I have a problem with modifying cookie attributes in .htaccess file. I tryed these codes:
Header always edit "Set-Cookie" ""
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
Header always Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
Header set Set-Cookie HttpOnly;Secure;SameSite=Strict
Header always set Set-Cookie HttpOnly;Secure;SameSite=Strict
but none of these have changed anything in cookie attributes. I can't get apache version, and apache has mod_headers.c.
Related
I want to set "SameSite" and "Secure" as follows in httpd.conf file, only if url is https only.
How can add condition to check if url is https or http
Header always edit Set-Cookie (.*) "$1; SameSite=None; Secure"
Header onsuccess edit Set-Cookie (.*) "$1; SameSite=None; Secure
I have tried following solutions but didn't help:
<If "reqenv('HTTPS') == 'on'">
SetEnvIf HTTPS "on" HAS_HTTPS
SetEnvIfExpr "tolower(req('HTTPS')) =='on'" HAS_HTTPS
I am not able to see SameSite=Strict using builtin developer tools in the “Application” tab.
I have added below Header code in Apache configuration
Header always edit Set-Cookie (.*) "$1;SameSite=Strict"
Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict
Please let me know how to set SameSite=Strict using above settings.
For apache2 >= 2.2.4
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
For apache2 lower than 2.2.4
Header set Set-Cookie HttpOnly;Secure;SameSite=Strict
In my local environment (Apache 2.4) after enabling mod_headers I was able to achive this by adding directives like below in my vhost:
<ifmodule mod_headers.c>
Header always edit Set-Cookie (.*) "$1; SameSite=strict"
</ifmodule>
Where is the difference? Why it didn't work for you? Mayby its lack of "space" after semicolon?
<ifmodule mod_headers.c>
# always is similar to "onerrors"
Header always edit Set-Cookie (.*) "$1; SameSite=strict"
# success is similar to http 2xx response code
Header onsuccess edit Set-Cookie (.*) "$1; SameSite=strict"
# remove duplications (apache sends from both tables always and onsuccess)
## https://www.tunetheweb.com/security/http-security-headers/secure-cookies/
#Strip off double SameSite=strict settings as using above you can sometimes get both
Header edit Set-Cookie ^(.*);\s?SameSite=strict;?\s?(.*);\s?SameSite=strict;?\s?(.*)$ "$1; $2; $3; SameSite=strict"
#Strip off double ;; settings
Header edit Set-Cookie ^(.*);\s?;\s?(.*)$ "$1; $2"
</ifmodule>
[apache manual] (https://httpd.apache.org/docs/2.2/de/mod/mod_headers.html)
[stack discusion] (httpd duplicate Access-Control-Allow-Origin with "Header always set")
I am working on a system that needs to send Bearer token keys (JWT) for all URLs from an app our company is developing, the problem occurs when there is an attachment that needs to be downloaded, when clicking the link it fires the browser on the mobile device.
As you know this will not allow the headers to be set, so am working on a solution to add the header if it is emtpy.
Now I can get the env variable populated from the query string.
But I need a way to set the requestheader early along with the env= value, is this possible?
This is what I have:
RewriteCond %{QUERY_STRING} (?:^|&)token=([^&]+)
RewriteRule (.*) - [E=JW_TOKEN:%1]
RequestHeader setIfEmpty Authorization "Bearer %{JW_TOKEN}e" "env=JW_TOKEN"
What I need to do is something like:
RewriteCond %{QUERY_STRING} (?:^|&)token=([^&]+)
RewriteRule (.*) - [E=JW_TOKEN:%1]
RequestHeader setIfEmpty Authorization "Bearer %{JW_TOKEN}e" "env=JW_TOKEN early"
But this does not work.
I had a similar issue with HSTS. The most elegant way to conditionally set the header is (as described here: https://stackoverflow.com/a/24145033/3433306):
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
But this cannot be combined with the early flag. However, we can set the header early and remove it later, if the environment variable is not set as required.
Header set Strict-Transport-Security "max-age=31536000" early
Header unset Strict-Transport-Security env=!HTTPS
In your case, this would make something like the following (not tested):
RewriteCond %{QUERY_STRING} (?:^|&)token=([^&]+)
RewriteRule (.*) - [E=JW_TOKEN:%1]
RequestHeader setIfEmpty Authorization "Bearer %{JW_TOKEN}e" "early"
RequestHeader unset Authorization "env=!JW_TOKEN"
This question already has answers here:
Set Apache headers conditionally
(2 answers)
Closed 4 years ago.
I'm new in Apache server configuration, now I try to enable CORS.
With follow setting in httpd.conf, CORS can work properly.
<VirtualHost *:80>
DocumentRoot /var/www/html/
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
Header always set Access-Control-Allow-Origin "http://example.com"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Allow-Headers: "Content-Type"
</VirtualHost>
But current server always set Access-Control-Allow-xxx header to all coming request (Both Pre-flight OPTIONS request and actual request).
I only want to add Access-Control-Allow-xxx header for Pre-light request from setting origin (http://example.com), have any way to config for it?
I've read this question, and setenvif manual, but I can't find any option that I can extract Origin info from the request.
I will be grateful for any help you can provide.
As SetEnvIf document, attribute in SetEnvIf attribute regex [!]env-variable syntax, can be An HTTP request header field (see RFC2616 for more information about these); for example: Host, User-Agent, Referer, and Accept-Language.
So I can resolve with below config.
<VirtualHost *:80>
DocumentRoot /var/www/html/
SetEnvIf Origin "^http://fiddle.jshell.net$" ORIGIN_COND
Header always set Access-Control-Allow-Origin "http://example.com" env=ORIGIN_COND
...
</VirtualHost>
Thanks #CRroe and #arco444 make me clearly.
I have URL rewrite mode enabled for my localhost (apache) server well. But as soon as I try to get access the remote URL via my localhost. it prompts error as:
"Internal Server Error" or sometime "Not Found"
and if I make little change (by removing [P]) in my htaccess file then it's showing the expected URL at console log but still it prompts error as -
" No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin http://localhost:8080' is therefore not allowed access."
My .htaccess file is as:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{SERVER_PORT} !^8080$
RewriteRule ^(.*) http://%{SERVER_NAME}:8080%{REQUEST_URI} [P]
RewriteRule ^(.*) http://<Remote_ip_address>:<port_no>%{REQUEST_URI} [P]
</IfModule>
Any suggestion would be highly appreciated !!
This is an intentional security feature (the Same-origin policy). You need to enable CORS (Cross-Origin Resource Sharing) on the destination server (not in your .htaccess file here, but on Remote_ip_address). Here are a few resources:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
http://enable-cors.org/server_apache.html
This solution below works for me in the vhost file located there :
/etc/httpd/conf.d/vhosts/xxxx.conf
SetEnvIf Origin "^http(s)?://(.+\.)?(yourdomain\.com|otherdomain\.com)$" origin_is=$0
Header set Access-Control-Allow-Origin %{origin_is}e env=origin_is
Header set Access-Control-Allow-Credentials "true"
Header always set Access-Control-Allow-Headers "Authorization"
Header always set Access-Control-Allow-Methods "GET"
DO NOT FORGET
to change yourdomain.com|otherdomain.com
To add/modify the correct Access-Control-Allow-Methods GET, PUT,PUATCH, DELETE, POST