.htaccess security headers not appearing in requests - apache

I recently did a site health test and found none of my security headers are being sent.
Here is the .htaccess:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://enigmapr0ject.live/$1 [R,L]
# Security Headers
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
# Header set Content-Security-Policy ...
Header set Referrer-Policy "same-origin"
Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
</IfModule>
What am I doing wrong?
Ubuntu 20.04 VPS with latest version of LAMP via APT.
Edit: Changed the code, and the redirect from HTTP to HTTPS works perfectly, but the headers are not present on any requests.

Turns out the AllowOverride was set to None in /etc/apache2/apache2.conf...

Related

Multiple domains for CORS

Following this - https://www.ibm.com/support/pages/configuring-cors-websphere-application-server - I am trying to configure Apache for multiple origin domains and it isn't working. I have the following:
<IfModule setenvif_module>
SetEnvIfNoCase Origin "^https?://(dev\.mydomain\.com|qa\.mydomain\.com|mydomain\.com|myotherdomain\.com|www\.myotherdomain\.com)(:\d+)?$" ACAO=$0
SetEnvIfNoCase REQUEST_METHOD OPTIONS skipwas=1
</IfModule>
<IfModule headers_module>
Header onsuccess unset Access-Control-Allow-Origin env=ACAO
Header always set Access-Control-Allow-Origin "%{ACAO}e" env=ACAO
Header always append Vary "Origin"
</IfModule>
This results in no ACAO header being present in the logs when I open up the Chrome console and attempt to fetch from any of the listed domains. Just wondering what I'm doing wrong?
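
Added example (Python, not from the question): how an Origin allowlist regex behaves when run through `re` in place of Apache's PCRE, with `re.IGNORECASE` standing in for SetEnvIfNoCase and the whole match standing in for `$0` / `%{ACAO}e`. LOOSE_ORIGINS writes the hosts with unescaped dots and no start anchor, STRICT_ORIGINS is the tightened form; the probe origins are constructed.

```python
import re

# Allowlist written with unescaped dots and no start anchor: `.` matches any
# character, so attacker-registrable names such as dev-mydomain.com slip through.
LOOSE_ORIGINS = (r"https?://(dev.mydomain.com|qa.mydomain.com|mydomain.com|"
                 r"myotherdomain.com|www.myotherdomain.com)(:\d+)?$")

# Same list, anchored at both ends with literal dots: only the listed hosts match.
STRICT_ORIGINS = (r"^https?://(dev\.mydomain\.com|qa\.mydomain\.com|mydomain\.com|"
                  r"myotherdomain\.com|www\.myotherdomain\.com)(:\d+)?$")


def allowed_origin(origin: str, pattern: str = STRICT_ORIGINS):
    """Mimic `SetEnvIfNoCase Origin <regex> ACAO=$0`: case-insensitive match, the
    whole matched string is what gets reflected, None when nothing matches."""
    match = re.search(pattern, origin, re.IGNORECASE)
    return match.group(0) if match else None


def cors_response_headers(request_headers: dict, pattern: str = STRICT_ORIGINS) -> dict:
    """Headers the vhost adds: Access-Control-Allow-Origin only for an allowed
    Origin (never `*`, never an unmatched reflection) and `Vary: Origin`
    unconditionally, so shared caches keep per-origin responses apart."""
    response = {"Vary": "Origin"}
    origin = request_headers.get("Origin")
    if origin is not None:
        acao = allowed_origin(origin, pattern)
        if acao is not None:
            response["Access-Control-Allow-Origin"] = acao
    return response


# Constructed probe values, not captured traffic.
PROBES = [
    "https://dev.mydomain.com",
    "https://QA.mydomain.com:8443",
    "https://dev-mydomain.com",   # registrable look-alike, accepted by the loose pattern
    "https://evil.example",
    "null",                       # Origin sent from sandboxed frames / file: pages
]

if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe:32} loose={allowed_origin(probe, LOOSE_ORIGINS)!s:32} "
              f"strict={allowed_origin(probe)}")
```

One thing to keep in mind when testing from the browser console: a same-origin GET carries no Origin header at all (browsers send it on cross-origin requests and on non-GET same-origin requests), so nothing matches and no ACAO header is emitted. Fetch from a page on one of the other listed origins, or send the header by hand with `curl -sI -H 'Origin: https://dev.mydomain.com' https://mydomain.com/`.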

500 Internal Server Error when setting Content-Security-Policy header in .htaccess

I have a domain hosted on a shared server with the following .htaccess headers:
RewriteEngine On
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
Header set X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy strict-origin-when-cross-origin
Header set Content-Security-Policy-Report-Only: default-src: https:
The first group of headers seems to work perfectly, but when I include the last line I get a 500 internal server error and the site doesn't load. I don't have access to the server logs and the host's support agents aren't trained in this field at all.
Is there something I'm doing wrong here? Any help would be really appreciated!
Just worked this out, should have had 'default-src: https:' in quotes, as in:
Header set Content-Security-Policy-Report-Only "default-src https:"
Hope this helps someone!
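
Added example, not from the post: a small Python linter that approximates how httpd splits a `Header` directive into arguments (shlex honours the same double quotes for these lines) and explains the 500 above. Unquoted, `default-src: https:` becomes two arguments; the stray third token `https:` is neither `early` nor an `env=`/`expr=` condition, so httpd rejects the directive, which from .htaccess shows up as a 500 with the reason written only to the error log the poster could not read. The linter also checks the CSP value itself: `default-src:` with a colon is not a CSP directive name (a browser would ignore it), and a Report-Only policy without `report-uri`/`report-to` reports nowhere. HEADER_ACTIONS and CSP_DIRECTIVES are hand-typed from the mod_headers docs and CSP Level 3 and are not exhaustive; the wording of the messages is mine.

```python
import shlex

# Actions mod_headers accepts (edit*, setifempty and note are 2.4 additions).
HEADER_ACTIONS = {"set", "setifempty", "append", "add", "unset", "echo",
                  "merge", "edit", "edit*", "note"}

# CSP directive names a browser recognises (not exhaustive).
CSP_DIRECTIVES = {
    "default-src", "script-src", "script-src-elem", "script-src-attr", "style-src",
    "style-src-elem", "style-src-attr", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
    "prefetch-src", "base-uri", "sandbox", "form-action", "frame-ancestors",
    "upgrade-insecure-requests", "block-all-mixed-content", "report-uri", "report-to",
    "require-trusted-types-for", "trusted-types",
}
CSP_HEADERS = ("content-security-policy", "content-security-policy-report-only")


def lint_csp_value(header_name: str, value: str) -> list:
    """Problems in a CSP value: unknown directive names (a trailing colon is the
    classic slip) and report-only policies that have nowhere to report to."""
    if header_name.lower() not in CSP_HEADERS:
        return []
    problems = []
    directives = [d.strip() for d in value.split(";") if d.strip()]
    for directive in directives:
        name = directive.split()[0]
        if name not in CSP_DIRECTIVES:
            hint = " (directive names are not followed by a colon)" if name.endswith(":") else ""
            problems.append(f"unknown CSP directive {name!r}{hint}")
    if header_name.lower().endswith("-report-only"):
        if not any(d.split()[0] in ("report-uri", "report-to") for d in directives):
            problems.append("report-only policy has no report-uri/report-to, so violations go nowhere")
    return problems


def lint_header_directive(line: str) -> list:
    """Return what would make httpd reject a `Header ... set` line (empty list = fine).
    Only `set` is checked here, because that is the form used on this page."""
    try:
        tokens = shlex.split(line)
    except ValueError as exc:                 # e.g. an unbalanced quote
        return [f"unparseable line: {exc}"]
    if not tokens or tokens[0].lower() != "header":
        return ["not a Header directive"]
    args = tokens[1:]
    if args and args[0] in ("always", "onsuccess"):
        args = args[1:]
    if not args or args[0] not in HEADER_ACTIONS:
        return [f"unknown action {args[0]!r}" if args else "missing action"]
    action, rest = args[0], args[1:]
    if action != "set":
        return []
    if len(rest) < 2:
        return ["`set` needs a header name and a value"]
    name = rest[0].rstrip(":")                # mod_headers tolerates a trailing colon on the name
    value, trailing = rest[1], rest[2:]
    problems = []
    for extra in trailing:
        if extra != "early" and not extra.startswith(("env=", "expr=")):
            problems.append(f"unexpected argument {extra!r}: a value containing spaces must be quoted")
    return problems + lint_csp_value(name, value)


if __name__ == "__main__":
    for sample in (
        "Header set Content-Security-Policy-Report-Only: default-src: https:",
        'Header set Content-Security-Policy-Report-Only: "default-src: https:"',
        'Header set Content-Security-Policy-Report-Only "default-src https:; report-uri /csp-report"',
    ):
        print(sample, "->", lint_header_directive(sample) or "ok")
```

On a shared host without log access, running candidate lines through a check like this before uploading .htaccess beats the edit, reload, 500, revert loop; the authoritative parser is still `apachectl configtest` on a box where you have one.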

How to set SameSite cookie attribute using Apache configuration?

I am not able to see SameSite=Strict using the built-in developer tools in the "Application" tab.
I have added the Header code below to the Apache configuration:
Header always edit Set-Cookie (.*) "$1;SameSite=Strict"
Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict
Please let me know how to set SameSite=Strict using the above settings.
For apache2 >= 2.2.4
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
For apache2 lower than 2.2.4
Header set Set-Cookie HttpOnly;Secure;SameSite=Strict
In my local environment (Apache 2.4), after enabling mod_headers, I was able to achieve this by adding directives like the ones below to my vhost:
<ifmodule mod_headers.c>
Header always edit Set-Cookie (.*) "$1; SameSite=strict"
</ifmodule>
Where is the difference? Why didn't it work for you? Maybe it's the lack of a space after the semicolon?
<ifmodule mod_headers.c>
# always is similar to "onerrors"
Header always edit Set-Cookie (.*) "$1; SameSite=strict"
# success is similar to http 2xx response code
Header onsuccess edit Set-Cookie (.*) "$1; SameSite=strict"
# remove duplications (apache sends from both tables always and onsuccess)
## https://www.tunetheweb.com/security/http-security-headers/secure-cookies/
#Strip off double SameSite=strict settings as using above you can sometimes get both
Header edit Set-Cookie ^(.*);\s?SameSite=strict;?\s?(.*);\s?SameSite=strict;?\s?(.*)$ "$1; $2; $3; SameSite=strict"
#Strip off double ;; settings
Header edit Set-Cookie ^(.*);\s?;\s?(.*)$ "$1; $2"
</ifmodule>
[apache manual] (https://httpd.apache.org/docs/2.2/de/mod/mod_headers.html)
[stack discussion] (httpd duplicate Access-Control-Allow-Origin with "Header always set")
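
An added Python model of the `Header edit` rules in the answer above (not part of any post here), using `re.sub` with `count=1` in place of mod_headers' single-match PCRE substitution and translating `$N` to Python backreferences. It appends SameSite twice, the outcome the answer says you can get when both the always and onsuccess edits fire, then runs the two clean-up regexes literally; the trace shows that a single pass of the double-semicolon rule still leaves one empty `; ;` attribute behind (cookie parsers skip empty attributes, so it is untidy rather than broken). `set_samesite` is a hypothetical helper showing the idempotent alternative: strip any existing SameSite attribute first, then append exactly one. The cookie value is constructed.

```python
import re


def header_edit(value: str, pattern: str, replacement: str) -> str:
    """Apply one Apache `Header edit` rule to a header value.

    mod_headers takes a PCRE pattern with $N backreferences and, unlike `edit*`,
    substitutes only the first match. re.sub with count=1 and backslash-N
    backreferences behaves the same for the patterns on this page."""
    py_replacement = re.sub(r"\$(\d)", r"\\\1", replacement)   # $1 -> \1
    return re.sub(pattern, py_replacement, value, count=1)


# The two edits from the answer, one per header table.
ALWAYS_EDIT = (r"(.*)", "$1; SameSite=strict")
ONSUCCESS_EDIT = (r"(.*)", "$1; SameSite=strict")

# The clean-up rules quoted from tunetheweb, copied verbatim.
DEDUP_RULE = (r"^(.*);\s?SameSite=strict;?\s?(.*);\s?SameSite=strict;?\s?(.*)$",
              "$1; $2; $3; SameSite=strict")
DOUBLE_SEMI_RULE = (r"^(.*);\s?;\s?(.*)$", "$1; $2")


def after_both_tables(set_cookie: str) -> str:
    """The Set-Cookie value when both the `always` and the `onsuccess` edit land on
    the same header: the attribute is appended twice."""
    once = header_edit(set_cookie, *ALWAYS_EDIT)
    return header_edit(once, *ONSUCCESS_EDIT)


def tunetheweb_cleanup(set_cookie: str) -> str:
    """Run the duplicate-stripping rule and the double-semicolon rule once each,
    exactly as `Header edit` (not `edit*`) would."""
    deduped = header_edit(set_cookie, *DEDUP_RULE)
    return header_edit(deduped, *DOUBLE_SEMI_RULE)


def set_samesite(set_cookie: str, policy: str = "Strict") -> str:
    """Hypothetical idempotent alternative: drop every existing SameSite attribute
    and any empty attribute, then append the wanted one exactly once."""
    attrs = [a.strip() for a in set_cookie.split(";")]
    kept = [a for a in attrs if a and not a.lower().startswith("samesite")]
    return "; ".join(kept + [f"SameSite={policy}"])


COOKIE = "sid=abc123; Path=/; HttpOnly"   # constructed sample, as an app would emit it

if __name__ == "__main__":
    doubled = after_both_tables(COOKIE)
    print(doubled)                       # SameSite appears twice
    print(tunetheweb_cleanup(doubled))   # one stray "; ;" survives the single pass
    print(set_samesite(doubled))         # clean, and the same on every repeat
```

In mod_headers terms the idempotent variant is two `always` edits in this order: first an `edit*` that removes any `;\s*SameSite=[^;]*` already present, then the `edit` that appends `; SameSite=Strict` once. That avoids having to write a regex that anticipates every duplication pattern.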

HTTP redirects to a page without HSTS

I am using https://hstspreload.org to test the status of HTTP to HTTPS redirect and HSTS. I receive the following error message:
HTTP redirects to a page without HSTS
http://example.com redirects to https://example.com/, which does not serve a HSTS header that satisfies preload conditions.
Here are the contents of my .htaccess file:
###
# force HTTPS
###
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
###
# HSTS
###
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Header always set Cache-Control "no-store, no-cache, must-revalidate"
</IfModule>
From this blog post I read that:
... that redirect must have the HSTS header, not the page it redirects to.
I am not sure what rules I should add or modify in order to fulfil this condition. If someone knows, based on the information I have provided, what rules should I add or modify in my .htaccess file so that the redirect carries the HSTS header as well?
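
Added example (Python, not from the question): a checker that walks a redirect chain the way hstspreload.org does and says which hop fails the preload conditions, plus a plain "which security headers are missing" report of the kind the site health test in the first question produced. Browsers ignore Strict-Transport-Security received over plain http (RFC 6797), so the http hop is skipped; every https hop, redirects included, must carry `max-age` of at least 31536000, `includeSubDomains` and `preload`. The sample responses are constructed: the broken chain models https://example.com/ answering with a mod_rewrite redirect that carries no HSTS, which is what happens with `Header set` (no `always`), because a locally generated redirect only picks up headers from the `always` table.

```python
from urllib.parse import urlsplit

PRELOAD_MIN_MAX_AGE = 31536000   # one year, the minimum max-age hstspreload.org accepts

# Response headers a typical "site health" scan expects on the final HTTPS page.
EXPECTED_SECURITY_HEADERS = (
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
)


def parse_response(raw: str):
    """Turn a `curl -sI`-style dump into (status_code, {lowercased name: value})."""
    lines = [line for line in raw.strip().splitlines() if line.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def missing_security_headers(raw: str) -> list:
    """Expected headers absent from a response, e.g. when .htaccess is not being read."""
    _, headers = parse_response(raw)
    return [name for name in EXPECTED_SECURITY_HEADERS if name not in headers]


def parse_hsts(value: str) -> dict:
    """Split an HSTS value into {'max-age': int, 'includesubdomains': True, 'preload': True}."""
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        directives[name] = int(arg.strip().strip('"')) if name == "max-age" else True
    return directives


def preload_problems(chain) -> list:
    """chain: [(url, raw_response), ...] in redirect order, final page last.
    http hops are skipped (HSTS is only honoured over TLS); every https hop,
    redirects included, must carry a preload-grade header."""
    problems = []
    for url, raw in chain:
        if urlsplit(url).scheme != "https":
            continue
        status, headers = parse_response(raw)
        label = f"{url} ({status})"
        hsts = headers.get("strict-transport-security")
        if hsts is None:
            problems.append(f"{label}: no Strict-Transport-Security header")
            continue
        d = parse_hsts(hsts)
        if d.get("max-age", 0) < PRELOAD_MIN_MAX_AGE:
            problems.append(f"{label}: max-age must be at least {PRELOAD_MIN_MAX_AGE}")
        if "includesubdomains" not in d:
            problems.append(f"{label}: includeSubDomains missing")
        if "preload" not in d:
            problems.append(f"{label}: preload missing")
    return problems


# Constructed responses, not captured from any real host.
HSTS_OK = "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"
HTTP_HOP = "HTTP/1.1 301 Moved Permanently\nLocation: https://example.com/\n"
# https://example.com/ itself redirects; with `Header set` (no `always`) this
# locally generated redirect carries nothing from the onsuccess table.
HTTPS_REDIRECT_NO_HSTS = "HTTP/1.1 301 Moved Permanently\nLocation: https://www.example.com/\n"
HTTPS_REDIRECT_WITH_HSTS = HTTPS_REDIRECT_NO_HSTS + HSTS_OK + "\n"
FINAL_PAGE = ("HTTP/1.1 200 OK\nContent-Type: text/html; charset=UTF-8\n"
              + HSTS_OK + "\n"
              + "X-Frame-Options: SAMEORIGIN\nX-Content-Type-Options: nosniff\n"
              + "Referrer-Policy: same-origin\n")
BARE_PAGE = "HTTP/1.1 200 OK\nContent-Type: text/html; charset=UTF-8\n"

BROKEN_CHAIN = [("http://example.com/", HTTP_HOP),
                ("https://example.com/", HTTPS_REDIRECT_NO_HSTS),
                ("https://www.example.com/", FINAL_PAGE)]
FIXED_CHAIN = [("http://example.com/", HTTP_HOP),
               ("https://example.com/", HTTPS_REDIRECT_WITH_HSTS),
               ("https://www.example.com/", FINAL_PAGE)]

if __name__ == "__main__":
    print(preload_problems(BROKEN_CHAIN))    # the intermediate https redirect is the culprit
    print(preload_problems(FIXED_CHAIN))
    print(missing_security_headers(BARE_PAGE))
```

To feed it real data, capture each hop separately with `curl -sI` (without `-L`, so the intermediate redirect is visible rather than followed) and pair each dump with the URL it was fetched from.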

Recommended way to to redirect HTTP requests to HTTPS

I have some doubts about how to redirect all my HTTP pages to HTTPS.
I've seen that some people say to do a rewrite like in this reply:
And Apache says to do it this way:
Can anyone explain to me what the recommended way to make this change is?
The only secure way to redirect HTTP to HTTPS is to use HSTS (the Strict-Transport-Security header) with the preload option.
The Apache redirect is insecure because an attacker can intercept it and rewrite it. Unfortunately, for older browsers and browsers that haven't preloaded HSTS, it's your only option:
<VirtualHost *:80>
ServerName www.example.com
Redirect "/" "https://www.example.com/"
</VirtualHost>
Apache redirect
In the https response:
<VirtualHost *:443>
# Use HTTP Strict Transport Security to force client to use secure connections only
# Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Strict-Transport-Security "max-age=31536000"
# Further Configuration goes here
[...]
</VirtualHost>
HSTS
Or, using .htaccess:
RewriteEngine On
# Redirect if http
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# set header if https
# Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
The Header Strict-Transport-Security (HSTS) has 2 effects:
For the visitor, it tells the browser to only use HTTPS on that domain and all subdomains for one year (all HTTP requests are rewritten to HTTPS requests without any network interaction).
For browser vendors, the 'preload' keyword allows them to preload the website in their source code. With that, you avoid the first insecure request: the browser already knows that the website is committed to HTTPS.
Note that HSTS+preload can't be rolled back; it's a definitive commitment to security (but that is its strength: an attacker can't remove it either).
The HSTS in the comment is the most secure one but can't be rolled back:
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
The HSTS not in the comment is less secure because the first connection can still be insecure, and it does not protect subdomains:
Strict-Transport-Security "max-age=31536000"
HSTS is the only reliable protection against SSLStrip.
SEO implications: if the website already redirects all HTTP pages to HTTPS, then that header has no negative (and no positive) effect.
Add this just below or above DocumentRoot in /etc/apache2/sites-available/yoursite.conf:
Redirect permanent / https://your-site.com/