Is there anyway I can use Strict-Transport security - ssl

Is there any way to use a Strict-Transport security header on a site but still have non-ssl sub-domains?

You can just set Strict-Transport-Security header without includeSubDomains. For example if you set Strict-Transport-Security: max-age=31536000 on https://example.com, then browsers won't enforce HTTPS for nonsslsub.example.com.

Related

Azure Webapp x-frame-options defined but Cloudflare seems to add sameorigin

We're hosting a .NET application on a WebApp in Azure. This has a web.config defined where we:
remove x-frame-options
add x-frame-options: ALLOW FROM randomurl.com;
When we directly go to the webapp with the hostname of azurewebsites, we get the correct x-frame-options defined.
However, when we go through Cloudflare, it always seem to add x-frame-options: SAMEORIGIN
Resulting in 2 x-frame-options in the response and probably ignoring our ALLOW since SAMEORIGIN is stricter.
I've checked all possible settings in Cloudflare but I can't find anything that would add this header.
We don't have any HTTP Response Header Modification set.
I don't think any WAF ruleset would automatically add a header.
Anyone has some ideas where to look further or what to test?

Apache X-FRAME OPTIONS

i'm tried to enable X-FRAME only my spasific VH
on httpd-default.conf
i set the line:
Header always append X-Frame-Options SAMEORIGIN
on my website that i need to enable X-FRAME from specific Source:
Header always append X-Frame-Options "ALLOW-FROM https://sites.com"
my main idea it's to block by default X-FRAME
using apache 2.4
thanks
I had a problem using Header always append... (sometimes doesn't works) so I changed to:
Header set X-Frame-Options "ALLOW-FROM https://sites.com"
and it works!
Only remember than Chrome doesn't have support for ALLOW-FROM so it will be ignored and always can pass.
PD: It´s recomended to avoid the use of X-Frame-Options and change to Content Security Policy using frame-src: 'src' https://sites.com 'etc';

Putting hsts headers in apache using htaccess or httpd.conf

I have purchased a ssl certificate recently and have redirected all my traffic on secured https way but i want to get included in hsts preload list. For that reason i want to include hsts header. Is there any way using .htaccess or httpd.conf or if there is another way then please tell me in detail
you can set the hsts header in a .htaccess file:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
#see How to set HSTS header from .htaccess only on HTTPS for more information
or with php:
header('Strict-Transport-Security: max-age=63072000; includeSubdomains; preload');
Also you can put HSTS header on application side, I mean PHP. Add following code top of your header.php or index.php
<?php header("strict-transport-security: max-age=600");
People who uses shared hosting does not have an access to apache.conf. So proper way to do this is putting it on apache.conf.

Allowing cross origin requests for http and https

My website supports both http and https protocols. However using the code below in .htaccess file, I can only set one domain to allow CORS requests:
Header set Access-Control-Allow-Origin: http://example.com
I want to allow CORS for both http and https versions of my site (not just "*") and tried the solutions here:
Access-Control-Allow-Origin Multiple Origin Domains?
But the problem is that all solutions rely on Origin header in the request which may not exist and also is not secure. (anyone can put a origin header in their request)
I want to know if the request has been served over https and use this info to set the proper CORS header. Something like this:
SetEnvIf servedOverHttps httpsOrigin=true
Header set Access-Control-Allow-Origin: https://example.me env=httpsOrigin
SetEnvIf notServedOverHttps httpOrigin=true
Header set Access-Control-Allow-Origin: http://example.me env=httpOrigin
How can I find out that it's a https request?
Have you tried using HTTPS variable?
It will be set to "on" for all https requests.
Your .htaccess should look like this
Header set Access-Control-Allow-Origin: http://example.com #default
Header set Access-Control-Allow-Origin: https://example.com env=HTTPS #override if https

The site specified an invalid Strict-Transport-Security header - firebug

I am getting this warning in firebug when adding HSTS header.
The site specified an invalid Strict-Transport-Security header.
here is my htaccess
<IfModule mod_headers.c>
Header append X-FRAME-OPTIONS: SAMEORIGIN
Header append Strict-Transport-Security: 'max-age=31536000; includeSubDomains'
</IfModule>
When I remove quotes from the value I get Internal Server Error.
Website is being served through https, redirect from http to https is set from apache's site file. SSL certificate is self-signed, if it matters.
mod headers is enabled. Im on debian 7, apache 2.2.
Thanks
As #jhutar mentioned in comments, similarly in my case as I set up the site on the main domain with trusted SSL certificate the problem disappeared. So, the firebug is showing that error only for self-signed(and/or not-trusted) SSL certificates.