I have a AngularJS app deployed using Yeoman. Cakephp RESTful backend.
The Angular app sends in OPTIONS preflight requests, which the backend responds with forbidden (403), in nginx to solve this problem I have used this:
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE';
add_header 'Access-Control-Allow-Headers' 'X-AuthTokenHeader,Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
How do I go about doing this in Apache? Please provide some preliminary guidance/comments, I will figure out the details after that and improve the question with granular details.
I had the same question and the answer given does not solve the problem.
By looking around more I found you could do this using the rewrite, e.g:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
(make sure you enable the rewrite mod)
Then you should use, the "always set" to set the headers, e.g:
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"
Explanations here: https://serverfault.com/questions/231766/returning-200-ok-in-apache-on-http-options-requests
Add this to your .htaccess file to your apache root directory:
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
Make sure to activate the apache module headers:
a2enmod headers
Source: https://stackoverflow.com/a/11691776/1494875
If it helps -
I was using authentication so I also had to add following to make POST request work for me:
<LimitExcept OPTIONS>
Require valid-user
</LimitExcept>
Related
How we can edit Apache config file in a Kubernetes environment?
Usually I do edit some security in the .conf for all the headers.
Exemple:
Content-Security-Policy
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Permissions-Policy
Thank you
I have seen some results from security scans that a client website is not behaving as securely as possible.
The security scan suggests to resolve this, we need to add some add_header directives, e.g:
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options DENY;
add_header Referrer-Policy "strict-origin" always;
In a shared server environment, can I add these to .htaccess?
Affirmative, in environments where you might not have direct control over the Apache server such as in shared hostings you can use .htaccess and enforce headers from there.
Take a look at this:
https://torbjornzetterlund.com/hardening-your-http-response-headers-with-htaccess/
cors problem with apache 2.2.15
i've read serveral posts but i can't find a solution for my problem:
conf.inc for grafana dashboard
<Location /grafana/dashboard/db/smart-meter-fault-management/>
Header always set Access-Control-Allow-Credentials true
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
Header always append Access-Control-Allow-Origin: "http://10.17.52.50:18080"
Header always append Access-Control-Allow-Origin: "http://10.17.62.50:18080"
# Header add Access-Control-Allow-Origin: "172.20.16.140"
Order deny,allow
Deny from all
Allow from 10.17.52.50
Allow from 10.17.62.50
Allow from 10.17.62.150
Allow from 10.17.62.250
Allow from 10.17.72.50
Allow from 10.17.72.150
Allow from 10.17.72.250
Allow from 172.19.24.88
Allow from 172.20.6.140
</Location>
error on client
The 'Access-Control-Allow-Origin' header contains multiple values 'http://10.17.52.50:18080, http://10.17.62.50:18080',
but only one is allowed. Origin 'http://10.17.52.50:18080' is therefore not allowed access.
i've seen
Access-Control-Allow-Origin Multiple Origin Domains?
but how can i handle this with ip and not with domain?
regards
I added the following lines to my .htacces file:
Content-Security-Policy: default-src 'self'
X-Content-Security-Policy: default-src 'self'
X-WebKit-CSP: default-src 'self'
But I always got the following error:
Invalid command 'Content-Security-Policy:', perhaps misspelled or defined by a module not included in the server configuration
I don't get it. Which Apache module do I have to activate? What's wrong with these lines?
Thx,
David
Add those lines into your httpd.conf configuration files, or inside your virtualhost sections, or inside your .htaccess files:
Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP
Header add X-WebKit-CSP "default-src 'self'"
You may also be interested in adding those headers:
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "DENY"
Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"
You have to enable (LoadModule) mod_headers if not already enabled, then restart apache.
I'm not an apache expert, but content security policy is a response header. http://httpd.apache.org/docs/2.2/mod/mod_headers.html
We want to add X-Frame-Options to all Http responses except some of them (as some pages are supposed to be shown in iframes, and outside of the website). How can this be done?
Solved with adding
Header set X-Frame-Options DENY
....
<LocationMatch "....">
Header unset X-Frame-Options
</LocationMatch>