I am currently evaluating Google Chrome Frame and so far i'm happy with it, but what i'd like to do is selectively use it for certain sections of my website.
Some sections require ActiveX so need to be viewed in native IE, whereas others benefit greatly, and may end up requiring, Chrome Frame.
I've currently got the following configured in my apache httpd.conf file -
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
BrowserMatch chromeframe gcf
Header append X-UA-Compatible "chrome=1" env=gcf
</IfModule>
</IfModule>
This causes anything coming in via Apache to get the chrome frame stuff added to the headers.
What I need is to make this only happen when a user visits particular URL's / particular pages, which i'm currently controlling via RewriteRules.
Could anybody explain how I would go about this, as my understanding of the Apache config files isn't brilliant.
Thanks.
Related
I need to modify my localhost page server response (edit headers) - I'm using XAMPP (apache + msql, on linux machine). I can't find how to do that. Maybe some of the programmers/admins know how I can make it happened - share their knowledge and save me time.
If there is any article/link I would use it gladly.
I cannot use live server (my page is a total mess - it working on localhost by miracle...), and the only thing I have installed is xampp, so editing response headers through xampp would be perfect.
Thanks for any directions.
EDIT:
https://www.a2hosting.com/kb/developer-corner/apache-web-server/modifying-http-headers
is not working for me.
<IfModule mod_headers.c>
Header set Test "testing"
</IfModule>
inside of .htaccess
In you .htaccess file (witch should be placed where your index.html is) type:
### add custom header to all server responses from ALL files:
Header add Custom-Header: "parameter=value"
### add custom header to SINGLE file:
<Files someOtherFile.html>
Header add Custom-Header: "parameter=value"
</Files>
I'm using linux, maybe on windows there is something more you should do but remember to restart xampp after editing .htaccess.
i want to enable Expect-Ct on my website.
From searching around i creaded code on my own from searches.
<IfModule mod_headers.c>
Expect-CT: max-age=86400, enforce, report-uri="https://foo.example/report"
</IfModule>
I want to ask if this is right or not and what is report uri ? it can be any random link or something else.
for example my website is testwebsite.com then report uri should be testwebsite.com/report ? and how can i check reports ?
This is a good question; while the general syntax form is explained in the link provided in comments, it doesn't explain how to correctly apply this header in the .htaccess or httpd.conf Apache files.
Through trial and error I found this works:
<IfModule mod_headers.c>
Header set Expect-CT enforce,max-age=2592000,report-uri="https://foo.example/report"
</IfModule>
Note that there should not be any white space in the "data" part.
Also note that the output detected by such things as redbot.org does not show exactly the same thing.
I have SVN configured thru Apache 2.4.18 on Linux 6.6. Next i have to disable cross frame scripting for my svn url. SVN url is like https://servername/svn/projectA. I have compiled mod_security2.so and copied to /modules directory and loaded then in virtualHost have the lines below.
LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua-5.1.so
LoadModule security2_module modules/mod_security2.so
httpd-vhosts.conf
<VirtualHost *:80>
ServerAdmin email#domain.com
DocumentRoot "/var/local/apache/httpd2.4.18/htdocs"
ServerName servername.fqdn.com
# For http to https redirect
Redirect / https://servername
TraceEnable off
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
SecRuleEngine On
#SecFilterEngine On
#SecFilterForceByteRange 32 126
#SecFilterScanPOST On
#SecFilter "<( |\n)*script"
SecRequestBodyAccess On
SecResponseBodyAccess On
ErrorLog "logs/error_log"
CustomLog "logs/access_log" common
</VirtualHost>
The rules that Apache not supported are
SecFilterEngine
SecFilterForceByteRange
SecFilterScanPOST
SecFilter
Blockquote
Instead of SecFilterEngine, its taking SecRuleEngine. But I do not know alternative rule for other rules. I am using modsecurity-2.9.0 source compiled. The error i see is below. [root#server extra]# /var/local/apache/httpd2.4.18/bin/apachectl configtest
AH00526: Syntax error on line 45 of /var/local/apache/httpd2.4.18/conf/extra/httpd-vhosts.conf:
Invalid command 'SecFilterForceByteRange', perhaps misspelled or defined by a module not included in the server configuration. Any one know the mod_security2 supported modules for SecFilterForceByteRange, SecFilterScanPOST and SecFilter. I also read documentation about mod_security but could not figure out and solve the issue. I followed the url below.
http://www.unixpearls.com/how-to-block-xss-vulnerability-cross-site-scripting-in-apache-2-2-x/
[EDIT]
Its solved by adding the header response.
All those unsupported commands are ModSecurity v1 commands and have been completely rewritten for ModSecurity2.
The rule you would want would be something like this:
SecRule ARGS "<( |\n)*script" "phase:2,id:1234,deny"
This basically scans any of your arguments (as parameters or the body) for items like this:
<script
or
< script
or
<
script
That's not a bad start to trying to protect for XSS but is a bit basic.
OWASP has a Core Rule Set of ModSecurity rules and their XSS rules are much more complex and can be seen here: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_41_xss_attacks.conf
XSS can be exploited in a number of ways, some of which will make it to your server (and this sort of thing might catch) and some which might not even make it to your server at all (and so which this can't protect against).
The best way to protect against XSS is to look at Content Security Policy, which allows you to explicitly say what javascript you want to allow on your site, and what not, and to explicitly deny in-line scripts if you want. This may require some clean up of your site to remove inline scripts and is not always the easiest to set up, particularly if loading third party assets and widgets on your site, but is the most robust protection.
The X-Frame-Options header is useful to stop your site being framed, and someone overlaying content to make you think you are clicking on the real site buttons and fields, but actually clicking their buttons. It's not really a form of XSS, since you are more putting scripting on an invisible window on top of your site rather than directly on your site, but can have similar effects. It's a good header to use.
We have files that we serve to a Native Windows OS applications from our server. The files can change every minute so we need to ensure the user is downloading the latest file.
We've found that users on Portable WiFi's tend to get served an older file. So we are changing our servers .htaccess file expirations for certain files.
We serve a custom file type (.ebc) and the files contents are sent over HTTP as plain text. In this case should we use ExpiresByType text/ebc "access 1 minute"?
Will changing .htaccess cache control affect Portable Wifi caching or will this only affect browsers?
Should mod_expires / mode_headers occur code occur before redirects and rewrites? I've discovered before that you should perform certain .htaccess code operations before others (such as place redirects at the top of the file).
Heres my code:
RedirectMatch (?i)^/wp-content/uploads/2014/10/a.exe http://www.website.com/wp-content/uploads/2014/10/b.exe
## EXPIRES CACHING Should we place this before mode_rewrite or after? ##
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType text/ebc "access 1 minute"
</IfModule>
## EXPIRES CACHING ##
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
There are 3 questions here, so I'll attempt to answer them.
We serve a custom file type (.ebc) and the files contents are sent over HTTP as plain text. In this case should we use ExpiresByType text/ebc access 1 minute
That should be fine, as long as you have the text/ebc mime-type properly set on your server.
Will changing .htaccess cache control affect Portable Wifi caching or will this only affect browsers
I don't really know what "Portable Wifi caching" is. These headers are targeted at browsers only. If a custom application is downloading these files, it could be implementing its own caching and so these headers might get ignored.
Should mod_expires / mod_headers code occur before redirects and rewrites?
I'd put it before the redirects but only from a logical point of view. These are not like RewriteRules and think they get evaluated separately.
Additionally, I'll add that caching is difficult and once a file has left your server it can be hard to force an update. Different browsers behave different ways and I've come across configurations that work one place and not another.
I would additionally consider two other approaches to what you're attempting.
Firstly, don't cache your files at all:
<FilesMatch "\.ebc$">
Header set Cache-Control no-cache
Header set pragma no-cache
</FilesMatch>
Secondly think about implementing a cache-busting mechanism. If the file is linked from somewhere, try and make sure that link is changed (normally a querystring with a timestamp suffices) each time the file changes. You obviously then need to make sure whatever contains the link also isn't being cached.
An easier solution I used in the past was adding a parameter to the downloadable files.
For example, if the file you're serving is
http://www.domain.tld/file.pdf
then you can create the following link:
http://www.domain.tld/file.pdf?d486dFyg
The question mark and whatever comes after it (random) will be ignored but it will guarantee that the user will always download the latest version, as the URL will be different (because of the random always being different of course).
The downloaded file on the user's computer will just be file.pdf so absolutely no downside.
EDIT: I noticed some reference to WordPress in your question, which is PHP, so you can use the rand() function to append the random part: http://php.net/manual/en/function.rand.php
I've been having issues with displaying PDF documents in IE. Other browsers (Chrome, firefox, etc.) are all OK but IE is no good. So my solution is to force the PDF download for IE users ONLY with modifications to the .htaccess file. I have it currently set up to force the PDF download on all browsers, however I want chrome/firefox/etc. users to have the PDF displayed in browser.
Here is my current .htaccess rules:
<FilesMatch "\.(?i:pdf)$">
SetEnvIf Request_URI "\.pdf$" requested_pdf=pdf
Header add Content-Disposition "attachment" env=requested_pdf
</FilesMatch>
Is there a way to utilize BrowserMatch to only set this header when in IE? Or is there another solution using another method? I've had no luck so far.
Thank you in advance!
CentOS | Apache | PHP
Try this in your .htaccess file
SetEnvIf Request_URI ".pdf$" requested_pdf=pdf
Header add Content-Disposition "attachment" env=requested_pdf