How can we edit the Apache config file in a Kubernetes environment?
Usually I edit some security settings in the .conf for all the headers.
Example:
Content-Security-Policy
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Permissions-Policy
Thank you
Using the securityheaders.io website, I can't get the Referrer-Policy header recognized in Apache .htaccess.
This is my code in .htaccess:
<IfModule mod_headers.c>
    Header set Referrer-Policy "no-referrer"
</IfModule>
The site still says missing referrer policy. Is this not the right code to use?
You must add it like this in your .htaccess file:
Header always set Referrer-Policy "same-origin"
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
Referrer-Policy: same-origin is usually recommended.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
This worked for me:
Header always set Referrer-Policy "no-referrer"
CORS problem with Apache 2.2.15
I've read several posts but I can't find a solution for my problem:
conf.inc for Grafana dashboard
<Location /grafana/dashboard/db/smart-meter-fault-management/>
    Header always set Access-Control-Allow-Credentials true
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header always set Access-Control-Max-Age "1000"
    Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
    Header always append Access-Control-Allow-Origin: "http://10.17.52.50:18080"
    Header always append Access-Control-Allow-Origin: "http://10.17.62.50:18080"
    # Header add Access-Control-Allow-Origin: "172.20.16.140"
    Order deny,allow
    Deny from all
    Allow from 10.17.52.50
    Allow from 10.17.62.50
    Allow from 10.17.62.150
    Allow from 10.17.62.250
    Allow from 10.17.72.50
    Allow from 10.17.72.150
    Allow from 10.17.72.250
    Allow from 172.19.24.88
    Allow from 172.20.6.140
</Location>
Error on client:
The 'Access-Control-Allow-Origin' header contains multiple values 'http://10.17.52.50:18080, http://10.17.62.50:18080',
but only one is allowed. Origin 'http://10.17.52.50:18080' is therefore not allowed access.
I've seen
Access-Control-Allow-Origin Multiple Origin Domains?
but how can I handle this with IPs and not with domains?
regards
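One way to send a single Access-Control-Allow-Origin value when several IP-based origins are allowed, as an added example that is not part of the original post: match the request's Origin header against an allow-list with SetEnvIf and echo back only the value that matched. The variable name CORS_ORIGIN is an assumption; the Location path and the two origins are the ones from the question.

```apache
# Added example (not from the original post). CORS_ORIGIN is a hypothetical
# variable name; the path and origins are taken from the question above.
<Location /grafana/dashboard/db/smart-meter-fault-management/>
    # Capture the Origin request header only when it is exactly one of the
    # allowed origins. The pattern is anchored (^...$) and the dots are
    # escaped, so look-alike values such as
    # "http://10.17.52.50:18080.example.org" do not match.
    SetEnvIf Origin "^(http://10\.17\.(52|62)\.50:18080)$" CORS_ORIGIN=$1

    # Emit exactly one origin, and only for requests whose Origin matched.
    # "set" replaces any earlier value; "append" is what produced the
    # comma-joined list the browser rejected.
    Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN

    # Credentialed CORS requires a specific origin, never "*", so tie the
    # remaining CORS headers to the same match.
    Header always set Access-Control-Allow-Credentials "true" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token" env=CORS_ORIGIN
    Header always set Access-Control-Max-Age "1000" env=CORS_ORIGIN

    # The response now depends on the Origin request header, so caches must
    # not reuse one origin's response for another.
    Header always append Vary "Origin"

    # The Order/Deny/Allow lines from the question stay unchanged below this
    # point. They filter by client IP; the Origin header is supplied by the
    # browser and is not an access control on its own.
</Location>
```

Requests from an origin outside the pattern receive no CORS headers at all, so the browser blocks the cross-origin read instead of seeing a multi-valued header.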
I have an AngularJS app deployed using Yeoman. CakePHP RESTful backend.
The Angular app sends in OPTIONS preflight requests, to which the backend responds with forbidden (403). In nginx, to solve this problem I have used this:
if ($request_method = 'OPTIONS') {
    add_header 'Access-Control-Allow-Origin' '*';
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE';
    add_header 'Access-Control-Allow-Headers' 'X-AuthTokenHeader,Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
    add_header 'Access-Control-Max-Age' 1728000;
    add_header 'Content-Type' 'text/plain; charset=UTF-8';
    add_header 'Content-Length' 0;
    return 204;
}
How do I go about doing this in Apache? Please provide some preliminary guidance/comments, I will figure out the details after that and improve the question with granular details.
I had the same question and the answer given does not solve the problem.
By looking around more I found you could do this using the rewrite, e.g.:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
(make sure you enable the rewrite mod)
Then you should use "always set" to set the headers, e.g.:
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"
Explanations here: https://serverfault.com/questions/231766/returning-200-ok-in-apache-on-http-options-requests
Add this to the .htaccess file in your Apache root directory:
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
Make sure to activate the Apache headers module:
a2enmod headers
Source: https://stackoverflow.com/a/11691776/1494875
If it helps -
I was using authentication so I also had to add the following to make POST requests work for me:
<LimitExcept OPTIONS>
    Require valid-user
</LimitExcept>
We want to add X-Frame-Options to all HTTP responses except some of them (as some pages are supposed to be shown in iframes, and outside of the website). How can this be done?
Solved by adding
Header set X-Frame-Options DENY
....
<LocationMatch "....">
    Header unset X-Frame-Options
</LocationMatch>