I am not able to see SameSite=Strict using builtin developer tools in the “Application” tab.
I have added below Header code in Apache configuration
Header always edit Set-Cookie (.*) "$1;SameSite=Strict"
Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict
Please let me know how to set SameSite=Strict using above settings.
For apache2 >= 2.2.4
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
For apache2 lower than 2.2.4
Header set Set-Cookie HttpOnly;Secure;SameSite=Strict
In my local environment (Apache 2.4) after enabling mod_headers I was able to achive this by adding directives like below in my vhost:
<ifmodule mod_headers.c>
Header always edit Set-Cookie (.*) "$1; SameSite=strict"
</ifmodule>
Where is the difference? Why it didn't work for you? Mayby its lack of "space" after semicolon?
<ifmodule mod_headers.c>
# always is similar to "onerrors"
Header always edit Set-Cookie (.*) "$1; SameSite=strict"
# success is similar to http 2xx response code
Header onsuccess edit Set-Cookie (.*) "$1; SameSite=strict"
# remove duplications (apache sends from both tables always and onsuccess)
## https://www.tunetheweb.com/security/http-security-headers/secure-cookies/
#Strip off double SameSite=strict settings as using above you can sometimes get both
Header edit Set-Cookie ^(.*);\s?SameSite=strict;?\s?(.*);\s?SameSite=strict;?\s?(.*)$ "$1; $2; $3; SameSite=strict"
#Strip off double ;; settings
Header edit Set-Cookie ^(.*);\s?;\s?(.*)$ "$1; $2"
</ifmodule>
[apache manual] (https://httpd.apache.org/docs/2.2/de/mod/mod_headers.html)
[stack discusion] (httpd duplicate Access-Control-Allow-Origin with "Header always set")
Related
I want to set "SameSite" and "Secure" as follows in httpd.conf file, only if url is https only.
How can add condition to check if url is https or http
Header always edit Set-Cookie (.*) "$1; SameSite=None; Secure"
Header onsuccess edit Set-Cookie (.*) "$1; SameSite=None; Secure
I have tried following solutions but didn't help:
<If "reqenv('HTTPS') == 'on'">
SetEnvIf HTTPS "on" HAS_HTTPS
SetEnvIfExpr "tolower(req('HTTPS')) =='on'" HAS_HTTPS
I have a problem with modifying cookie attributes in .htaccess file. I tryed these codes:
Header always edit "Set-Cookie" ""
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
Header always Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
Header set Set-Cookie HttpOnly;Secure;SameSite=Strict
Header always set Set-Cookie HttpOnly;Secure;SameSite=Strict
but none of these have changed anything in cookie attributes. I can't get apache version, and apache has mod_headers.c.
I am trying to add an Access-Control-Origin header in .htaccess for all URIs ending with .json. I cannot use <FilesMatch> as my paths are rewritten by mod_rewrite. (Or if I can it doesn't work.)
I found on Stack that it should be possible to do it with an env variable:
<IfModule mod_headers.c>
SetEnvIf Request_URI "\.json$" IS_JSON=TRUE
# ".json$" yields the same result
Header set Access-Control-Allow-Origin "*" env=IS_JSON
# "Header add" yields the same result
</IfModule>
But it does never add the header.
I tried using a snipper from another stack answer to check if the env variable is there using:
RewriteCond %{REQUEST_URI} !echo.php
RewriteRule .* echo.php?uri=%{REQUEST_URI}&json=%{ENV:IS_JSON} [L]
And it really was true.
When I remove the condition and leave it as:
Header set Access-Control-Allow-Origin "*"
the header is added, so the mod is loaded, but I would like to limit it for ".json$" only.
What am I doing wrong?
Instead of Header you probably meant to use RequestHeader to send custom headers to your code
SetEnvIf Request_URI \.json$ IS_JSON
RequestHeader set Access-Control-Allow-Origin "*" env=IS_JSON
I have URL rewrite mode enabled for my localhost (apache) server well. But as soon as I try to get access the remote URL via my localhost. it prompts error as:
"Internal Server Error" or sometime "Not Found"
and if I make little change (by removing [P]) in my htaccess file then it's showing the expected URL at console log but still it prompts error as -
" No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin http://localhost:8080' is therefore not allowed access."
My .htaccess file is as:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{SERVER_PORT} !^8080$
RewriteRule ^(.*) http://%{SERVER_NAME}:8080%{REQUEST_URI} [P]
RewriteRule ^(.*) http://<Remote_ip_address>:<port_no>%{REQUEST_URI} [P]
</IfModule>
Any suggestion would be highly appreciated !!
This is an intentional security feature (the Same-origin policy). You need to enable CORS (Cross-Origin Resource Sharing) on the destination server (not in your .htaccess file here, but on Remote_ip_address). Here are a few resources:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
http://enable-cors.org/server_apache.html
This solution below works for me in the vhost file located there :
/etc/httpd/conf.d/vhosts/xxxx.conf
SetEnvIf Origin "^http(s)?://(.+\.)?(yourdomain\.com|otherdomain\.com)$" origin_is=$0
Header set Access-Control-Allow-Origin %{origin_is}e env=origin_is
Header set Access-Control-Allow-Credentials "true"
Header always set Access-Control-Allow-Headers "Authorization"
Header always set Access-Control-Allow-Methods "GET"
DO NOT FORGET
to change yourdomain.com|otherdomain.com
To add/modify the correct Access-Control-Allow-Methods GET, PUT,PUATCH, DELETE, POST
I'm redoing an entire website and the browser is using the cached index.html of pages that are at the same URL.
This is the entire content of the .htaccess file in one of the problem directories:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /products/
# Remove 'index.html' from the URL for old links that include it.
RewriteCond %{THE_REQUEST} ^.*\index\.html?\ HTTP/
RewriteRule ^(.*)index\.html?$ "/products/$1" [R=301,L]
# Use index.php for all requests.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ /products/index.php [L]
</IfModule>
# An atempt to tell the browser not to use a cached .html file.
ExpiresActive on
ExpiresByType text/html "access plus 0 seconds"
<FilesMatch "\.(html)$">
Header set Cache-Control "private, must-revalidate"
</FilesMatch>
I've tried multiple things here, but nothing is working. This is all I see in the headers:
Request URL:http://www.example.com/products/
Request Method:GET
Status Code:200 OK (from cache)
There are no Request Headers or Response Headers.
I'm thinking I can maybe try a RewriteRule to add something like ?28032012 to the end of something, but I don't know how to even attempt that.
I've read that appending ?version=<%=version%> to problematic file names is a good method of cache busting. You may also try as an easier solution the http header "cache-control: max-age = 600" so that anything on the page that is 10 minutes or older is pulled from the server.
You can just append /? to the end of your URL.
Example:
www.google.com/?
The solution I ended up using for this was to redirect all www requests to non www requests. So basically, this approach prevented any browsers from using any cached resources because the www version of the site no longer exists.
This is worked for me.
<IfModule mod_headers.c>
Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0
</IfModule>
Reference: https://wp-mix.com/disable-caching-htaccess/