Conditionally set X-Frame-Option - apache

I am trying to set X-Frame-Options using IBM HTTP Server (IHS) 8.5.5.12, which is based on Apache HTTP Server 2.2.32.
I have tried SetEnvIf, but I have no idea how to compare an environment variable in the httpd.conf file.
I have tried the same in IHS 9 with an If condition and it works, but I have no idea how to implement the same in IHS 8.5.5.12:
<IfModule mod_headers.c>
<If "%{HTTP:X-Requested-From} == 'mobileapp'">
Header unset X-Frame-Options
</If>
<Else>
Header set X-Frame-Options SAMEORIGIN
</Else>
</IfModule>
The above code works fine in IHS 9. Can someone help here?
Regards
Mohammad Ashfaq

The trick here is that the Header directive can be conditional in Apache 2.2, but only on an environment variable. SetEnvIf, however, runs first and can set an environment variable based on a request header:
SetEnvIf X-Requested-From mobileapp is_mobile=1
Header set X-Frame-Options SAMEORIGIN
Header unset X-Frame-Options env=is_mobile
$ wget -qS http://localhost 2>&1 | grep X-F
  X-Frame-Options: SAMEORIGIN
$ wget -qS --header="X-Requested-From: mobileapp" http://localhost 2>&1 | grep X-F
$

Related

Fixing multiple broken headers in Apache 2.4

I'm using Apache 2.4.52 and I have two headers I'd like to fix in my Apache config. The problem is that only one RequestHeader works at a time.
I can only get the 'SOME-TOKEN' RequestHeader working if I comment out or remove SOME-API-KEY from the config.
Note: this problem happens using either method from the code below. Only the SOME_API_KEY header works; for the SOME-TOKEN header to work, I have to remove the other RequestHeader.
RequestHeader set SOME-API-KEY "expr=%{req:SOME_API_KEY}"
RequestHeader set SOME-TOKEN "expr=%{req:SOME_TOKEN}"
I've also tried this, from here: https://httpd.apache.org/docs/2.4/env.html#examples
The same problem exists: only the SOME-API-KEY RequestHeader works. Again, if I remove the SOME-API-KEY RequestHeader, the SOME-TOKEN header will begin working as expected.
SetEnvIf ^SOME.API.KEY$ ^(.*)$ fix_some_api_key=$1
RequestHeader set SOME-API-KEY %{fix_some_api_key}e env=fix_some_api_key
SetEnvIf ^SOME.TOKEN$ ^(.*)$ fix_some_token=$1
RequestHeader set SOME-TOKEN %{fix_some_token}e env=fix_some_token
Additional info: this API is a separate vhost using mod_wsgi, and I do have WSGIPassAuthorization On set. I've tried using one RequestHeader in the main Apache config and one in the vhost config, and both in the VirtualHost config, to no avail.

Apache mod_headers cannot unset header on a path

I am trying to set a header using mod_headers in Apache in all cases EXCEPT a certain path. I've tried each of the three variations below to do so, but none of them seems to exclude the path properly. In ALL cases I get the header for all requests, including those that match the example path, e.g. http://example.com/charts/24_hour_commodity/450/300
<VirtualHost *:8200>
...
SetEnvIfNoCase Request_URI "^/charts/.*" frameallow
Header set X-Frame-Options SAMEORIGIN env=!frameallow
...
</VirtualHost>
Or:
<VirtualHost *:8200>
...
Header always set X-Frame-Options SAMEORIGIN
<LocationMatch "^/charts">
Header always unset X-Frame-Options
</LocationMatch>
...
</VirtualHost>
Or:
<VirtualHost *:8200>
...
Header always set X-Frame-Options SAMEORIGIN
<Directory "/full/path/to/charts">
Header always unset X-Frame-Options
</Directory>
...
</VirtualHost>
# tried both with and without 'always' in all configs
Can anyone help me figure out why the header is set in the first example, or not unset in the following two? Any one working solution would be enough...
UPDATE:
After reading about the order of processing on the Apache site, I tried using conditional blocks instead. Neither of those works either:
<If "%{REQUEST_URI} =~ m#^/charts#">
Header unset X-Frame-Options
</If>
Or:
SetEnvIfNoCase Request_URI "^/charts" frameallow
<If "reqenv('frameallow') == 1">
Header unset X-Frame-Options
</If>
So, still broken. It must be something about the Header statements not firing after a certain point in processing, or the ones in the conditional somehow firing before the main one and being overridden. I cannot find a way to debug it down to the root cause, though.

Response header with an expression:
Header always set Access-Control-Allow-Origin * "expr=%{REQUEST_URI} =~ m#^/specialPath$#"
This adds the header only when the expr is true. See the bottom of the Header directive section at http://httpd.apache.org/docs/current/mod/mod_headers.html

CORS Access-Control-Allow-Origin Error on Drupal 7 with Cloudflare

We have been having a problem where we get errors of the format:
Font from origin 'https://example.com' has been blocked from loading by
Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin'
header is present on the requested resource. Origin
'https://www.example.com' is therefore not allowed access.
We also get a "Redirect at origin" error.
We are using Drupal 7 and Cloudflare.
We have attempted to edit .htaccess to include:
Header set Access-Control-Allow-Origin "https://example.com"
Header set Access-Control-Allow-Origin "https://www.example.com"
Tried quite a lot:
have purged cloudflare
restarted apache
tried wildcard "*"
Drupal CORS module
So far, no joy.
As this approach is not working, I am wondering if something is being missed, or if there is an alternate approach, such as looking at why we are getting origin 'https://example.com' in the request via Drupal and not 'https://www.example.com'.
A last note is that when I review some resources I see two distinct patterns.
If a resource has a status of "301 Moved Permanently", in the request headers there is:
Host www.example.com
Referer https://example.com/
Where the status is "304 Not Modified":
Host example.com
Referer https://example.com/
It's odd that there is any www at all; .htaccess should be redirecting, and it is absent from base_url.

I have experienced a very similar issue.
Make sure the headers module is enabled.
1 - To enable mod_headers on Apache2 (httpd) you need to run this command:
sudo a2enmod headers
Then restart Apache:
sudo service apache2 restart
2 - To allow Access-Control-Allow-Origin (CORS) authorization for specific origin domains for all files, add this to your .htaccess:
<IfModule mod_headers.c>
# Only one Access-Control-Allow-Origin value can be sent and a later "Header set"
# replaces an earlier one, so match the request's Origin against the allowed
# origins and send back the one that matched.
SetEnvIf Origin "^(https://example\.(org|com|eu))$" cors_origin=$1
Header set Access-Control-Allow-Origin %{cors_origin}e env=cors_origin
Header append Vary Origin env=cors_origin
## SECURITY WARNING : never add following line when site is in production
## Header set Access-Control-Allow-Origin "*"
</IfModule>
3 - To allow Access-Control-Allow-Origin (CORS) authorization for specific origin domains and for fonts only in our example, use FilesMatch as in the following section of your .htaccess:
# Match the request's Origin against the allowed origins (only the matched one is sent back)
SetEnvIf Origin "^(https://example\.(org|com|eu))$" cors_origin=$1
<FilesMatch "\.(ttf|otf|eot|woff|woff2)$">
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin %{cors_origin}e env=cors_origin
Header append Vary Origin env=cors_origin
</IfModule>
</FilesMatch>
After making changes to the .htaccess file, there is no need to restart your Apache web server.
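Added example (not code from either answer above, and not Apache's own code): a small Python model of the Apache 2.2 evaluation order that the first answer relies on, every SetEnvIf before mod_headers, with an env= condition on each Header line. It runs that answer's mobile-app exemption, shows why repeated `Header set` lines for one header keep only the last value, and shows the allow-list form that reflects one matched Origin for the CORS case; `apply_directives`, `MOBILE_EXEMPTION`, `CORS_ALLOWLIST` and the example.com origins are constructed for this illustration.

```python
import re
import shlex
# Added example, not Apache code: a model of how Apache 2.2 evaluates SetEnvIf and
# env-conditional Header lines in the order the answer relies on (every SetEnvIf
# runs before mod_headers). Only the directive forms used on this page are handled.
def apply_directives(directives, request):
    env, response, header_ops = {}, {}, []
    for line in directives:
        tok = shlex.split(line)
        if tok[0] in ("SetEnvIf", "SetEnvIfNoCase"):
            flags = re.I if tok[0] == "SetEnvIfNoCase" else 0
            subject = next((v for k, v in request.items() if k.lower() == tok[1].lower()), None)
            m = re.search(tok[2], subject, flags) if subject is not None else None
            for assignment in (tok[3:] if m else []):
                var, _, value = assignment.partition("=")
                env[var] = m.expand(value.replace("$", "\\")) if value else "1"  # $1 back-refs
        elif tok[0] == "Header":
            header_ops.append(tok[2:] if tok[1] == "always" else tok[1:])
    for op in header_ops:  # mod_headers: env is complete by the time these run
        if op[-1].startswith("env="):
            cond, op = op[-1][4:], op[:-1]
            if (cond.lstrip("!") in env) == cond.startswith("!"):
                continue  # env= condition not met, so the directive is skipped
        action, name = op[0], op[1]
        if action == "set":  # %{VAR}e expands an environment variable
            response[name] = re.sub(r"%\{(\w+)\}e", lambda x: env.get(x.group(1), ""), op[2])
        elif action == "unset":
            response.pop(name, None)
    return response

# The accepted answer: a client-chosen header exempts the response from SAMEORIGIN,
# so this is a usability exemption for a known app, not a security boundary.
MOBILE_EXEMPTION = [
    "SetEnvIf X-Requested-From mobileapp is_mobile=1",
    "Header set X-Frame-Options SAMEORIGIN",
    "Header unset X-Frame-Options env=is_mobile",
]
# Repeating 'Header set' for one header keeps only the last value, so a site that
# serves several origins should reflect the one matched Origin instead (constructed).
CORS_ALLOWLIST = [
    'SetEnvIf Origin "^(https://(www[.])?example[.]com)$" cors_origin=$1',
    "Header set Access-Control-Allow-Origin %{cors_origin}e env=cors_origin",
]

def framing_policy(request):
    return apply_directives(MOBILE_EXEMPTION, request).get("X-Frame-Options")

def cors_origin(directives, request):
    return apply_directives(directives, request).get("Access-Control-Allow-Origin")
```

The same model reproduces the path exemption from the "cannot unset header on a path" question (`SetEnvIfNoCase Request_URI` plus `env=!frameallow`) when the directives are passed to `apply_directives` with a `Request_URI` key in the request.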

X-Frame-Options and frames

I set X-Frame-Options DENY in the Apache configuration file:
Header always append X-Frame-Options DENY
I can see that the server response contains X-Frame-Options: DENY in the headers, but the iframe on the page is still visible.
What am I doing wrong?

The best way I've found is to set it under your virtual host and, if you're using Drupal, make sure your "settings.php" has the following added to it:
$conf['x_frame_options'] = '';
Apache: in the virtual host, set the following at the top of your definition (see below):
<VirtualHost *:80>
DocumentRoot "/var/www/your_site_dir"
SetEnvIf Referer "^.*?\.yourdomain\.(com|net)\.au.*?$" NO_X_FRAME_OPTIONS 1
Header always unset X-Frame-Options env=NO_X_FRAME_OPTIONS
Header set X-Frame-Options "SAMEORIGIN" env=!NO_X_FRAME_OPTIONS
# Rest of config below...
</VirtualHost>
Hope this helps! PS: this will also work with all unsupported browsers.

This option isn't supported by every browser:
IE8+
Opera 10.50+
Safari 4+
Chrome 4.1.249.1042+ (Allow-From not yet supported)
Firefox 3.6.9 (or earlier with NoScript)
Source: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

how to set http header before custom handler on apache 2.2

I have a custom module in Apache 2.2 that checks the referrer header and decides whether to drop the request or process it for the answer.
Apache is behind the CloudFront CDN, so headers like User-Agent and Referer are not forwarded.
The solution would be to add a cookie to the request containing the referrer and, on the Apache side, take that and use it to overwrite the Referer header. Is this possible?
Summarizing, I would take the custom value from the cookie, put it in the Referer header and process it in our custom module:
<VirtualHost *:80>
RequestReadTimeout header=10-30,MinRate=500
RewriteEngine On
Header set Referer HTTP_COOKIE:referer
RequestHeader unset Authorization
<Location /getobject>
SetHandler getobject
</Location>
</VirtualHost>
I tested with the debug tool in the browser and I'm sure that the cookie is sent to the server.
I tried the example above but it doesn't work. Any idea?

I can answer myself.
I can add the headers I need on the server via JavaScript in the cookies:
document.cookie="referrer="+window.parent.location;
After that, on the server, I can use:
# Copy the "referrer=" value out of the Cookie header into an environment variable
SetEnvIfNoCase Cookie "referrer=(\w+:\/\/[^;]*)" HTTP_MY_COOKIE=$1
# Keep it only if it looks like an http(s) URL
SetEnvIfNoCase HTTP_MY_COOKIE "^(https?:\/\/.*\.\w+)" Referrer=$1
<IfModule mod_headers.c>
# Overwrite the Referer request header seen by the custom handler with that value
RequestHeader set Referer %{Referrer}e env=Referrer
</IfModule>