. I tried this, but it didn't work.
SetEnvIf Host http://myownwebsite\.com iframes_are_cool
Header set X-Frame-Options SAMEORIGIN env=!iframes_are_cool
Could someone help me with this?
SetEnvIf is not as flexible, so I recommend simply using <If> sections. Give the below a try:
<If "! %{HOST} =~ /http://myownwebsite\.com/">
Header set X-Frame-Options SAMEORIGIN
</If>
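One way to allow a second origin to frame the site, added here as an example for both this question and the X-FRAME OPTIONS ALLOW-FROM thread above (not code from any of the posters). It assumes mod_headers is loaded and two hypothetical origins: the site itself at https://myownwebsite.com and an embedding page at https://app.myownwebsite.com. Neither the Host header nor a Referer check can tell Apache who is framing a page: Host names the server being asked for the page (always myownwebsite.com here), and Referer is set by the client and frequently stripped, so it cannot serve as a security boundary. The framing decision is made by the browser from the response headers, which is where the exception has to be expressed.

```apache
# Added example, not from the original question or answer. Assumes
# mod_headers and the hypothetical origins https://myownwebsite.com (the site)
# and https://app.myownwebsite.com (the page that embeds it).
#
# X-Frame-Options SAMEORIGIN already permits frames whose top-level page has
# the same origin, so the site's own iframes need no exception. A *different*
# origin (a subdomain, https://sites.com, ...) needs CSP frame-ancestors, which
# takes a list of origins. Browsers that support frame-ancestors ignore
# X-Frame-Options when it is present, so the old header stays only as the
# fallback for clients without CSP level 2.
#
# "set" replaces any Content-Security-Policy the application already emits;
# if it sends one, add frame-ancestors to that policy instead.
Header always set Content-Security-Policy "frame-ancestors 'self' https://app.myownwebsite.com"
Header always set X-Frame-Options "SAMEORIGIN"
```

Both headers are sent with "always" so that error pages and redirects are protected as well. To verify, load the page inside an iframe on a page served from an origin that is not in the list and look for the blocked-frame message in the browser console; a page from app.myownwebsite.com should render it.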