How we can edit Apache config file in a Kubernetes environment?
Usually I do edit some security in the .conf for all the headers.
Exemple:
Content-Security-Policy
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Permissions-Policy
Thank you
Related
I have seen some results from security scans that a client website is not behaving as securely as possible.
The security scan suggests to resolve this, we need to add some add_header directives, e.g:
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options DENY;
add_header Referrer-Policy "strict-origin" always;
In a shared server environment, can I add these to .htaccess?
Affirmative, in environments where you might not have direct control over the Apache server such as in shared hostings you can use .htaccess and enforce headers from there.
Take a look at this:
https://torbjornzetterlund.com/hardening-your-http-response-headers-with-htaccess/
using securityheaders.io website, I can't get referrer policy header recognized in apache .htaccess.
This is my code in htaccess
<IfModule mod_headers.c>
Header set Referrer-Policy "no-referrer"
</IfModule>
The site still says missing referrer policy. Is this not the right code to use?
You must add like this in your htaccess file
Header always set Referrer-Policy "same-origin"
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
Referrer-Policy: same-origin is usally recommended.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
This worked for me:
Header always set Referrer-Policy "no-referrer"
We have been having the problem where we get errors of the format.
Font from origin 'https://example.com' has been blocked from loading by
Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin'
header is present on the requested resource. Origin
'https://www.example.com' is therefore not allowed access.
We also get a "Redirect at origin" error.
We are using Drupal 7 and Cloudflare.
we have attempted to edit .htaccess to include
Header set Access-Control-Allow-Origin "https://example.com"
Header set Access-Control-Allow-Origin "https://www.example.com"
Tried quite a lot;
have purged cloudflare
restarted apache
tried wildcard "*"
Drupal CORS module
So far no joy.
As this approach is not working, I am wondering if something is being missed or if there is an alternate approach, such as why we are getting origin 'https://example.com' being in the request via Drupal and not 'https://www.example.com'.
Last note it that when I review some resources I see two distinct patterns.
If a resource has status of "301 Moved Permanently" in the request headers there is
Host www.example.com
Referer https://example.com/
Where the status is "304 Not Modified"
Host example.com
Referer https://example.com/
It's odd that there is any www at all; htaccess should be redirecting and it is absent from base_url.
I have experienced a very similar issue.
Be ensured that module headers is enabled
1 - To enable mod headers on Apache2 (httpd) you need to run this command:
sudo a2enmod headers
Then restart Apache
sudo service apache2 restart
2 - To allow Access-Control-Allow-Origin (CORS) authorization for specific origin domains for all files, add this in your .htaccess
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin https://example.org
Header set Access-Control-Allow-Origin https://example.com
Header set Access-Control-Allow-Origin https://example.eu
## SECURITY WARNING : never add following line when site is in production
## Header set Access-Control-Allow-Origin "*"
</IfModule>
2 - To allow Access-Control-Allow-Origin (CORS) authorization for specific origin domains and for fonts only in our example, use FilesMatch like in the following section in your .htaccess
<FilesMatch "\.(ttf|otf|eot|woff|woff2)$">
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin https://example.org
Header set Access-Control-Allow-Origin https://example.com
Header set Access-Control-Allow-Origin https://example.eu
</IfModule>
</FilesMatch>
After making changes in .htaccess file, no need to restart your apache webserver
I added the following lines to my .htacces file:
Content-Security-Policy: default-src 'self'
X-Content-Security-Policy: default-src 'self'
X-WebKit-CSP: default-src 'self'
But I always got the following error:
Invalid command 'Content-Security-Policy:', perhaps misspelled or defined by a module not included in the server configuration
I don't get it. Which Apache module do I have to activate? What's wrong with these lines?
Thx,
David
Add those lines into your httpd.conf configuration files, or inside your virtualhost sections, or inside your .htaccess files:
Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP
Header add X-WebKit-CSP "default-src 'self'"
You may also be interested in adding those headers:
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "DENY"
Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"
You have to enable (LoadModule) mod_headers if not already enabled, then restart apache.
I'm not an apache expert, but content security policy is a response header. http://httpd.apache.org/docs/2.2/mod/mod_headers.html
We want to add X-Frame-Options to all Http responses except some of them (as some pages are supposed to be shown in iframes, and outside of the website). How can this be done?
Solved with adding
Header set X-Frame-Options DENY
....
<LocationMatch "....">
Header unset X-Frame-Options
</LocationMatch>