I am using https://hstspreload.org to test the status of HTTP to HTTPS redirect and HSTS. I receive the following error message:
HTTP redirects to a page without HSTS
http://example.com redirects to https://example.com/, which does not serve a HSTS header that satisfies preload conditions.
Here are the contents of my .htaccess file:
###
# force HTTPS
###
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
###
# HSTS
###
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Header always set Cache-Control "no-store, no-cache, must-revalidate"
</IfModule>
From this blog post I read that:
... that redirect must have the HSTS header, not the page it redirects to.
I am not sure what rules should I add or modify in order to fulfill this condition. If someone knows, based on the information I have provided, what ruling should I add or modify in my .htaccess file to have HSTS header in the redirect as well?
Related
After switching to https and adding following lines to .htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Everything seems to be working fine - even if someone type http://mywebsite.com will be redirected to https://.
However, as per my understanding, HSTS should also enforce all content to be loaded via https if possible. Unfortunately, every now and then if someone makes a mistake and load some image (hosted on the same domain) via http:// instead of https:// Chrome will show a mixed content warning.
Did I make some mistake or my understanding of HSTS is wrong?
I have 2 projects, one is a PHP web API with the following .htaccess:
Header add Access-Control-Allow-Origin "http://app.domain.com"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
Header always set Access-Control-Allow-Credentials true
RewriteEngine on
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-l
RewriteRule ^(.*)$ index.php/$1
Note the Access-Control-Allow-Origin header which contains the base URL of the second project (an angularjs application).
This does work, however I'd like to change the origin to * if both projects are being run on localhost, so that every developer within this project can simply test changes without deploying first.
How can I achieve this?
We do not want to use a separate .htaccess for local tests. We prefer to use a single one.
Are you searching for this ?
replace "Error Document" with "Acces control"
https://www.html-seminar.de/forum/thread/4027-if-abfrage-in-htaccess-unterscheiden-zwischen-localhost-xampp-und-webserver/
# Localhost / XAMPP
<IfModule mod_win32.c>
ErrorDocument 403 http://localhost/phip/www/404.html
ErrorDocument 404 http://localhost/phip/www/404.html
</IfModule>
# Webserver
<IfModule !mod_win32.c>
ErrorDocument 403 http://***/404.html
ErrorDocument 404 http://***/404.html
</IfModule>
My shared host offers shared SSl certificate like the following:
https://host###.HostMonster.com/~username
Where host### is the hosting server for my account there.
I use CakePHP app on the root of public_html where I have public_html/webroot path and I use the following .htaccess settings on public_html:
# Turn off the ETags
Header unset ETag
FileETag None
# Turn off the Last Modified header except for html docs
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|mp3)$">
Header unset Last-Modified
</FilesMatch>
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf|mp3)$">
Header set Expires "Thu, 15 Jan 2015 20:00:00 GMT"
</FilesMatch>
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf|mp3)$">
Header set Cache-Control "max-age=31449600"
</FilesMatch>
# Use PHP5.3 as default
AddHandler application/x-httpd-php54 .php
Redirect /Hosting/Q/ http://sub.mydomain.net/
<IfModule mod_rewrite.c>
RewriteEngine on
#RewriteCond %{HTTPS} =on
#RewriteBase /~twoindex/
RewriteRule ^$ webroot/ [L]
RewriteRule (.*) webroot/$1 [L]
</IfModule>
AddType audio/mpeg mp3
AddType text/xml xml
When I try to access https://host15.HostMonster.com/~myuser where host15 is my host server, I got 404 error.
I tried the following:
Creating a simple html file and placing it on public_html and then accessing it using https://host15.HostMonster.com/~myuser/simple.html. It also returns 404 error.
I tried to comment out the two lines after RewriteEngine on but no success too.
Removing the contents of the .htaccess file i.e making it empty, allowed me to access simple.html via https successfully.
The last try, is not a real option for me because it will destroy my CakePHP application. However, it approved that it is a problem related with rewriting rules in the .htaccess. So, I need to know how to modify the .htaccess to allow accessing my CakePHP application while allowing accessing the simple.html or better a sub directory on public_html
Update
I tried the following rule, but it ended with the error This webpage has a redirect loop when I try to access https://host15.HostMonster.com/~myuser/folder and it keeps everything fine for the CakePHP application.:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} ^host15\.HostMonster\.com [NC]
RewriteRule ^(.*)$ /~myuser/$1 [R,L]
RewriteRule ^$ webroot/ [L]
RewriteRule (.*) webroot/$1 [L]
</IfModule>
I have the below configurations set up in a .htaccess file.
Instead of hard-coding the domain name (domain.com), can I use the domain of the current request and prevent hard-coding of the domain name?
Also, is that safe? Hard-coding guarantees the correct domain of course, but I'm trying to think if the 'grab current domain name' method might cause other issues (especially with the first two examples below).
# Allow cross-domain requests
#
SetEnvIf Origin "^http(s)?://(.+\.)?(domain\.com)$" origin_is=$0
Header add Access-Control-Allow-Origin %{origin_is}e env=origin_is
Header add Access-Control-Allow-Credentials: true
# CSP
#
Header set Content-Security-Policy "default-src 'none'; connect-src http://domain.com https://domain.com;"
# Set domain name as a variable
#
RewriteRule .* - [E=domain_name:domain.com]
# Redirect non-secure (HTTP) traffic to secure (HTTPS)
#
RewriteCond %{ENV:HTTPS} !on [NC]
RewriteRule ^(.*)$ https://%{ENV:domain_name}/$1 [R=301,L]
You can just use %{HTTP_HOST} env variable which is already populated by Apache.
RewriteCond %{ENV:HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
I'm redoing an entire website and the browser is using the cached index.html of pages that are at the same URL.
This is the entire content of the .htaccess file in one of the problem directories:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /products/
# Remove 'index.html' from the URL for old links that include it.
RewriteCond %{THE_REQUEST} ^.*\index\.html?\ HTTP/
RewriteRule ^(.*)index\.html?$ "/products/$1" [R=301,L]
# Use index.php for all requests.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ /products/index.php [L]
</IfModule>
# An atempt to tell the browser not to use a cached .html file.
ExpiresActive on
ExpiresByType text/html "access plus 0 seconds"
<FilesMatch "\.(html)$">
Header set Cache-Control "private, must-revalidate"
</FilesMatch>
I've tried multiple things here, but nothing is working. This is all I see in the headers:
Request URL:http://www.example.com/products/
Request Method:GET
Status Code:200 OK (from cache)
There are no Request Headers or Response Headers.
I'm thinking I can maybe try a RewriteRule to add something like ?28032012 to the end of something, but I don't know how to even attempt that.
I've read that appending ?version=<%=version%> to problematic file names is a good method of cache busting. You may also try as an easier solution the http header "cache-control: max-age = 600" so that anything on the page that is 10 minutes or older is pulled from the server.
You can just append /? to the end of your URL.
Example:
www.google.com/?
The solution I ended up using for this was to redirect all www requests to non www requests. So basically, this approach prevented any browsers from using any cached resources because the www version of the site no longer exists.
This is worked for me.
<IfModule mod_headers.c>
Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0
</IfModule>
Reference: https://wp-mix.com/disable-caching-htaccess/