Apache mod_headers cannot unset header on a path - apache

I am trying to set a header using mod_headers in Apache in all cases EXCEPT a certain path. I've tried each of the three variations below to do so, but none of them seem to work properly to exclude the path. In ALL cases I get the header for all requests, including those that match the example path, e.g.: http://example.com/charts/24_hour_commodity/450/300
<VirtualHost *:8200>
...
SetEnvIfNoCase Request_URI "^/charts/.*" frameallow
Header set X-Frame-Options SAMEORIGIN env=!frameallow
...
</VirtualHost>
Or:
<VirtualHost *:8200>
...
Header always set X-Frame-Options SAMEORIGIN
<LocationMatch "^/charts">
Header always unset X-Frame-Options
</LocationMatch>
...
</VirtualHost>
Or
<VirtualHost *:8200>
...
Header always set X-Frame-Options SAMEORIGIN
<Directory "/full/path/to/charts">
Header always unset X-Frame-Options
</Directory>
...
</VirtualHost>
#tried both with and without the 'always' in all configs
Can anyone help me figure out why the header is set in the first example or not unset in the following two? Any one working solution would be enough...
UPDATE:
After reading about order of processing on the Apache site, I tried using conditional blocks instead. Neither of those work either:
<If "%{REQUEST_URI} =~ m#^/charts#">
Header unset X-Frame-Options
</If>
Or
SetEnvIfNoCase Request_URI "^/charts" frameallow
<If "reqenv('frameallow') == 1">
Header unset X-Frame-Options
</If>
So, still broken. Must be something about the Header statements not firing after a certain point in processing. Or the ones in the conditional somehow firing before the main one and being overridden. I cannot find a way to debug it down to the root cause though.

Response header with expression
Header always set Access-Control-Allow-Origin * "expr=%{REQUEST_URI} =~ m#^/specialPath$#"
This adds the header only when the expression evaluates to true.
See http://httpd.apache.org/docs/current/mod/mod_headers.html, at the bottom of the "Header Directive" section.

Related

Fixing multiple broken headers in Apache 2.4

I'm using Apache 2.4.52 and I have two headers I'd like to fix in my apache config. The problem is only one RequestHeader works at a time.
I can only get 'SOME-TOKEN' RequestHeader working if I comment out or remove SOME-API-KEY from the config.
Note: this problem happens using either method from the code below. Only the SOME-API-KEY header works; in order for the SOME-TOKEN header to work, I have to remove the other RequestHeader.
RequestHeader set SOME-API-KEY "expr=%{req:SOME_API_KEY}"
RequestHeader set SOME-TOKEN "expr=%{req:SOME_TOKEN}"
I've also tried this - from here: https://httpd.apache.org/docs/2.4/env.html#examples
The same problem exists, only the SOME-API-KEY RequestHeader works. Again, if I remove SOME-API-KEY RequestHeader, SOME-TOKEN header will begin working as expected.
SetEnvIf ^SOME.API.KEY$ ^(.*)$ fix_some_api_key=$1
RequestHeader set SOME-API-KEY %{fix_some_api_key}e env=fix_some_api_key
SetEnvIf ^SOME.TOKEN$ ^(.*)$ fix_some_token=$1
RequestHeader set SOME-TOKEN %{fix_some_token}e env=fix_some_token
Additional info: This api is a separate vhost using mod_wsgi, I do have WSGIPassAuthorization ON set. I've tried using one RequestHeader in the main apache config, one in the vhost config and both in the virtualhost config to no avail.

Cache control static assets with query strings in htaccess

Do the cache control directives need to specify if a query string is present in the http request for proper matching?
Currently using query strings for static asset versioning, and disabled ETags for those, but the directives are not taking effect whatsoever. Looking at the headers, ETags are still used and there is no Cache-Control defined. GTmetrix and Lighthouse both state that static assets have no cache control set.
Example file requested: app.js?v=1.3.5
Here is the .htaccess file, followed by the troubleshooting steps
<IfModule mod_headers.c>
# One month for media files and icons
<FilesMatch "\.(ogg|mp3|ico|jpg|jpeg|png|svg|webp|webmanifest|xml)\?.*$">
Header set Cache-Control "max-age=2592000, public"
Header unset ETag
FileETag None
</FilesMatch>
# One week for CSS/JS files except service worker file
<FilesMatch "^(?!sw).+\.(css|json|js)\?.*$">
Header set Cache-Control "max-age=604800, public"
Header unset ETag
FileETag None
</FilesMatch>
# No cache for HTML files (checks with server for changes else serves cache)
<FilesMatch "\.(html)$">
Header set Cache-Control "no-cache, must-revalidate"
</FilesMatch>
<FilesMatch "^(sw\.js)$">
Header set Cache-Control "no-cache, no-store, must-revalidate"
</FilesMatch>
</IfModule>
Troubleshooting steps
Directives don't seem to affect html pages either so assuming this may be a config or syntax issue.
Check syntax with validator: https://www.lyxx.com/freestuff/002.html
Ensure AllowOverride is set to All in /etc/apache2/sites-available/mysite.conf
Try setting AllowOverride to All in /etc/apache2/apache2.conf for /var/www/
Try adding the directives directly in /etc/apache2/sites-available/mysite.conf
Restart apache after changes: service apache2 restart
The mod_headers module was not activated!
Use apachectl -M to check for active modules (Debian/Ubuntu).
If headers module not listed:
Use a2enmod headers to activate the headers module.
Restart apache2 with service apache2 restart to implement changes.
At this point I was able to test whether the query string needs to be added in the FilesMatch expression.
Turns out the query string needs to be omitted from the expression.
Use: \.(js)$
Don't use: \.(js)\?.*$
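The first thread (no X-Frame-Options on /charts/) and this one (Cache-Control and ETag on versioned assets) have the same verification problem: you need to look at what each path actually returns. The checker below is an added example, not code from any of the posts. It parses a captured HTTP response head, drops the query string before matching the path (which is what Apache's <FilesMatch> effectively does, since it only sees the filename), and flags an X-Frame-Options that is missing, sent twice, or present on a frameable path, plus assets whose Cache-Control max-age or ETag disagree with the .htaccess lifetimes above. The /charts/ allowlist, the lifetimes and the sample responses are assumptions made for the example; fetch_headers is there for running the same checks against a live server.

```python
"""Response-header policy checker for the Apache configs discussed in this thread.

Added example (not from the original posts). Checks, from a response head:
  * X-Frame-Options present exactly once (DENY/SAMEORIGIN) except on frameable paths;
  * versioned static assets carry the intended Cache-Control and no ETag.
As with Apache's <FilesMatch>, matching uses the path with the query string removed.
"""
import http.client
import re
from urllib.parse import urlsplit

# Assumed allowlist: URI prefixes whose responses may be framed (the thread's /charts example).
FRAMEABLE_PREFIXES = ("/charts/",)

# Assumed cache policy, taken from the .htaccess lifetimes above: extensions -> max-age seconds.
CACHE_POLICY = {
    ("ogg", "mp3", "ico", "jpg", "jpeg", "png", "svg", "webp", "webmanifest", "xml"): 2592000,
    ("css", "json", "js"): 604800,
}
SW_FILE = "sw.js"  # service worker: must never be cached


def parse_response_head(raw: bytes) -> tuple[int, dict[str, list[str]]]:
    """Parse an HTTP/1.x response head into (status, {lower-cased name: [values]}).

    Repeated headers are kept as a list, so a header emitted twice (once by
    Apache, once by the backend) is visible instead of being masked.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers: dict[str, list[str]] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def check_frame_options(path: str, headers: dict[str, list[str]]) -> list[str]:
    """Absent on frameable paths; exactly one DENY or SAMEORIGIN everywhere else."""
    values = headers.get("x-frame-options", [])
    if path.startswith(FRAMEABLE_PREFIXES):
        return [f"{path}: X-Frame-Options {values} set on a frameable path"] if values else []
    if not values:
        return [f"{path}: X-Frame-Options missing"]
    if len(values) > 1:
        return [f"{path}: X-Frame-Options sent {len(values)} times: {values}"]
    if values[0].upper() not in ("DENY", "SAMEORIGIN"):
        return [f"{path}: unexpected X-Frame-Options value {values[0]!r}"]
    return []


def check_cache_headers(path: str, headers: dict[str, list[str]]) -> list[str]:
    """Static assets get the configured max-age and no ETag; sw.js is never stored."""
    filename = path.rsplit("/", 1)[-1]  # the part <FilesMatch> actually sees
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    cache_control = ", ".join(headers.get("cache-control", []))
    findings: list[str] = []
    if filename == SW_FILE:
        if "no-store" not in cache_control:
            findings.append(f"{path}: service worker must be no-store, got {cache_control!r}")
        return findings
    for exts, max_age in CACHE_POLICY.items():
        if ext in exts:
            m = re.search(r"max-age=(\d+)", cache_control)
            if not m or int(m.group(1)) != max_age:
                findings.append(f"{path}: expected max-age={max_age}, got {cache_control!r}")
            if "etag" in headers:
                findings.append(f"{path}: ETag still sent alongside Cache-Control")
    return findings


def evaluate(url: str, headers: dict[str, list[str]]) -> list[str]:
    """Run all checks on one response; the query string is dropped before matching."""
    path = urlsplit(url).path
    return check_frame_options(path, headers) + check_cache_headers(path, headers)


def fetch_headers(url: str, timeout: float = 5.0) -> dict[str, list[str]]:
    """Live variant: HEAD the URL and return its headers in the shape evaluate() expects."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    conn.request("HEAD", parts.path + (f"?{parts.query}" if parts.query else ""))
    headers: dict[str, list[str]] = {}
    for name, value in conn.getresponse().getheaders():
        headers.setdefault(name.lower(), []).append(value)
    conn.close()
    return headers


# Constructed sample responses for offline use (not captured from any real server).
SAMPLE_RESPONSES = {
    "http://example.com/":
        b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n\r\n",
    "http://example.com/charts/24_hour_commodity/450/300":
        b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n\r\n",
    "http://example.com/app.js?v=1.3.5":
        b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nETag: \"abc\"\r\nContent-Type: text/javascript\r\n\r\n",
    "http://example.com/logo.png?v=2":
        b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nCache-Control: max-age=2592000, public\r\n\r\n",
}


def run_samples() -> dict[str, list[str]]:
    """Evaluate the constructed samples; returns url -> findings (empty list means policy met)."""
    return {url: evaluate(url, parse_response_head(raw)[1]) for url, raw in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for sample_url, sample_findings in run_samples().items():
        print(sample_url, "OK" if not sample_findings else "; ".join(sample_findings))
```

Against a running server, replace the sample loop with `evaluate(url, fetch_headers(url))` for each path you care about; a path that reports X-Frame-Options "sent 2 times" is the quickest way to tell that both Apache and the backend are setting the header, which a plain `Header unset` on the onsuccess table will not remove.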

Conditionally set X-Frame-Option

I am trying to set X-Frame-Options using IBM HTTP Server (IHS) 8.5.5.12 that is based on apache HTTP Server 2.2.32.
I have tried with SetEnvIf but I don't have any idea how to compare an environment variable in the httpd.conf file.
I have tried the same in IHS 9 with an If condition and it works, but I don't have any idea how to implement the same in IHS 8.5.5.12:
<IfModule mod_headers.c>
<If "%{HTTP:X-Requested-From} == 'mobileapp'">
Header unset X-Frame-Options
</If>
<Else>
Header set X-Frame-Options SAMEORIGIN
</Else>
</IfModule>
Above code works fine in IHS 9, Can some one help here?
Regards
Mohammad Ashfaq
The trick here is that the Header directive can be conditional in Apache 2.2 but only on an environment variable. But SetEnvIf runs first and can set an environment variable based on a request header:
SetEnvIf X-Requested-From mobileapp is_mobile=1
Header set X-Frame-Options SAMEORIGIN
Header unset X-Frame-Options env=is_mobile
$ wget -qS http://localhost 2>&1 | grep X-F
  X-Frame-Options: SAMEORIGIN
$ wget -qS --header="X-Requested-From: mobileapp" http://localhost 2>&1 | grep X-F
$

X-Frame-Options and frames

I did set X-Frame-Options DENY in the Apache configuration file.
Header always append X-Frame-Options DENY
I can see that the server response contains X-Frame-Options DENY in the headers, but the iframe on the page is still visible.
What am I doing wrong?
The best way I've found is to set it under your virtual host and, if you're using Drupal, make sure your "settings.php" has the following added to it:
$conf['x_frame_options'] = '';
Apache - virtual host set the following at the top of your definition (see below):
<VirtualHost *:80>
DocumentRoot "/var/www/your_site_dir"
# Anchor the match on the Referer host, so a URL such as https://evil.example/x.yourdomain.com.au does not qualify
SetEnvIf Referer "^https?://([^/]+\.)?yourdomain\.(com|net)\.au(/|:|$)" NO_X_FRAME_OPTIONS=1
Header always unset X-Frame-Options env=NO_X_FRAME_OPTIONS
Header set X-Frame-Options "SAMEORIGIN" env=!NO_X_FRAME_OPTIONS
# Rest of config below...
</VirtualHost>
Hope this helps! PS - this will also work with all unsupported browsers.
This option isn't supported by every browser:
IE8+
Opera 10.50+
Safari 4+
Chrome 4.1.249.1042+ (Allow-From not yet supported)
Firefox 3.6.9 (or earlier with NoScript)
Source: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

Add X-Frame-Options for all urls on a web-site except a list of enabled

We want to add X-Frame-Options to all Http responses except some of them (as some pages are supposed to be shown in iframes, and outside of the website). How can this be done?
Solved by adding
Header set X-Frame-Options DENY
....
<LocationMatch "....">
Header unset X-Frame-Options
</LocationMatch>