handle multiple domains with Access-Control-Allow-Origin header in Apache - apache
I want to configure apache for cross-domain access header. I have tried multiple combination as suggested on number of threads on the forum. But its not working for me.
The ways, I have tried:
1) Specify domain on different line as below with Header set :
Header set Access-Control-Allow-Origin "example1.com"
Header set Access-Control-Allow-Origin "example2.com"
Header set Access-Control-Allow-Origin: "example3.com"
With this setup its picking only last one and ignore rest of all.
2) Specify domain on different line as below with Header add :
Header add Access-Control-Allow-Origin "example1.com"
Header add Access-Control-Allow-Origin "example2.com"
Header add Access-Control-Allow-Origin: "example3.com"
With this its showing all three domains in header, but fonts are not getting picked up on Firefox.
3.) Tried Using SetEnvIf, but again its not working :
SetEnvIf Origin "http(s)?://(www\.)?(mydomain.com|mydomain2.com)$" AccessControlAllowOrigin=$0$1
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Finally working with "*", but I don't want to use this.
Please help with this.
For 3 domains, in your .htaccess:
<IfModule mod_headers.c>
SetEnvIf Origin "http(s)?://(www\.)?(domain1.org|domain2.com|domain3.net)$" AccessControlAllowOrigin=$0$1
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials true
</IfModule>
I've tried this and it works for me. Let me know if it doesn't for you.
Unless I'm misunderstanding the manual, it should be:
Header always append Access-Control-Allow-Origin: "example1.com"
Header always append Access-Control-Allow-Origin: "example2.com"
Header always append Access-Control-Allow-Origin: "example3.com"
The manual states that the set and add actions behave in the following way:
set: "The response header is set, replacing any previous header with this name"
add: "...This can result in two (or more) headers having the same name. This can lead to unforeseen consequences..."
To restrict access to certain URIs checkout these docs:
CrossOriginRequestSecurity
Server-Side Access Control#Apache_examples
One helpful trick is to use an Apache rewrite, environment variable, and headers to apply Access-Control-Allow-* to certain URIs. This is useful, for example, to constrain cross-origin requests to GET /api(.*).json requests without credentials:
RewriteRule ^/api(.*)\.json$ /api$1.json [CORS=True]
Header set Access-Control-Allow-Origin "*" env=CORS
Header set Access-Control-Allow-Methods "GET" env=CORS
Header set Access-Control-Allow-Credentials "false" env=CORS
Also, in general, according to W3 Wiki - CORS Enabled#For_Apache
To expose the header, you can add the following line inside Directory, Location, and Files sections, or within an .htaccess file.
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
AND, you can use add rather than set, but be aware that add can add the header multiple times, so it's generally safer to use set.
Try this one, it works for me.
Apply in .htaccess:
SetEnvIf Origin "^http(s)?://(.+\.)?(domain\.org|domain2\.com)$" origin_is=$0
Header always set Access-Control-Allow-Origin %{origin_is}e env=origin_is
Will be work 100%, Apply in .htaccess:
# Enable cross domain access control
SetEnvIf Origin "^http(s)?://(.+\.)?(domain1\.com|domain2\.org|domain3\.net)$" REQUEST_ORIGIN=$0
Header always set Access-Control-Allow-Origin %{REQUEST_ORIGIN}e env=REQUEST_ORIGIN
Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Header always set Access-Control-Allow-Headers "x-test-header, Origin, X-Requested-With, Content-Type, Accept"
# Force to request 200 for options
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule .* / [R=200,L]
For Apache 2.4, I have used SET command for the Apache web server to set Header dynamically.
<IfModule mod_deflate.c>
# CORS
SetEnvIfNoCase Origin "http(s)?://(\w+\.)?(example.com|localhost)(:[0-9]+)?$" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials true
</IfModule>
ADD command didn't work for me.
I am using this in my .htaccess file for allowing access to multiple domains
<ifModule mod_headers.c>
SetEnvIf Origin "http(s)?://(localhost:25120|domain.com|domain2.com)$" AccessControlAllowOrigin=$0
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header always set Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"
</ifModule>
For Multiple domains, in your .htaccess:
<IfModule mod_headers.c>
SetEnvIf Origin "http(s)?://(www\.)?(domain.com|domain.online|domain.in|domain.net|domain.site|domain.website|domain.space)$" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials true
</IfModule>
it 100% works for me
This works for me in Classic ASP:
If Request.ServerVariables("HTTP_ORIGIN") = "http://domain1.com" Then
Response.AddHeader "Access-Control-Allow-Origin","http://domain1.com"
ElseIf Request.ServerVariables("HTTP_ORIGIN") = "http://domain2.com" Then
Response.AddHeader "Access-Control-Allow-Origin","http://domain2.com"
'and so on
End If
Related
Disable Access-Control-Allow-Origin from apache or htaccess
In my local machine when I try to send a request via ajax using cross domain the request doesn't complete. I added this options to my .htaccess file:
Header always set Access-Control-Allow-Origin "https://accepted-domain"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
After that, everything worked just fine but when I uploaded this to my cPanel server the request didn't complete.
However, if I remove these lines from the .htaccess file everything works just fine.
The question is: How to disable this Access-Control-Allow-Origin in my cPanel host to define it with the domain I want to accept only ?
UPDATED
When I sent the request on my cPanel hosting the response was this message:
Failed to load http://receiver-domain.com/create.php: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed. Origin 'http://sender-domain.com' is therefore not allowed access.
Which means the Access-Control-Allow-Origin has been set somewhere else.
Adding multiple domain/URL in Header set X-Frame-Options "ALLOW-FROM "
I want to add multiple domains/URL in Header set X-Frame-Options "ALLOW-FROM " (eg: Header set X-Frame-Options "ALLOW-FROM http://xyz, http://abc") in httpd.conf file . But I am unable to add 2 domains/URL as specified above. My requirement is the the X-Frame contents should be displayed only if the page is accessed from 2 different domains. So obviously I cannot give SAMEORGIN. Please specify any alternate solutions to add 2 domains/URL in X-Frame-Options.
Add this to your apache configuration: <IfModule mod_headers.c> Header set Content-Security-Policy "frame-ancestors http://*.example.com/ 'self';" # For IE 11 and below Header set X-Frame-Options SAMEORIGIN Header append X-Frame-Options "ALLOW-FROM http://example.com/" </IfModule>
Apache X-Frame-Options Allow-From multiple domains
I got a error when i using x-frame headers option with apache. Header always append X-Frame-Options ALLOW-FROM site1,site2,site3 or Header always append X-Frame-Options ALLOW-FROM=site1,site2,site3 or Header always append X-Frame-Options ALLOW-FROM=site1 Header always append X-Frame-Options ALLOW-FROM=site2 Header always append X-Frame-Options ALLOW-FROM=site3 How could i set the X-Frame-Options: ALLOW-FROM to support more than a single domain? Thanks!
It's worth noting that ALLOW-FROM is being removed from Firefox 70, and other browsers are likely to follow. You will want to use CSP's frame-ancestors directive instead, which is supported in about 95% of browsers. Your example would then be: Header always append Content-Security-Policy "frame-ancestors site1 site2 site3;" EDIT: frame-ancestors overwrites X-FRAME-OPTIONS in new browsers, so theroetically you could set a value for old browsers in there and have CSP overwrite it in new browsers, but the problem is that there is no X-FRAME-OPTIONS value that will let you be embedded in multiple webpages. The only valid options are deny (not allowed anywhere), sameorigin (your website only) and allow-from (removed from modern browsers, only allowed one site anyway). The old X-FRAME-OPTIONS value that you want to overwrite is none at all. That will allow you to embed your site in multiple other sites (all of them) and restrict it to the sites you allow in modern browsers. If not embedding in disallowed sites is more important than embedding in allowed sites, then combine the above with: Header always append X-Frame-Options "DENY" That will prevent your site being embedded in all sites in about 3% of browsers, shown only in the allowed sites in 95% of browsers, and shown everywhere in the remaining 2% (even X-FRAME-OPTIONS isn't supported everywhere).
EDIT 17/01/2018 : This is what is correct : Header set X-Frame-Options SAMEORIGIN Header append X-Frame-Options "ALLOW-FROM http://www.example.com/" Header append X-Frame-Options "ALLOW-FROM http://example.com/" Header append X-Frame-Options "ALLOW-FROM https://www.example.com/" Header append X-Frame-Options "ALLOW-FROM https://example.com/" So basicaly you only allow iframes from your site (SAMEORIGIN) and you specify with an "append" a list of allowed url. if you don't add the "append" each line will overwrite the previous one. This actually works with internet explorer 11, doesn't work in Firefox 57, and is ignored by Chrome... testing with https://securityheaders.io will not give you a "A" because they can't handle multiple uri We couldn't detect a valid configuration. Expected values are "DENY", "SAMEORIGIN", "ALLOW-FROM (URL)" and "ALLOWALL". Another possibility which seems to work in IE11 and Firefox is : Header always set X-Frame-Options "ALLOW-FROM https://www.example.fr/ https://example.fr/ http://www.example.fr/ http://example.fr/" It gives a "A" when you check the result with https://securityheaders.io By the way i'm wondering what's the point of using a security setting that you can bypass using the most used browser in the world (Chrome) ??
SetEnvIf Referer "^(https:\/\/.*\.example1\.com)/.*" X_FRAME_OPTIONS_ALLOWED=$1
SetEnvIf Referer "^(https:\/\/.*\.example2\.com)/.*" X_FRAME_OPTIONS_ALLOWED=$1
Header set X-Frame-Options SAMEORIGIN
Header append X-Frame-Options "ALLOW-FROM %{X_FRAME_OPTIONS_ALLOWED}e" env=X_FRAME_OPTIONS_ALLOWED`
Since the support for ALLOW-FROM is varying in both implementation and support across browsers I tried the following solution which either sets SAMEORIGIN or conditionally removes X-Frame-Options altogether. Tried on apache-2.4. # Set X-Frame-Options SAMEORIGIN _unless_ the referer is any of my allowed sites. # Add one or more SetEnvIf - whatever suits your purpose # This part you MUST adapt. # ALLOW https://my.allowed.site.com SetEnvIf Referer "^https:\/\/my\.allowed\.site\.com\/.*" X_FRAME_OPTIONS_ALLOWED # ALLOW https://mysite.tld.com and https://yoursite.tld.com SetEnvIf Referer "^https:\/\/(mysite|yoursite)\.tld\.com\/.*" X_FRAME_OPTIONS_ALLOWED # ALLOW https://mysite.tld.com and https://yoursite.theother.org SetEnvIf Referer "^https:\/\/(mysite\.tld\.com|yoursite\.theother\.org)\/.*" X_FRAME_OPTIONS_ALLOWED # Set X-Frame-Options = SAMEORIGIN _unless_ the referer is in the allow list. Header always set X-Frame-Options SAMEORIGIN env=!X_FRAME_OPTIONS_ALLOWED # Always _unset_ X-Frame-Options if the referer is in the allow list. Header always unset X-Frame-Options env=X_FRAME_OPTIONS_ALLOWED You could either add multiple SetEnvIf or expand the regex - YMMV. Your colleagues will love your for making things readable...
Header always append X-Frame-Options ALLOW-FROM=site1 Header always append X-Frame-Options ALLOW-FROM=site2 Header always append X-Frame-Options ALLOW-FROM=site3 This way is OK. But I got an error when i first using it. Maybe i make a wrong character.
EDIT 17/01/2018 : This solution below is not correct, as the setting on each line is overwriting the previous one. so you only allow http://example.com/ Finaly i found the correct syntax for that. According to this site : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options Header set X-Frame-Options "ALLOW-FROM https://example.com/" This worked for me : Header always set X-Frame-Options "ALLOW-FROM https://www.example.com/" Header always set X-Frame-Options "ALLOW-FROM https://example.com/" Header always set X-Frame-Options "ALLOW-FROM http://www.example.com/" Header always set X-Frame-Options "ALLOW-FROM http://example.com/"
The specification for X-Frame-Options only specifies to use one of DENY, SAMEORIGIN and ALLOW-FROM (https://www.rfc-editor.org/rfc/rfc7034#section-2.1). Some browsers may support multiple ALLOW-FROM, but many browsers don't support ALLOW-FROM at all. Your best option is to implement the Content-Security-Policy header with the frame-ancestors directive. This allows multiple URIs to be configured and is understood by most browsers but IE and Edge 14 and below. For IE and Edge 14 support you can also set the X-Frame-Options with ALLOW-FROM. If you create a whitelist of values you may be able to set the ALLOW-FROM URI based on the referrer. It doesn't hurt to set both headers. Browsers that understand Content-Security-Policy frame-ancestors will ignore X-Frame-Options and those that don't understand frame-ancestors will ignore it and use X-Frame-Options if available. Combining https://caniuse.com/#search=csp and https://caniuse.com/#search=x-frame-options this will work for all browsers except "UC Browser for Android"
Apache - Add Cache-Control header if not already added
In Apache, how can I set a Response Header only if it is not already set by the CGI application? I need a way to automatically add the Cache-Control header to static content on my website, but I want the CGI application to be able to specify its own Cache-Control header too. SetEnvIf will not work for this purpose because it only matches Request Headers. Is there some way to conditionally / optionally set a header if it is not already set?
1) Configure Apache to append the value of empty string ("") to the Cache-Control header to ensure the header is always included in the response.
2) Configure Apache to set the Cache-Control header only if it's still set to empty string.
<FilesMatch "\.(css|ico|flv|gif|jpeg|jpg|js|pdf|png|swf)$">
Header append Cache-Control ""
Header edit Cache-Control "^[, ]*$" "max-age=1800, public"
</FilesMatch>
How to use the SetEnvIf in this situation?
I try to put a X-FRAME-OPTIONS to the http header to prevent the Clickjacking attack. If I set the header in the httpd.conf or .htaccess file like this, it works. Header set X-Frame-Options SAMEORIGIN But there are several places that using the iFrame on my own website, if I do this, it will also block the iFrame on my own website. So I try to add a exception for my own website. Check if the request is from my own website, then allow the iFrame on the page. I tried this, but it didn't work. SetEnvIf Host http://myownwebsite\.com iframes_are_cool Header set X-Frame-Options SAMEORIGIN env=!iframes_are_cool Could someone help me with this?
SetEnvIf is not as flexible so I recommend to use simply the // sections. Give the below a try:
<If "! %{HOST} =~ /http://myownwebsite\.com/">
Header set X-Frame-Options SAMEORIGIN
</If>