Set and check STS Header is present - apache

I have (hopefully) set apache to issue an STS header for all HTTPS traffic as described in How to set HSTS header from .htaccess only on HTTPS
I was hoping to be able to verify that this was working by looking at the response header in Chrome dev tools, but there doesn't seem to be anything in there related to it.
Is there a way to check that this is functioning correctly? Any help much appreciated.

You can check this is working correctly by looking for the strict-transport-security header in the response headers (in the dev tools where you have taken your screenshot).
If you try the same request you've made with the dev tools with https://accounts.google.com/, for example, you should see an entry like this:
strict-transport-security:max-age=10893354; includeSubDomains
You were already on the right track, but there's probably something wrong with the way you've configured your server.
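As an added example (not part of the answer above), the check described there can be done outside the browser: capture the response headers, for instance with `curl -sI https://your-host/`, and look for a usable Strict-Transport-Security header. The script below parses a raw response, finds the header case-insensitively, and validates its directives as defined in RFC 6797 (a `max-age` value is required; `max-age=0` clears the policy; `includeSubDomains` and `preload` are optional flags). The three responses it runs on are constructed samples, not captures from any real server; the header value in the first one is the one quoted in the answer.

```python
"""Check whether an HTTP response carries a usable Strict-Transport-Security header."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (not captured from a real server).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Strict-Transport-Security: max-age=10893354; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
MISSING_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
ZERO_AGE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=0\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the header block of a raw response into (lower-cased name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse STS directives: max-age=N [; includeSubDomains] [; preload]."""
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                raise ValueError(f"max-age must be a non-negative integer, got {val!r}")
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def check_hsts(raw: str, min_age: int = 31536000) -> Tuple[bool, str]:
    """Return (hsts_active, explanation). min_age defaults to one year (a common deployment target)."""
    values = [v for n, v in parse_headers(raw) if n == "strict-transport-security"]
    if not values:
        return False, "no Strict-Transport-Security header: HSTS is not active"
    # RFC 6797 says a UA processes only the first STS header field if several are present.
    policy = parse_hsts(values[0])
    max_age: Optional[int] = policy["max_age"]  # type: ignore[assignment]
    if max_age is None:
        return False, "max-age directive missing: header is invalid and will be ignored"
    if max_age == 0:
        return False, "max-age=0 clears any stored policy: HSTS is disabled"
    if max_age < min_age:
        return True, f"HSTS active, but max-age={max_age} is below {min_age}"
    return True, f"HSTS active with max-age={max_age}"


if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("missing", MISSING_RESPONSE), ("zero", ZERO_AGE_RESPONSE)):
        print(label, check_hsts(resp))
```

Two things worth remembering when the header is absent from the capture: browsers ignore an STS header received over plain http://, so test an https:// URL, and mod_headers' `Header set` applies by default only to successful (2xx) responses, so a redirect from the HTTP vhost will not carry it unless `Header always set` is used.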

Related

How can I set up HTTP Alternative Service in Apache?

I run a website on the clearnet using Apache and want the connection to be made via the .onion address when a user uses the clearnet URL in a Tor browser.
I know Facebook uses a standard called HTTP Alternative Service, but I don't know how I should implement it myself in Apache.
I found a solution, however I can't verify if it actually works as intended.
One can add the header in the .htaccess file by adding
Header add Alt-Svc 'h2="example.onion:80"'
to the file.
This does in fact add the Alt-Svc header to the responses, however the standard specifies the URL shown to the user in the browser should remain unchanged, despite the connection actually happening on Alt-Svc.
Thus I have so far been unable to verify whether the Tor Browser actually connects on the .onion as intended.

How to debug why cookie is not being set with setcookie on one server but works on other?

I have included a form which takes user's input and sets a cookie with setcookie php function while processing the form.
This works in one server, but doesn't work on other.
The server in which the cookies aren't working shows some blank httponly cookies in the client's browser.
I don't know how to troubleshoot this. I can see form values are successfully being submitted in POST, but I don't know what's happening when it runs setcookie.
And yes, I am setting the cookie before the HTML and in the headers.
My php is custom installation and is of 5.4.45 and httpd version is 2.2.
This was set in my httpd.conf file causing cookie to not work:
Header set Set-Cookie HttpOnly;Secure
I don't know the consequences of disabling it. But I have disabled it anyway temporarily, until I know what they are for.
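As an added example (not part of the answer above), the symptom in this thread can be reproduced and detected offline. `Header set Set-Cookie HttpOnly;Secure` replaces whatever Set-Cookie header PHP emitted with the literal value `HttpOnly;Secure`, which has no `name=value` pair at all, so the browser stores a nameless cookie. The usual mod_headers idiom for appending flags instead of replacing the cookie is `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure`. The script below audits the Set-Cookie headers in a raw response for exactly these problems: a missing cookie name, and cookies without the Secure or HttpOnly attribute. Both responses it runs on are constructed samples, not captures from either of the poster's servers.

```python
"""Audit Set-Cookie headers in an HTTP response for a replaced (nameless) cookie and missing flags."""
from typing import Dict, List

# Constructed sample: what a client receives when mod_headers 'Header set Set-Cookie HttpOnly;Secure'
# has REPLACED the cookie that PHP's setcookie() emitted.
BROKEN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: HttpOnly;Secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
# Constructed sample: the cookie from setcookie() survives and the flags were appended
# (the shape 'Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure' produces). A second
# cookie without flags is included to show the per-cookie findings.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: user=alice; Path=/; HttpOnly; Secure\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def set_cookie_headers(raw: str) -> List[str]:
    """Return the values of every Set-Cookie header in the response, in order."""
    head = raw.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def audit_cookie(value: str) -> Dict[str, object]:
    """Parse one Set-Cookie value and list the problems a defender would want flagged."""
    pair, *attrs = [part.strip() for part in value.split(";")]
    name, eq, cookie_value = pair.partition("=")
    if not eq:
        # RFC 6265 requires name=value; a bare token means the whole value was overwritten.
        name, cookie_value = "", pair
    attr_names = {attr.split("=", 1)[0].strip().lower() for attr in attrs}
    problems = []
    if not name.strip():
        problems.append("no cookie name: the Set-Cookie value was replaced, not extended")
    if "secure" not in attr_names:
        problems.append("missing Secure")
    if "httponly" not in attr_names:
        problems.append("missing HttpOnly")
    return {"name": name.strip(), "value": cookie_value, "problems": problems}


def audit_response(raw: str) -> List[Dict[str, object]]:
    """Audit every Set-Cookie header in a raw response."""
    return [audit_cookie(v) for v in set_cookie_headers(raw)]


if __name__ == "__main__":
    for label, resp in (("broken", BROKEN_RESPONSE), ("good", GOOD_RESPONSE)):
        for finding in audit_response(resp):
            print(label, finding)
```

Feeding it the output of `curl -sI https://your-host/form-handler` (or the raw headers copied from the browser's network panel) shows immediately whether the server that "loses" the cookie is in fact sending a nameless one.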

Apache-2.2 Set-Cookie on logic from a response header

I need to set a cookie based on a response header (as opposed to a request header). The response header is set by a SOAP call to a backend, and is out of Apache's control.
I've looked into SetEnvIf, but it states that it investigates request headers only. mod_rewrite's {HTTP:parm} construct also seems to apply to request headers only.
Request coming in
Response header is generated by backend
Apache investigates response header FooBar
Apache adds Set-Cookie if the response header FooBar value matches "string"
Any ideas out there?
It looks like this can be done with mod_headers, but unfortunately only with Apache 2.4, since expressions were only added in 2.4. You would do something like:
Header set Set-Cookie "cookie-contents-here" "expr=%{resp:Content-Type} =~ m|application/pdf|"
If you can't upgrade to 2.4, you might consider putting Varnish Cache in front of your Apache install. It's a powerful HTTP processor and can easily handle modifying the response for you. You could also implement caching with it and increase the performance of your site, but it can just be used as a pass-through HTTP processor if you don't want to do that. Perhaps there's a simpler solution but that would work.
Another option could be to put a layer in between Apache and your back-end, such as a PHP script, that handles passing the call to the back-end and modifying the headers on the way back out. Probably not great for performance though; upgrading Apache or implementing Varnish Cache would be better.
If you're using a separate back-end out of Apache's control, then you might take Apache out of the loop completely and go straight from Varnish Cache to your back-end.
Hope the ideas help.

While Redirecting the url through apache server Data get lost

My Question is this
I redirect the form in
Redirect /formviewer/faces/pages/view/viewform.xhtml ///formviewer/faces/pages/view/viewform.xhtml
in Apache Http Server but the form is not redirecting while doing post request from client Side.
So what is it doing?
I rather suspect that it's normalising the thing you want to redirect to ///... and considering it the same.
When looking at redirects, there are three things in my list of 'go-to' tools:
curl -I http://..... and look at the response and the Location header. I use this when installing new redirects (it avoids following chained redirects and gives me a better view of what is happening at each step).
Something like Fiddler or a browser's developer tools. Frankly I'd only use this if curl wasn't doing it for me.
Enable the RewriteLog in Apache... I almost never use this, but for your case it may shed some light.
But let's take a step back: why are you wanting to redirect to a path with an extra // prepended (which, as I've previously speculated, likely won't work)?

Where should I set HTTP headers, such as Expires?

I want to deploy an app using Sinatra on Phusion Passenger w/ nginx. If I want to set the Expires header on my static content (stylesheets, say), there appear to be three places where I could accomplish this.
In my Sinatra app, using the API
With Rack middleware
In the server config for my deployment
Which of these methods is the best place for setting HTTP headers?
After talking through and answering this question and seeing the comment above, I think I have figured out the answer to my own question.
The whole point of nginx actually removes the first two options.
That leads to Option #3. This is where all the other content config is set, such as gzip compression.