Referrer-Policy with PHP and htaccess - php

is there any way to overwrite the header referrer policy using htaccess or PHP?
HTML Code :
<meta name="referrer" content="origin">
Is any way to do same with htaccess or PHP? i tried these code from How to set Firefox referrer to "no-referrer" using PHP Referrer-Policy?
I tried (PHP) :
header("Referrer-Policy: origin");
With Htaccess :
<IfModule mod_headers.c>
Header set Referrer-Policy "origin"
</IfModule>
Still it not overriding strict-origin-when-cross-origin.
Firefox info : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy


I tried in private browser and it worked !!
<IfModule mod_headers.c>
Header set Referrer-Policy "origin"
</IfModule>

Related

What would cause the caching of server variables?

I am having issues with server variables (like the page URL) being cached so that when you go to a new page, the variable that contains the server URL doesn't actually change.
I am able to fix it in my .htaccess file with this code:
<IfModule mod_headers.c>
Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0
</IfModule>
<FilesMatch "\.(css|flv|gif|htm|html|ico|jpe|jpeg|jpg|js|mp3|mp4|png|pdf|swf|txt)$">
<IfModule mod_expires.c>
ExpiresActive Off
</IfModule>
<IfModule mod_headers.c>
FileETag None
Header unset ETag
Header unset Pragma
Header unset Cache-Control
Header unset Last-Modified
Header set Pragma "no-cache"
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Expires "Thu, 1 Jan 1970 00:00:00 GMT"
</IfModule>
</FilesMatch>
So, I know the fix, but I need to know what is causing it because it's a WordPress site (and no, it's not being caused by plugins, I tested with a fresh WP install) and therefore my .htaccess file gets periodically overwritten by WordPress.
So I would like to know how to fix it on the server side, rather than using the .htaccess file. Would it be in the PHP variables? Or apache settings?
I called the webhost (godaddy) and the guy had no idea.
Thanks!

WordPress 5.6 added application passwords.
It wants to add this to .htaccess:
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
I would try:
chmod 600 .htaccess
add_filter('wp_is_application_passwords_available', '__return_false');
Best wishes,
Mitchell

I use wildcard subdomain in opencart2x and have this No Access-Control-Allow-Origin in header

And not understand how fix this problem, web server - apache...
for example:
link.com - all good
sub.link.com - not good, in console error
Font from origin 'link.com' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'sub.link.com' is therefore not allowed access.
i tried add in .htaccess
<IfModule mod_headers.c>
<FilesMatch "\.(svg|ttf|otf|eot|woff|woff2|css)$">
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Credentials true
</FilesMatch>
</IfModule>
after this remove and add this
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
and without .htaccess, I tried add in index.php
header("Access-Control-Allow-Origin: *");
BUT NOT WORKING! I think this problem due to because CSS fots files use like
...
src:url('icons/fonts/journal-icons.eot');
src:url('icons/fonts/journal-icons.eot?#iefix') format('embedded-opentype'),
...
but I do not understand what I need to do to fix this problem??? (It looked similar questions but did not help)

There's a very clear error message in the Chrome javascript console:
Font from origin 'http://www.mss.partneris.net' has been blocked from loading
by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin'
header is present on the requested resource. Origin
'http://www.test.mss.partneris.net' is therefore not allowed access.
Add:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
to your apache configuration for http://www.mss.partneris.net domain, restart apache, and go to http://www.mss.partneris.net/catalog/view/theme/journal2/css/icons/fonts/journal-icons.woff in your browser or using curl, and see that it has Access-Control-Allow-Origin: * response header. When it does, try again in the browser, and hopefully it will all work well.

setting $_SESSION (php) with remote server using angularJS code not working

I have an api with php implemented for login authenrication:
http://somerestsertver.net/sampleapi/auth-login this sets the login session id (e.g. after verifying user credentials)
http://somerestsertver.net/sampleapi/auth-check this checks the login is valid if the session id is set or not
http://somerestsertver.net/sampleapi/auth-logout and this destroys the session and needed logout ...
I set login with $_SESSION["id"]=1 when auth-login in the code
then auht-check would be ok, otherwise the auth-check would contain errors.
it is ok when I call these urls in browser or a ReST Client,
but using them in my angularJS code returns errors for http://somerestsertver.net/sampleapi/auth-check!
it seems the session set is not available via PHPSESSID in the client and it is not working properly
Is it related to sandbox or CORS or html header requests?

Hi I solved the problem finally this way:
Client side, in angularJS I put this in my route-config to apply for all request to ReST-API
$httpProvider.defaults.withCredentials = true;
I think I should have mainly use in .htaccess for web server:
Header add Access-Control-Allow-Credentials "true"
but for your attention, I updated finally the whole .htaccess file to the following:
Header add Access-Control-Allow-Origin "http://localhost:3000"
Header add Access-Control-Allow-Credentials "true"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "GET, POST"
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
<FilesMatch "\.php$">
Order Allow,Deny
Deny from all
</FilesMatch>
<FilesMatch "index[0-9]?\.php$">
Order Allow,Deny
Allow from all
</FilesMatch>
also I use the following for JSON response in php:
$response="desired JSON response OBJECT";
$status='OK or unauthenticated or ...' ;
$status='200 or 403 or ...';
header("Content-Type:application/json");
header("HTTP/1.1 $status $status_message");
echo json_encode($response);
exit();
Hope this question and answer helps you

HTTP Response Header is being overwritten. Where all can HTTP Response headers be set in apache?

I have a PHP application where I conditionally set the Access-Control-Allow-Origin header. I see the change reflected on my local setup and on the dev environment, but on the live site, the header is set as something else. The other headers that I set along with it keep their values, so it leads me to believe that the Access-Control-Allow-Origin header is being overwritten somewhere else.
I've checked the .htaccess files in my project and the apache virtual host configuration file for possible places the header could be overwritten. It was being set in the virtual host config file, but I commented it out and restarted apache, but the header is still being overwritten.
Is there any other place that I can check to see if the header is being overwritten?
Thanks in advance for your help!
Here is the requested PHP code snippet:
$origin=$front->getRequest()->getHeader('Origin');
if($origin && (preg_match('/http[s]{0,1}:\/\/' . $front->getRequest()->getHttpHost() . '$/', $origin))){
$front->getResponse()->setHeader('Access-Control-Allow-Origin', $origin);
$front->getResponse()->setHeader('Access-Control-Allow-Credentials', 'true');
}else{
//leave current value if there is no match
$front->getResponse()->setHeader('Access-Control-Allow-Origin', '*');
}
I'm pretty sure the header is being overwritten by something else because I can see the Access-Control-Allow-Credentials:true come through as expected, but Access-Control-Allow-Origin has a value of *.

I did some more digging and found this link to do the same in the .htaccess. I ended up adding the following:
SetEnvIf Origin "^http(s)?://(.+\.)?(www.example.com)$" origin_is=$0
Header set Access-Control-Allow-Origin %{origin_is}e env=origin_is
Header set Access-Control-Allow-Credentials true env=origin_is

You can set header from htaccess:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
Or from PHP:
header("access-control-allow-origin: *");
You can use:
<IfModule mod_headers.c>
<FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css|css)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
to apply htaccess header for specified files.

Disable ETags in php?

Our webhoster moved the site to a newer server and now i have the problem that i have ETags everywhere.
I tried FileETag None in the htaccess but that does not work.
They told me on the phone that the ETags are not coming from Apache and that
it is from the new php and that i have to disable them there.
Put i can't find something about php 5 is sending ETags per standard and can't find a setting to disable it in php.ini.
Does somebody know where to disable ETags in php?

Try the following in your .htaccess:
Header unset ETag
FileETag None

This explains how to disable ETags via .htaccess for your Apache-powered website:
# Disable ETags
<IfModule mod_headers.c>
Header unset ETag
</IfModule>
FileETag None
Reference: Disable ETags

Categories