I set this line in a ssl vhost on my server. I am running Apache 2.x
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
This was a major mistake, because now I want to remove it and force users back to http pages sometimes. It was not enabled for very long, but I don't want to lose anyone. If I try to force users back to http pages right now they end up in a redirect loop.
How can I unset or expire HSTS using settings on the server so that when users do visit the site and hit the https version of the site the Strict-Transport-Security setting is removed from their browser and they are able to be redirected to http?
I already know I made a dumb mistake. I learned a lesson and just need to clean it up now.
Figured it out:
NOTE: A max-age value of zero (i.e., "max-age=0") signals the UA to
cease regarding the host as a Known HSTS Host, including the
includeSubDomains directive (if asserted for that HSTS Host).
See also Section 8.1 ("Strict-Transport-Security Response
Header Field Processing").
From the RFC 6797 document.
So, I will just set the following line and leave it for a few months before removing it.
Header always set Strict-Transport-Security "max-age=0; includeSubDomains"
Related
On one of my sites I have Header set Strict-Transport-Security "max-age=31536000" env=HTTPS and this was enough for HSTS to be preloaded but the exact same snippet in my .htaccess file doesn't allow preloading on another site. I've went with Header set Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload" env=HTTPS which fixed the issue but I'm wondering why the shorter version worked and preloaded a the first site but not the second?
Any insight would be appreciated.
why the shorter version worked
The short version couldn't have "worked". It would have been sufficient to implement HSTS, but not to have been accepted for the HSTS preload list.
Something else in your config must have been sending the complete header.
The only way to confirm what is actually going on is to record the HTTP request/response headers being sent on the request, not by the directives in your (.htaccess?) config file.
Even the directive you posted is not necessarily sufficient by itself. You must have something that is setting the HTTPS environment variable (this is not the same as the HTTPS server variable). And if you have canonical redirects from www to non-www (or vice versa) then you are missing the always argument to set the header on the 301 redirect (HTTPS only) - which is also a requirement of the "preload list".
It is far easier and less prone to error to implement HSTS "preload" in the server config. If you only have access to .htaccess then I would be hesitant to go for "preload list" submission.
See also my answer to the following related question on CodeReview SE:
https://codereview.stackexchange.com/questions/250805/hsts-recommendations-in-htaccess
The server response comes with HSTS header, and since I'm using reverse proxy HSTS header is also being sent through proxy response.
Since there are different domains (proxy and server) does HSTS make the browser automatically change the schema from http://proxyhost.com to https://proxyhost.com? or the preload list will call automatically https://serverhost.com when the user will request http://proxyhost.com?
does HSTS make the browser automatically change the schema from http to https
Indeed! and since:
a reverse proxy HSTS header is also being sent through proxy response.
... the configuration of a reverse proxy can involuntarily make your domain set theHSTS header.
Took some while to see why my apache server sets the HSTS header - for I hadn't configured that in the apache web server. It was due to a ReverseProxy: as the foreign domain sets theHSTS header this header comes then (reverse proxy!) with my domain's name. This was then propagated to the client's browser which stores it. Thus, all my domain's sites (and in this case also all my subdomains!) where forced to use https (not when using e.g. curl of course, but firefox, chromium etc.).
Thanks for your question - it was already the perfect direction!
In my case I simply could use aRewriteRule instead of a reverse proxy :) but this of course depends on your scenario.
You also gave the proper answer in your comment:
in this case I should unset HSTS header in the reverse proxy
Right! Just add Header unset Strict-Transport-Security directly after the ProxyPassReverse directive, and you can use a reverse proxy without inherit the HSTS header.
I have purchased a ssl certificate recently and have redirected all my traffic on secured https way but i want to get included in hsts preload list. For that reason i want to include hsts header. Is there any way using .htaccess or httpd.conf or if there is another way then please tell me in detail
you can set the hsts header in a .htaccess file:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
#see How to set HSTS header from .htaccess only on HTTPS for more information
or with php:
header('Strict-Transport-Security: max-age=63072000; includeSubdomains; preload');
Also you can put HSTS header on application side, I mean PHP. Add following code top of your header.php or index.php
<?php header("strict-transport-security: max-age=600");
People who uses shared hosting does not have an access to apache.conf. So proper way to do this is putting it on apache.conf.
I'm trying to add HSTS headers to every response, across my app.
My first thought was to use mod_headers — I placed this directive in an .htaccess file at the documentroot:
Header set Strict-Transport-Security "max-age=7776000"
This works fine on my local setup using Apache 2.2 and mod_php. All resources respond with the appropriate HSTS header.
My deployment environment uses Apache 2.2 and mod_fastcgi and the above technique works for any resource except php files.
Another SO question had a similar problem, where incoming requests (?) had headers stripped — but I'm concerned about modifying headers of response leaving the server.
How can I add response headers to php resources in the context of an .htaccess file?
According to the docs for mod_headers you probably need to set the optional conditional flag for the header directive.
So in this case, it would become
Header always set Strict-Transport-Security "max-age=7776000"
I am trying to allow some particular domain to access my site via iframe
Header set X-Frame-Options ALLOW-FROM https://www.example.com
I know this could be done by add the line above to the config of Apache server.
Two questions here.
which config file should be added to? The Apache running on both Unix and windows, if not the same file
while enable the all-from, I still want to be able to run some iframe from my own domain. Can I just add the following line after the allow-from?
Header set X-Frame-Options SAMEORIGIN
Or I should just add my own domain in the all-from, ie
Header set X-Frame-Options ALLOW-FROM https://www.example.com, http://www.my-own-domain.example
You can add to .htaccess, httpd.conf or VirtualHost section
Header set X-Frame-Options SAMEORIGIN this is the best option
Allow from URI is not supported by all browsers. Reference: X-Frame-Options on MDN
See X-Frame-Options header on error response
You can simply add following line to .htaccess
Header always unset X-Frame-Options
What did it for me was the following, I've added the following directive in both the HTTP <VirtualHost *:80> and HTTPS <VirtualHost *:443> virtual host blocks:
ServerName example.com
ServerAlias www.example.com
Header always unset X-Frame-Options
Header set X-Frame-Options "SAMEORIGIN"
The reasoning behind this? Well by default if set, the server does not reset the X-Frame-Options header so we need to first always remove the default value, in my case it was DENY, and then with the next rule we set it to the desired value, in my case SAMEORIGIN. Of course you can use the Header set X-Frame-Options ALLOW-FROM ... rule as well.
This worked for me on all browsers:
Created one page with all my javascript
Created a 2nd page on the same server and embedded the first page using the object tag.
On my third party site I used the Object tag to embed the 2nd page.
Created a .htaccess file on the original server in the public_html folder and put Header unset X-Frame-Options in it.
I found that if the application within the httpd server has a rule like "if the X-Frame-Options header exists and has a value, leave it alone; otherwise add the header X-Frame-Options: SAMEORIGIN" then an httpd.conf mod_headers rule like "Header always unset X-Frame-Options" would not suffice. The SAMEORIGIN value would always reach the client.
To remedy this, I add two, not one, mod_headers rules (in the outermost httpd.conf file):
Header set X-Frame-Options ALLOW-FROM http://example.com early
Header unset X-Frame-Options
The first rule tells any internal request handler that some other agent has taken responsibility for clickjack prevention and it can skip its attempt to save the world. It runs with "early" processing. The second rule strips off the entirely unwanted X-Frame-Options header. It runs with "late" processing.
I also add the appropriate Content-Security-Policy headers so that the world remains protected yet multi-sourced JavaScript from trusted sites still gets to run.
you have to enable mod_headers first in your server
sudo a2enmod headers
sudo service apache2 restart