How to enable Expect-Ct on apache using .htaccess - apache

I want to enable Expect-CT on my website.
From searching around, I created this code on my own.
<IfModule mod_headers.c>
Expect-CT: max-age=86400, enforce, report-uri="https://foo.example/report"
</IfModule>
I want to ask if this is right or not, and what is the report URI? Can it be any random link, or something else?
For example, if my website is testwebsite.com, should the report URI be testwebsite.com/report? And how can I check the reports?

This is a good question; while the general syntax form is explained in the link provided in comments, it doesn't explain how to correctly apply this header in the .htaccess or httpd.conf Apache files.
Through trial and error I found this works:
<IfModule mod_headers.c>
Header set Expect-CT enforce,max-age=2592000,report-uri="https://foo.example/report"
</IfModule>
Note that there should not be any white space in the "data" part.
Also note that the output detected by such things as redbot.org does not show exactly the same thing.
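An added example (not part of the question or answer above) for checking what the server actually sends: it parses an Expect-CT header value directive by directive, so the no-whitespace form from the answer and the comma-space form from the question can be compared, and it reduces a report POSTed to the report-uri to the fields worth logging. The report body is constructed here; its field names follow the Expect-CT draft.

```python
import json
from urllib.parse import urlsplit

def parse_expect_ct(value):
    """Split an Expect-CT header value into its directives and sanity-check them.
    Note: a comma inside a quoted report-uri is not handled by this simple split."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name, raw = name.strip().lower(), raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]                      # quoted-string, e.g. report-uri
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = raw if raw else True  # bare flag such as enforce
    # max-age is mandatory and must be a non-negative integer
    if not str(directives.get("max-age", "")).isdigit():
        raise ValueError("max-age must be present and a non-negative integer")
    # report-uri, if present, must be an absolute https URL you control
    uri = directives.get("report-uri")
    if uri is not None:
        u = urlsplit(uri if isinstance(uri, str) else "")
        if u.scheme != "https" or not u.netloc:
            raise ValueError("report-uri must be an absolute https URL")
    return directives

def summarize_report(body):
    """Reduce a POSTed Expect-CT report (JSON) to loggable fields;
    raises ValueError if the envelope is missing."""
    doc = json.loads(body)
    rep = doc.get("expect-ct-report")
    if not isinstance(rep, dict):
        raise ValueError("missing expect-ct-report object")
    return {
        "hostname": str(rep.get("hostname", "")),
        "port": int(rep.get("port", 443)),
        "when": str(rep.get("date-time", "")),
        "mode": str(rep.get("failure-mode", "")),
        "scts": len(rep.get("scts", [])),
    }

# Constructed sample report, shaped like the draft's JSON envelope.
SAMPLE_REPORT = json.dumps({"expect-ct-report": {
    "date-time": "2020-01-01T00:00:00Z", "hostname": "testwebsite.com",
    "port": 443, "failure-mode": "enforce", "scts": []}})
```

The endpoint behind the report-uri only needs to accept a JSON POST and hand the body to summarize_report; the browser sends nothing else there.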

Related

Is it possible to set a header based on the UAGENT in htaccess

Because Microsoft Internet Explorer and Microsoft Edge don't support Content Security Policy version 2 (or, in the case of IE, don't support it at all), I would like to change the Content Security Policy based on the user agent. This is fairly simple with PHP, but I would like to do this with the .htaccess file. The question is: is this possible, and how? So far I have found lots of rewrite rules but no mod_headers examples doing this.
I am looking for something like this:
Header set Content-Security-Policy: ...
<UserAgentMatch "(Edge|Internet Explorer)$">
Header unset Content-Security-Policy
</UserAgentMatch>
Does anyone have an idea how I can do this, and whether it's possible?
UPDATE:
Walf's answer gives an internal server error, but after some fine-tuning it resulted in a solution. For those looking for the same, see the code below.
<If "%{HTTP_USER_AGENT} !~ /(MSIE|Edge)s*/i">
header always set Content-Security-Policy "..."
</If>
Tried setting the header only if it's not those browsers?
<If "%{HTTP_USER_AGENT} !~ /\s+(?:MSIE\s+\d|Edge\/)/">
Content-Security-Policy: ...
</If>

how to block cross frame scripting in Apache for svn

I have SVN configured through Apache 2.4.18 on Linux 6.6. Next, I have to disable cross frame scripting for my SVN URL. The SVN URL is like https://servername/svn/projectA. I have compiled mod_security2.so, copied it to the /modules directory and loaded it; then in the VirtualHost I have the lines below.
LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua-5.1.so
LoadModule security2_module modules/mod_security2.so
httpd-vhosts.conf
<VirtualHost *:80>
ServerAdmin email#domain.com
DocumentRoot "/var/local/apache/httpd2.4.18/htdocs"
ServerName servername.fqdn.com
# For http to https redirect
Redirect / https://servername
TraceEnable off
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
SecRuleEngine On
#SecFilterEngine On
#SecFilterForceByteRange 32 126
#SecFilterScanPOST On
#SecFilter "<( |\n)*script"
SecRequestBodyAccess On
SecResponseBodyAccess On
ErrorLog "logs/error_log"
CustomLog "logs/access_log" common
</VirtualHost>
The rules that Apache does not support are:
SecFilterEngine
SecFilterForceByteRange
SecFilterScanPOST
SecFilter
Instead of SecFilterEngine, it accepts SecRuleEngine. But I do not know the alternative rules for the other directives. I am using modsecurity-2.9.0 compiled from source. The error I see is below.
[root#server extra]# /var/local/apache/httpd2.4.18/bin/apachectl configtest
AH00526: Syntax error on line 45 of /var/local/apache/httpd2.4.18/conf/extra/httpd-vhosts.conf:
Invalid command 'SecFilterForceByteRange', perhaps misspelled or defined by a module not included in the server configuration.
Does anyone know the mod_security2-supported modules for SecFilterForceByteRange, SecFilterScanPOST and SecFilter? I also read the documentation about mod_security but could not figure out and solve the issue. I followed the URL below.
http://www.unixpearls.com/how-to-block-xss-vulnerability-cross-site-scripting-in-apache-2-2-x/
[EDIT]
It's solved by adding the response header.
All those unsupported commands are ModSecurity v1 commands and have been completely rewritten for ModSecurity 2.
The rule you would want would be something like this:
SecRule ARGS "<( |\n)*script" "phase:2,id:1234,deny"
This basically scans any of your arguments (as parameters or the body) for items like this:
<script
or
< script
or
<
script
That's not a bad start to trying to protect for XSS but is a bit basic.
OWASP has a Core Rule Set of ModSecurity rules and their XSS rules are much more complex and can be seen here: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_41_xss_attacks.conf
XSS can be exploited in a number of ways, some of which will make it to your server (and this sort of thing might catch) and some which might not even make it to your server at all (and so which this can't protect against).
The best way to protect against XSS is to look at Content Security Policy, which allows you to explicitly say what JavaScript you want to allow on your site and what not, and to explicitly deny inline scripts if you want. This may require some clean-up of your site to remove inline scripts and is not always the easiest to set up, particularly if loading third-party assets and widgets on your site, but it is the most robust protection.
The X-Frame-Options header is useful to stop your site being framed, and someone overlaying content to make you think you are clicking on the real site buttons and fields, but actually clicking their buttons. It's not really a form of XSS, since you are more putting scripting on an invisible window on top of your site rather than directly on your site, but can have similar effects. It's a good header to use.
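An added example, not from the question or answer above, for verifying the fix the asker landed on: it looks at a response's headers and reports whether the page can actually be framed. CSP frame-ancestors is checked first because browsers that support it give it precedence over X-Frame-Options, which remains the fallback for older clients. Headers are passed in as constructed (name, value) pairs, for instance from the output of curl -I against the SVN URL.

```python
def frame_protection(headers):
    """headers: iterable of (name, value) pairs as sent by the server.
    Returns the effective framing policy plus notes on weak or odd settings."""
    csp_sources, xfo = [], []
    for name, value in headers:
        n = name.strip().lower()
        if n == "content-security-policy":
            # each CSP header is enforced independently; collect every frame-ancestors
            for directive in value.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    csp_sources.append([t.lower() for t in tokens[1:]])
        elif n == "x-frame-options":
            xfo.append(value.strip().upper())
    result = {"csp": None, "xfo": None, "effective": "none", "notes": []}
    if csp_sources:
        # an empty source list means 'none'; any policy that denies wins
        if any(src == ["'none'"] or not src for src in csp_sources):
            result["csp"] = "deny"
        elif all(src == ["'self'"] for src in csp_sources):
            result["csp"] = "same-origin"
        else:
            result["csp"] = "allowlist"
    if xfo:
        if len(xfo) > 1:
            result["notes"].append("multiple X-Frame-Options values; conflicting ones may be ignored")
        v = xfo[0]
        if v == "DENY":
            result["xfo"] = "deny"
        elif v == "SAMEORIGIN":
            result["xfo"] = "same-origin"
        elif v.startswith("ALLOW-FROM"):
            result["xfo"] = "allow-from"
            result["notes"].append("ALLOW-FROM is obsolete; use CSP frame-ancestors instead")
        else:
            result["notes"].append(f"unrecognised X-Frame-Options value {v!r}")
    result["effective"] = result["csp"] or result["xfo"] or "none"
    if result["csp"] is None and result["xfo"]:
        result["notes"].append("no frame-ancestors; only X-Frame-Options protects this page")
    return result

# Constructed sample: the header the asker ended up adding for the SVN vhost.
SVN_HEADERS = [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")]
```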

Moving from development to production and FA icons are now squares

(Screenshots: Development and Production)
I've read a ton of other posts, and 99% of them boil down to path issues. But if you look at my site you can see that it is properly loading the icon file:
Request URL:http://www.blackrhinounion.com/wp-content/themes/Centum/font/fontawesome-webfont.woff2?v=4.3.0
Request Method:GET
Status Code:304 Not Modified
So I'm thinking something else is the culprit here?
(Edit) Attempted in .htaccess:
# Allow access from all domains for webfonts.
# Alternatively you could only whitelist your
# subdomains like "subdomain.example.com".
<IfModule mod_headers.c>
<FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css|css)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
And it still didn't fix it.
Figured it out.
WP_SITEURL had a www in it, while the WP_HOME didn't. That caused the Cross-Origin issue, removing the www fixed everything.

ModPagespeed domain dynamic url in .htaccess

I'm currently using this snippet of code in my .htaccess for Pagespeed:
<IfModule pagespeed_module>
ModPagespeedDomain cdn.example.com
ModPagespeedMapRewriteDomain cdn.example.com *example.com
</IfModule>
I'd like something like this (Doesn't work):
<IfModule pagespeed_module>
ModPagespeedDomain cdn.%{HTTP_HOST}
ModPagespeedMapRewriteDomain cdn.%{HTTP_HOST} *%{HTTP_HOST}
</IfModule>
I'm looking for a way to keep these variables dynamic so that I don't have to add this by hand per client. I'm also trying to avoid creating a PHP script to do this if there is a way to keep everything in .htaccess. Thanks!
PageSpeed doesn't currently have a way to make this easier for you, sorry! Interpreting %{VARIABLE}s would be a good feature to add.

Selectively configuring Apache 2 mod_headers for Google Chrome Frame

I am currently evaluating Google Chrome Frame, and so far I'm happy with it, but what I'd like to do is selectively use it for certain sections of my website.
Some sections require ActiveX, so they need to be viewed in native IE, whereas others benefit greatly from, and may end up requiring, Chrome Frame.
I've currently got the following configured in my Apache httpd.conf file:
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
BrowserMatch chromeframe gcf
Header append X-UA-Compatible "chrome=1" env=gcf
</IfModule>
</IfModule>
This causes anything coming in via Apache to get the Chrome Frame header added.
What I need is to make this only happen when a user visits particular URLs / particular pages, which I'm currently controlling via RewriteRules.
Could anybody explain how I would go about this, as my understanding of the Apache config files isn't brilliant?
Thanks.