How we can edit Apache config file in a Kubernetes environment?
Usually I do edit some security in the .conf for all the headers.
Exemple:
Content-Security-Policy
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Permissions-Policy
Thank you
I have a AngularJS app deployed using Yeoman. Cakephp RESTful backend.
The Angular app sends in OPTIONS preflight requests, which the backend responds with forbidden (403), in nginx to solve this problem I have used this:
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE';
add_header 'Access-Control-Allow-Headers' 'X-AuthTokenHeader,Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
How do I go about doing this in Apache? Please provide some preliminary guidance/comments, I will figure out the details after that and improve the question with granular details.
I had the same question and the answer given does not solve the problem.
By looking around more I found you could do this using the rewrite, e.g:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
(make sure you enable the rewrite mod)
Then you should use, the "always set" to set the headers, e.g:
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"
Explanations here: https://serverfault.com/questions/231766/returning-200-ok-in-apache-on-http-options-requests
Add this to your .htaccess file to your apache root directory:
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
Make sure to activate the apache module headers:
a2enmod headers
Source: https://stackoverflow.com/a/11691776/1494875
If it helps -
I was using authentication so I also had to add following to make POST request work for me:
<LimitExcept OPTIONS>
Require valid-user
</LimitExcept>
I added the following lines to my .htacces file:
Content-Security-Policy: default-src 'self'
X-Content-Security-Policy: default-src 'self'
X-WebKit-CSP: default-src 'self'
But I always got the following error:
Invalid command 'Content-Security-Policy:', perhaps misspelled or defined by a module not included in the server configuration
I don't get it. Which Apache module do I have to activate? What's wrong with these lines?
Thx,
David
Add those lines into your httpd.conf configuration files, or inside your virtualhost sections, or inside your .htaccess files:
Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP
Header add X-WebKit-CSP "default-src 'self'"
You may also be interested in adding those headers:
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "DENY"
Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"
You have to enable (LoadModule) mod_headers if not already enabled, then restart apache.
I'm not an apache expert, but content security policy is a response header. http://httpd.apache.org/docs/2.2/mod/mod_headers.html
I have meteor behind nginx - nginx is listening to 443. If i set force-ssl to true in meteor, the manual recommends to "set the standard x-forwarded-proto header for the force-ssl package to work."
Does this mean I have add proxy_set_header X-Forwarded-Proto $proxy_add_x_forwarded_for; in my nginx config?
And what exactly does this protect me against when I already have add_header Strict-Transport-Security max-age=31536000; and add_header X-Frame-Options DENY; in my nginx.conf?
Thank you!!!
At the moment meteor behind nginx might not be a good idea if its for multiple meteor instances as they can't share client's state until they release their DDP proxy. But if its a single instance as per the docs you have to set that header in your nginx config.
This only ensures that if meteor is loaded without SSL it forces the browser to use SSL. If you already have a nginx setting that does this for you the force-ssl package won't really do much extra for you.
We want to add X-Frame-Options to all Http responses except some of them (as some pages are supposed to be shown in iframes, and outside of the website). How can this be done?
Solved with adding
Header set X-Frame-Options DENY
....
<LocationMatch "....">
Header unset X-Frame-Options
</LocationMatch>