Apache ModSecurity Core Rule Set issue

In my application I have implemented ModSecurity, and as it is generic for a few URLs I have blocked a few rules for a particular location (URL). But I am getting an OWASP error with the URL below and am not able to find a way to block rules for this URL.
So please help me block the rule for the issue below. The error log is given below. Thanks in advance.
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 499
Host: accountingdev.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.4.1 (Java/1.8.0_72)
Cookie: FA512c3d57865ef2662e9b1421f5c4d8ad=3pr1b0illdbem2kq9f99kfrpn2
Accept-Encoding: gzip,deflate
--a42de647-C--
logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-24-AHmvxyBBAudEaobzuTMpXrdPtmmVhiUU1ed%22+Version%3D%222.0%22+IssueInstant%3D%222016-10-14T17%3A20%3A00Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-47-zdTNWjTqaSAbtxbpBPca-abc.com%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E
--a42de647-F--
HTTP/1.1 302 Found
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store
Pragma: no-cache
Location: https://portal.com/caa/login?service=https%3A%2F%2Faccountingdev..com%2F
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
csrf-token: D=20647 t=1476445738526589
Content-Length: 493
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

You could write a rule like this:
SecRule REQUEST_METHOD "^POST$" "phase:1,id:1234,pass,log,chain"
SecRule REQUEST_URI "^/$" "ctl:ruleEngine=Off"
This should turn ModSecurity off for any POST requests made to the home page (untested). This is of course quite broad and may remove protection from other POST requests made to the home page that you want to check.
Alternatively you could do this to only search for this specific request:
SecRule REQUEST_METHOD "^POST$" "phase:2,id:1234,pass,log,chain"
SecRule REQUEST_URI "^/$" "chain"
SecRule ARGS_POST:logoutRequest "LogoutRequest" "ctl:ruleEngine=Off"
However this would need to be a phase 2 rule to look at the POST arguments, which are in the body and so not available in phase 1. This may mean that phase 1 rules fire before it even gets to this rule.
A much better idea is to tune the rules that are firing, but that involves telling us which rules they are, which you seem hesitant to do. So I can't help you much with that until you do.

Related

403 forbidden while trying to open a webpage on a website from another website

I have hosted a static webpage on Gitlab pages. The URL of the webpage is myname.gitlab.io
I have another website hosted with hostgator which has the URL "mysecondwebsite.com". "mysecondwebsite.com" has thousands of static html pages hosted on the various paths like "mysecondwebsite.com/charts/folder1/1.html", "mysecondwebsite.com/charts/folder1/2.html", "mysecondwebsite.com/charts/folder1/3.html" & so on.
I don't want "mysecondwebsite.com" to be accessible directly, nor the pages in it. Hence, I've enabled hotlink protection, which works as expected. Now, I also want to allow access to "mysecondwebsite.com" ONLY FROM myname.gitlab.io. This website has a list of hyperlinks which, when clicked, should open an appropriate page in "mysecondwebsite.com". To achieve this, I've entered the following in the .htaccess file on hostgator, which isn't helping. I see 403 forbidden.
# IP to allow
order allow,deny
deny from all
allow from gitlab.io
Current hotlink protection settings -
# DO NOT REMOVE THIS LINE AND THE LINES BELOW HOTLINKID:r2xGl7fjrh
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mysecondwebsite.com/.*$ [NC]
RewriteRule .*\.(.*|jpg|jpeg|gif|png|bmp|tiff|avi|mpeg|mpg|wma|mov|zip|rar|exe|mp3|pdf|swf|psd|txt|html|htm|php)$ https://mysecondwebsite.com [R,NC]
# DO NOT REMOVE THIS LINE AND THE LINES ABOVE r2xGl7fjrh:HOTLINKID
I am in no way an expert with web hosting. Could I please get some help to get this working.
UPDATED htaccess
Options All -Indexes
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://((myfirstwebsite\.com)|((www\.)?mysecondwebsite\.com))/ [NC]
RewriteRule .* - [F]
HTTP LIVE HEADER DUMP
https://mysecondwebsite.com/charts/thisfolder/thisfile.html
Host: mysecondwebsite.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Alt-Used: mysecondwebsite.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
GET: HTTP/2.0 403 Forbidden
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 699
date: Wed, 06 Apr 2022 07:13:17 GMT
server: LiteSpeed
content-security-policy: upgrade-insecure-requests
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
X-Firefox-Spdy: h2
---------------------
https://mysecondwebsite.com/favicon.ico
Host: mysecondwebsite.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Alt-Used: mysecondwebsite.com
Connection: keep-alive
Referer: https://mysecondwebsite.com/charts/thisfolder/thisfile.html
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
GET: HTTP/3.0 404 Not Found
content-type: text/html
last-modified: Mon, 28 Mar 2022 13:48:20 GMT
etag: "999-6241bca4-dfd29bee5117e228;br"
accept-ranges: bytes
content-encoding: br
vary: Accept-Encoding
content-length: 911
date: Mon, 04 Apr 2022 10:11:14 GMT
server: LiteSpeed
content-security-policy: upgrade-insecure-requests
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
X-Firefox-Http3: h3
---------------------
allow from gitlab.io doesn't work on the HTTP Referer header like you seem to be expecting. Rather, it works based on the IP address of the user making the request.
Instead you want to use something that checks the Referer and denies access when it doesn't contain myname.gitlab.io or your own website's host name. You can do that with mod_rewrite by placing the following in your .htaccess file:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://((myname\.gitlab\.io)|((www\.)?mysecondwebsite\.com))/ [NC]
RewriteRule .* - [F]
This would allow referrers from your gitlab site, and would then allow those pages to fetch further resources such as images, js, and css. In this rule:
RewriteEngine on - turns on rewrites; this needs to be specified once in your .htaccess and is shared between all the rewrite rules and conditions
RewriteCond - specifies a condition for the next rewrite rule
! says that the following regular expression should be negated (not matched)
^ is the beginning of the regular expression
NC is "no case", meaning that this rule is case-insensitive and will work for both upper-case and lower-case input
RewriteRule is the actual rule
.* says that it matches all URLs (in this case the condition specified above it is what matters)
- means that there is no destination URL
F says that it should return the "forbidden" status as opposed to redirecting or internally changing the URL.
The problem with this approach is that it will forbid some requests that actually are referred from gitlab. Not all browsers send a Referer header in all circumstances.
Could you please share what the exception rule script is that you're thinking of?
This is just an alternative to #StephenOstermiller's excellent answer...
You could instead keep your existing "hotlink protection" script unaltered, as generated by your control panel GUI (and make any changes through the GUI as required). But include an additional rule before your hotlink protection to make an exception for any domains you need to give access to.
# Abort early if request is coming from an "allowed" domain
RewriteCond %{HTTP_REFERER} ^https://myname\.gitlab\.io($|/)
RewriteRule ^ - [L]
# Normal hotlink-protection follows...
This prevents the hotlink protection from being processed when the request is coming from the allowed domain. So access is permitted.
This does assume you have no other directives that should be processed, following this rule.
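As an added example (not code from either answer above), the following Python models the two mod_rewrite approaches so you can see exactly which Referer values each one lets through. The regexes are copied from the answers; the host names myname.gitlab.io and mysecondwebsite.com are the placeholders from the question, and the sample Referer values are constructed. Note the two caveats it surfaces: a missing Referer is forbidden by the deny rule, and the accepted answer's pattern requires a "/" after the host, whereas the exception rule's ($|/) also accepts a bare origin.

```python
import re
from typing import Optional

# Constructed Python equivalent of the RewriteCond in the accepted answer:
#   RewriteCond %{HTTP_REFERER} !^http(s)?://((myname\.gitlab\.io)|((www\.)?mysecondwebsite\.com))/ [NC]
# [NC] becomes re.IGNORECASE; the leading "!" (negation) is applied in deny_rule_forbids().
ALLOWED_REFERER = re.compile(
    r"^http(s)?://((myname\.gitlab\.io)|((www\.)?mysecondwebsite\.com))/",
    re.IGNORECASE,
)

# Constructed equivalent of the early-exit exception from the alternative answer:
#   RewriteCond %{HTTP_REFERER} ^https://myname\.gitlab\.io($|/)
# No [NC] flag there, so it is case-sensitive; ($|/) also accepts a bare origin.
EXCEPTION_REFERER = re.compile(r"^https://myname\.gitlab\.io($|/)")


def deny_rule_forbids(referer: Optional[str]) -> bool:
    """Emulate the accepted answer's RewriteCond (negated, [NC]) + RewriteRule .* - [F].

    Apache expands %{HTTP_REFERER} to an empty string when the header is absent,
    so a request with no Referer fails the allow pattern and gets a 403 (the
    caveat at the end of the accepted answer). Returns True when forbidden.
    """
    return ALLOWED_REFERER.match(referer or "") is None


def exception_rule_short_circuits(referer: Optional[str]) -> bool:
    """Emulate the alternative answer's RewriteCond + RewriteRule ^ - [L].

    True means mod_rewrite stops processing the .htaccess ([L]) before the
    hotlink-protection rules run, so the request is served unchanged.
    """
    return EXCEPTION_REFERER.match(referer or "") is not None


def outcome(referer: Optional[str]) -> str:
    """Combined verdict for the layout in the alternative answer: exception rule
    first, then a referer-based deny rule standing in for the generated
    hotlink-protection block."""
    if exception_rule_short_circuits(referer):
        return "served (exception rule matched, [L] stopped processing)"
    return "403 Forbidden" if deny_rule_forbids(referer) else "served (allowed referer)"


# Constructed Referer values, including a look-alike host that the trailing "/"
# in both patterns is there to reject, and a request with no Referer at all.
SAMPLE_REFERERS = [
    "https://myname.gitlab.io/",
    "https://myname.gitlab.io",
    "https://MYNAME.gitlab.io/charts.html",
    "https://www.mysecondwebsite.com/charts/folder1/1.html",
    "https://myname.gitlab.io.example.net/",
    None,
]

if __name__ == "__main__":
    for ref in SAMPLE_REFERERS:
        print(f"{str(ref):55} -> {outcome(ref)}")
```

The look-alike host is rejected by both patterns only because each requires "/" or end-of-string right after the host; a pattern ending at `gitlab\.io` without that anchor would match it.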

Nextcloud : Bad Headers detection

I'm currently encountering a problem with Nextcloud 14 (clean install):
There are some warnings regarding your setup.
Use of the built in php mailer is no longer supported. Please update your email server settings ↗.
The "X-XSS-Protection" HTTP header is not set to "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.
The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin" or "strict-origin-when-cross-origin". This can leak referer information. See the W3C Recommendation ↗.
As you can see above, Nextcloud explicitly says that I don't have these headers correctly configured.
But in my httpd.conf (I use Arch BTW <3):
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set Referrer-Policy "same-origin"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
I don't understand why it's not working. I even tried to see which headers are sent, and these headers are sent:
Request URL: https://cloud.schmitt-etienne.fr/index.php/settings/admin/overview
Request Method: GET
Status Code: 200
Remote Address: [2a01:e34:eeab:eb60:ffff:ffff:ffff:ffff]:443
Referrer Policy: no-referrer
cache-control: no-cache, no-store, must-revalidate
content-length: 27725
content-security-policy: upgrade-insecure-requests
content-type: text/html; charset=UTF-8
date: Wed, 12 Sep 2018 18:22:45 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
referrer-policy: same-origin
server: Apache
status: 200
strict-transport-security: max-age=15768000; includeSubDomains; preload
x-content-type-options: nosniff
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-powered-by: PHP/7.2.10
x-robots-tag: none
x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
:authority: cloud.schmitt-etienne.fr
:method: GET
:path: /index.php/settings/admin/overview
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
accept-encoding: gzip, deflate, br
accept-language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
cache-control: max-age=0
cookie:
upgrade-insecure-requests: 1
You could go and see my website yourself if you want:
If I missed anything, I'm happy to hear any comment!
Have a nice day :)
I just found that Nextcloud comes with a .htaccess that sets its own headers, so the headers were sent twice, and that was the cause :)
Never stop trying and learning!
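As an added example (not from the question), the following Python parses a raw response-header dump like the one pasted above and reports exactly what the asker eventually found by eye: header names emitted twice. It also checks each header Nextcloud's admin overview complained about against the accepted values quoted in the warning text; that accepted list is taken from the quoted warnings, not from Nextcloud's source, so treat the "same-origin" finding as an assumption based on what the warning says. The sample header block is a trimmed, constructed copy of the dump in the question.

```python
from collections import defaultdict
from typing import Dict, List

# Accepted values taken from the three Nextcloud warnings quoted in the question
# (assumption: the real check may accept more than the warning text lists).
NEXTCLOUD_EXPECTED = {
    "x-xss-protection": {"1; mode=block"},
    "x-content-type-options": {"nosniff"},
    "referrer-policy": {
        "no-referrer",
        "no-referrer-when-downgrade",
        "strict-origin",
        "strict-origin-when-cross-origin",
    },
}

# Constructed sample: a trimmed copy of the browser's response-header dump from
# the question, keeping the repeated lines that turned out to be the cause.
SAMPLE_RESPONSE_HEADERS = """\
content-security-policy: upgrade-insecure-requests
referrer-policy: same-origin
server: Apache
strict-transport-security: max-age=15768000; includeSubDomains; preload
x-content-type-options: nosniff
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
"""


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse 'Name: value' lines into {lowercased name: [every value seen]}.

    Header names are case-insensitive, so 'X-content-Type-Options' (as written in
    the httpd.conf above) and 'x-content-type-options' share one bucket; every
    occurrence is kept so duplicates stay visible. HTTP/2 pseudo-headers such as
    ':path' and blank lines are skipped.
    """
    headers: Dict[str, List[str]] = defaultdict(list)
    for line in raw.splitlines():
        if not line.strip() or line.startswith(":"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def duplicated_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Header names emitted more than once, e.g. once by httpd.conf and once by
    the .htaccess that ships with Nextcloud."""
    return sorted(name for name, values in headers.items() if len(values) > 1)


def nextcloud_findings(headers: Dict[str, List[str]]) -> List[str]:
    """For each header the admin overview checks, report what a reviewer would
    flag: missing, set more than once, or a value outside the accepted list."""
    findings = []
    for name, accepted in NEXTCLOUD_EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
        elif len(values) > 1:
            findings.append(f"{name}: set {len(values)} times ({', '.join(values)})")
        elif values[0].lower() not in accepted:
            findings.append(f"{name}: {values[0]!r} is not one of the accepted values")
    return findings


if __name__ == "__main__":
    parsed = parse_headers(SAMPLE_RESPONSE_HEADERS)
    print("duplicated:", duplicated_headers(parsed))
    for finding in nextcloud_findings(parsed):
        print("finding:", finding)
```

Run it against a dump captured from your own server (curl -sI, or the browser's network panel) to confirm that each security header appears exactly once after you remove the copies from httpd.conf.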

how to set rules in mod_security module in Apache

Can someone please help me with setting rules such that I get only the data which is being posted using POST? I have a form where I am submitting a name and email id. I want just that part to be saved in the log file. In my scenario I just want the data below in my log file:-
--29000000-C--
name1=ssn&email1=ssn%40gmail.com
--29000000-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/7.2.4
Content-Length: 16
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
My present mod_security looks like:-
<IfModule security2_module>
#Enable the module.
SecRuleEngine On
SecAuditEngine on
#Setup logging in a dedicated file.
SecAuditLog C:/wamp64/bin/apache/apache2.4.33/logs/website-audit.log
#Allow it to access requests body.
SecRequestBodyAccess on
SecAuditLogParts ABIFHZ
#Setup default action.
SecDefaultAction "nolog,noauditlog,allow,phase:2"
#Define the rule that will log the content of POST requests.
SecRule REQUEST_METHOD "^POST$" "chain,allow,phase:2,id:123"
SecRule REQUEST_URI ".*" "auditlog"
</IfModule>
I found a solution to my question. We can set below field as per our requirement:-
SecAuditLogParts ABIFHZ
In my case i set the field as:-
SecAuditLogParts C
however it will display as:-
--84670000-A--
[29/Aug/2018:14:49:58 +0200] W4aWdqHJuCcOQzTIgCiEqAAAAD8 127.0.0.1 60735 127.0.0.1 80
--84670000-C--
name1=red&email1=red%40yahoo.com
--84670000-Z--
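The audit log fragments in this question and in the first question above both use ModSecurity's native (serial) audit log layout: each entry is a sequence of parts delimited by `--<id>-<letter>--` lines, and SecAuditLogParts decides which letters appear. As an added example (not from either thread), the following Python splits such a log into entries, decodes the POST body from part C, and pulls the matched rule ids out of part H, which is the information the first thread's answerer asks for before writing a targeted exclusion. The sample entry is constructed in the shape of the fragments above, and the rule id in its H part is a placeholder, not a real CRS id.

```python
import re
from typing import Any, Dict, List
from urllib.parse import parse_qs

# Boundary line of ModSecurity's native audit log format: --<8 hex chars>-<part letter>--
BOUNDARY = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$")

# Constructed audit log entry shaped like the fragments quoted in the questions
# above (parts A, B, C, F, H, Z). The rule id in part H is a placeholder.
SAMPLE_AUDIT_LOG = """\
--29000000-A--
[29/Aug/2018:14:49:58 +0200] W4aWdqHJuCcOQzTIgCiEqAAAAD8 127.0.0.1 60735 127.0.0.1 80
--29000000-B--
POST /signup.php HTTP/1.1
Host: example.test
Content-Type: application/x-www-form-urlencoded
Content-Length: 32

--29000000-C--
name1=ssn&email1=ssn%40gmail.com
--29000000-F--
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8

--29000000-H--
Message: Warning. Pattern match "placeholder" at ARGS:name1. [id "PLACEHOLDER-RULE-ID"] [msg "placeholder message"]
Apache-Handler: php-script
--29000000-Z--

"""


def parse_audit_log(text: str) -> List[Dict[str, Any]]:
    """Split a native-format audit log into entries: {"id": ..., "parts": {letter: body}}.

    Part A opens an entry and part Z closes it; every part in between is stored
    verbatim under its letter, so a log written with SecAuditLogParts C (the
    asker's final setting) simply yields entries with fewer keys.
    """
    entries: List[Dict[str, Any]] = []
    current: Dict[str, Any] = {}
    part = None
    buf: List[str] = []
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if not m:
            if part is not None:
                buf.append(line)
            continue
        entry_id, letter = m.groups()
        if part is not None and current:
            current["parts"][part] = "\n".join(buf).rstrip("\n")
        if letter == "A":
            current = {"id": entry_id, "parts": {}}
            entries.append(current)
        part = None if letter == "Z" else letter
        buf = []
    return entries


def post_fields(entry: Dict[str, Any]) -> Dict[str, List[str]]:
    """Decode the request body (part C) as form fields, e.g. {'email1': ['ssn@gmail.com']}."""
    return parse_qs(entry["parts"].get("C", ""), keep_blank_values=True)


def matched_rule_ids(entry: Dict[str, Any]) -> List[str]:
    """Rule ids from the 'Message:' lines of part H: the ids you need before you
    can write a targeted exclusion instead of switching the engine off."""
    return re.findall(r'\[id "([^"]+)"\]', entry["parts"].get("H", ""))


def response_status(entry: Dict[str, Any]) -> str:
    """Status line from part F (empty string if F was not logged)."""
    lines = entry["parts"].get("F", "").splitlines()
    return lines[0] if lines else ""


if __name__ == "__main__":
    for e in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(e["id"], response_status(e), post_fields(e), matched_rule_ids(e))
```

Point it at the file named by SecAuditLog; with the asker's setting of SecAuditLogParts C the only populated key is "C", while the default ABIFHZ selection also gives you the request headers (B), the response headers (F) and the matched rules (H).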

How do I know which access-control-allow-headers to allow for CORS?

Given these request headers:
Host: api.example.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Origin: https://web.example.org
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
And these response headers:
Connection: keep-alive
Content-Length: 0
Content-Type: text/plain; charset=utf-8
Date: Tue, 13 Oct 2015 10:57:34 GMT
Server: nginx/1.8.0
access-control-allow-headers: Authorization, Content-Type
access-control-allow-methods: PUT, DELETE, PATCH
access-control-allow-origin: *
This works even though only the Authorization and Content-Type headers are explicitly allowed. Why didn't I have to allow other headers that my browser sends? (like DNT for example)
Update: this MDN page contains an overview of simple headers (default CORS-safelisted request headers):
A simple header (or CORS-safelisted request header) is one of the
following HTTP headers:
Accept
Accept-Language
Content-Language
Content-Type with a MIME type of its parsed value (ignoring parameters) of either application/x-www-form-urlencoded, multipart/form-data, or text/plain.
Or one of these client hint headers:
DPR
Downlink
Save-Data
Viewport-Width
Width
Without seeing your code to generate the headers, or on which system you are serving from, i.e. nginx or apache, the best I can do is refer you to http://client.cors-api.appspot.com/client which will allow you to test your CORS requests. Also, you should look at http://enable-cors.org/server.html for your specific setup. For instance on nginx, you could have something like this
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
There is a set of normal headers, and then the set of headers that you have to explicitly call out. see http://www.html5rocks.com/en/tutorials/cors/#toc-adding-cors-support-to-the-server about setting it up on a server.
The Access-Control-Allow-Headers header is attached by the backend; you cannot control that header on the client side. Access-Control-Allow-Headers should be returned in the response object.
So to include other headers in the Access-Control-Allow-Headers header of the response object, you have to configure your web server or update the backend application which serves requests to attach the desired value of Access-Control-Allow-Headers to each request.
To allow any headers in your client requests, the server should add the Access-Control-Allow-Origin: * header to each response.
There are a lot of articles and info on how you can set up CORS to work the way you want. For example, this one: Enabling CORS
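As an added example (not from the question or answers), the following Python models the checks behind the question, using the MDN safelist quoted above. It answers the DNT question directly: the browser only puts into Access-Control-Request-Headers the headers the page's script set itself; headers the browser adds on its own, such as User-Agent, Accept-Encoding, Connection and DNT, are forbidden header names that a script cannot set, so they never reach the preflight check and never need to be in Access-Control-Allow-Headers. The header values below are constructed; `preflight_allows` also applies the wildcard rule ("*" matches anything except Authorization, and only for requests without credentials), which goes beyond the specific exchange in the question.

```python
from typing import List, Sequence, Tuple

# CORS-safelisted request headers, as listed in the MDN excerpt quoted above.
SAFELISTED_NAMES = {"accept", "accept-language", "content-language"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
CLIENT_HINTS = {"dpr", "downlink", "save-data", "viewport-width", "width"}


def is_cors_safelisted(name: str, value: str = "") -> bool:
    """True if a script may send this header cross-origin without the server
    naming it in Access-Control-Allow-Headers. Browser-generated headers (DNT,
    User-Agent, ...) never get here: scripts cannot set them, so the browser
    never lists them in Access-Control-Request-Headers."""
    n = name.strip().lower()
    if n in SAFELISTED_NAMES or n in CLIENT_HINTS:
        return True
    if n == "content-type":
        mime = value.split(";", 1)[0].strip().lower()  # ignore parameters such as charset
        return mime in SAFELISTED_CONTENT_TYPES
    return False


def headers_needing_permission(script_headers: Sequence[Tuple[str, str]]) -> List[str]:
    """Given the (name, value) headers a script sets on a cross-origin request,
    return the names the server must list in Access-Control-Allow-Headers."""
    return sorted({n.lower() for n, v in script_headers if not is_cors_safelisted(n, v)})


def preflight_allows(request_headers: str, allow_headers: str,
                     credentialed: bool = False) -> Tuple[bool, List[str]]:
    """Check an Access-Control-Request-Headers value against the server's
    Access-Control-Allow-Headers value. "*" is a wildcard only for requests
    without credentials, and it never covers Authorization.
    Returns (ok, names that are still missing)."""
    requested = [h.strip().lower() for h in request_headers.split(",") if h.strip()]
    allowed = {h.strip().lower() for h in allow_headers.split(",") if h.strip()}
    wildcard = "*" in allowed and not credentialed
    missing = [
        h for h in requested
        if h not in allowed
        and not is_cors_safelisted(h)
        and not (wildcard and h != "authorization")
    ]
    return (not missing, missing)


if __name__ == "__main__":
    # The exchange from the question: the script set Authorization, the server
    # allows "Authorization, Content-Type".
    print(preflight_allows("authorization", "Authorization, Content-Type"))
    # A JSON body is not a safelisted Content-Type, so it needs permission too.
    print(headers_needing_permission([("Accept", "text/html"),
                                      ("Content-Type", "application/json"),
                                      ("Authorization", "Bearer <placeholder>")]))
```

Use `headers_needing_permission` on the client side to find out what your fetch/XHR code actually needs the server to allow, and `preflight_allows` on the server side to confirm a given Access-Control-Allow-Headers value covers it before deploying the nginx or Apache config.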

Apache: Get rid of Keep-Alive entry in the headers list

I'm using LAMP (Linux, Apache, MySQL, PHP) server.
Currently the server sends the response with the following headers list. I want to eliminate the Keep-Alive entry for security reasons, to have a headers list without it. Is it possible to prevent sending the Keep-Alive entry in the headers list?
Current Response Headers:
Cache-Control: private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Connection: Keep-Alive
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Thu, 13 Mar 2014 01:43:49 GMT
Expires: Thu, 13 Mar 2014 01:43:49 GMT
Keep-Alive: timeout=5, max=200
Last-Modified: Thu, 13 Mar 2014 01:43:49 GMT
Pragma: no-cache
Server: Apache
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-DNS-Prefetch-Control: off
X-Frame-Options: sameorigin
Response Headers I Would Like Instead:
Cache-Control: private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Connection: Keep-Alive
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Thu, 13 Mar 2014 01:43:49 GMT
Expires: Thu, 13 Mar 2014 01:43:49 GMT
Last-Modified: Thu, 13 Mar 2014 01:43:49 GMT
Pragma: no-cache
Server: Apache
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-DNS-Prefetch-Control: off
X-Frame-Options: sameorigin
Is it possible to prevent sending the Keep-Alive entry in the Headers list?
To my knowledge, no. The whole purpose of the Keep-Alive header is to communicate the need for a persistent connection to the client. So getting rid of the headers gets rid of the main form of communication between the client & the server.
That said, you might be able to get it unset by using unset in your Apache config or .htaccess as explained here. I emphasize might since I have had header directives not behave as expected in some versions of Apache. But assuming good faith, first be sure the headers module is enabled. In Ubuntu 12.04 you would do this:
sudo a2enmod headers
And then add this to your Apache config or .htaccess:
<IfModule mod_headers.c>
Header unset Keep-Alive
</IfModule>
Now restart Apache:
sudo service apache2 restart
More details on the header directive are here.
There are a few ways to do this in Apache:
Server-wide using the KeepAlive directive (KeepAlive). However you cannot have this in per-directory configuration files, so setting KeepAlive Off will turn off keep-alive for the entire server.
Using SetEnv or SetEnvIf with mod_env, and setting the nokeepalive environment variable. This will turn off keep-alive for the location where the variable is set, or for the rule that is matched by SetEnvIf (depending on which you use), e.g.
This can be in .htaccess:
SetEnv nokeepalive 1
Using mod_rewrite to again set the environment variable for a specific rule, e.g.
RewriteRule some-file.html - [E=nokeepalive:1]
Using PHP (or any other server-side language) and sending the header Connection: close. This will cause Apache to omit the Keep-Alive header, since the connection is no longer keep-alive, e.g.
header('Connection: close');
Use mod_headers to set the connection header to close again, e.g.
Header set Connection "close"
I personally have not tested the last one, but it should work.
KeepAlive behavior (availability and timeouts) is directly configurable:
http://httpd.apache.org/docs/2.4/mod/core.html#keepalive
Changing this is primarily an aspect of performance rather than security, but you're free to test the implications in your own environment.