In my project, HSTS is enabled. So if someone is tryig to use the site using the HTTP then it redirects to HTTPS.
After the Security scan, it is reported that ttf, woff and woff2 files are ignoring the HSTS.
Example 1:
On Google Crome if i am trying below URL then it redirects to HTTPS:
http://example.com/backend/web/lib/roboto/Roboto-Light.woff2 then it
redirects to
https://example.com/backend/web/lib/roboto/Roboto-Light.woff2
If i try same thing on Firefox then it just downloads the Roboto-Light.woff2 file over HTTP instead of redirecting to HTTPS.
Example 2:
If i am trying below URL on both google Chrome and Firefox it just downloads the file.
http://example.com/backend/web/lib/roboto/Roboto-Black.ttf
So what should i do to fix this issue?
Update
Network log after accessing the below URL:
http://example.com/backend/web/lib/roboto/Roboto-Black.ttf
It seems that first file is being loaded by visiting the HTTP URL. But the https one not being updated in Address Bar of browser but not sure.
VHOST Settings
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
ServerName example.com
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} ^http$
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#RewriteCond %{HTTPS} !=on
#RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
You need to go back and ask the security scan people why they think this is the case.
You are clearly showing that HSTS is being set for the font files.
You area also showing that you are correctly showing the 307 internal redirect for HSTS reasons.
This is the way it's supposed to work. You get two requests in Chrome's network tab (other browsers may be different):
A fake 307 response which upgrades the request from HTTP to HTTPS. This is created by the browser and the HTTP request never reaches the server. Hence why I am calling it a "fake" resonse.
The real request sent over HTTPS.
As fonts are downloaded it's difficult to tell that this was downloaded over HTTPS except by looking in the network tab - but that's fine.
If i try same thing on Firefox then it just downloads the Roboto-Light.woff2 file over HTTP instead of redirecting to HTTPS.
How do you know this? Are you sure you have visited the site over HTTPS to get the HSTS header? The first request may well be over HTTP (though you have a standard redirect in place so this should redirect to HTTPS and then download), but after that it should auto redirect BEFORE the request is sent.
If i am trying below URL on both google Chrome and Firefox it just downloads the file.
It probably does. But after a redirect.
It seems that first file is being loaded by visiting the HTTP URL. But the https one not being updated in Address Bar of browser but not sure.
No, as discussed the first one is a dummy request. The second is the real request which is actually sent to the browser. As the font file is downloaded immediately it doesn't do anything with the URL bar.
Related
I have htaccess allowing access through a link to a Wordpress site (siteA.com) only through one specific URL (siteB.com) and denying all others.
This does it for me...
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http?://siteA.com/
RewriteRule ^ - [L]
RewriteRule ^ - [F]
ErrorDocument 403 /forbidden.html
BUT it doesn't load siteB.com stylesheet.
I'm looking for a htaccess rule that would allow me to access a site if only accessed through a specific link. Security here is not an issue.
TL;DR; While you can try playing around with htaccess, there is no reliable way to do what you want.
The simple answer is that request to stylesheet has your main page as the referrer. To see this, navigate to your site, open Dev Tools (F12 in Chrome), then switch to Networks tab, select your CSS and look at request headers.
For example, the page for this question has this URL:
http://stackoverflow.com/questions/40220527/htaccess-allow-only-specific-url-doesnt-load-its-css
And the request for CSS has this in its headers:
Referer: http://stackoverflow.com/questions/40220527/htaccess-allow-only-specific-url-doesnt-load-its-css
Overal, it's a very, very bad idea to filter based on the Referer or any request header for that matter, as they are very easily spoofed.
I currently have a website that allows users to create profiles and add their own custom domains, effectively masking their domains.
I've just enabled HTTPS on my main domain and now when I'm accessing their full domains (theirdomain.com) through HTTPS, it says: The identity of this website has not been verified. Server's certificate does not match the URL.
When checking to see if HTTPS is on $_SERVER['HTTPS'] it doesn't show that HTTP is on, which is correct because HTTPS isn't working--although the URL has been accessed through HTTPS.
Is it possible to just redirect all HTTPS requests to HTTP for every domain but my own (maindomain.com)
Either via PHP or HTACCESS, or through Apache?
Is it possible to just redirect all HTTPS requests to HTTP for every domain but my own
Try adding this to the .htaccess file in your web document root folder (often public_html or htdocs):
RewriteEngine On
%{HTTPS} on
%{HTTP_HOST} !^(?:www\.)?maindomain\.com
RewriteRule ^ http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L,NE]
Once you are satisfied that the redirect works, you can change the 302 to 301 to make it permanent.
This assumes that mod_rewrite is both installed and activated for htaccess files.
If you are not sure, to check if mod_rewrite is installed, look at the list of installed modules in the output of phpinfo();
By default, mod_rewrite is not enabled for htaccess files. If you are managing your own server, open httpd.conf
and make sure that the webroot directory block contains one of these lines: AllowOverride FileInfo or AllowOverride All
I have a file that I don't want users to be able to navigate to on their own accord. However, if they click a link that sends them there, it's okay for the page to work. I currently have my htaccess file set up like so.
<Files "success.php">
Order Allow,Deny
Deny from all
</Files>
success.php is the name of the file, and in the directory of the success.php, I have the following in a htaccess file:
RewriteRule /?\.htaccess$ - [F,L]
RewriteRule ^/?admin/paypal/success\.php$ - [F,L]
Will users still be able to get to success.php if they're directed there, because I know you're shown a 403 error if you just try to navigate there.
If it is the case that they will be blocked from being directed there, is there a way I can fix this?
When I type a URL to "success.php" in my browser's location bar and hit enter, my browser sends a request for success.php.
When I go to your website and click on a link that takes me to "success.php", my browser sends a request for success.php.
It's exactly the same, just because I click on a link on your site vs typing it in my browser, both are requested exactly the same. So when you deny access, you deny all access. What you need to check for the is "Referer" header, which browsers can (optionally) include in a request to let the webserver know what URL it just came from. Referers can be easily forged or sometimes omitted, so checking the referer isn't a guarantee.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://example.com/ [NC]
RewriteRule ^admin/paypal/success\.php$ - [F,L]
So if someone loads any page on the "example.com" site (e.g. your site) and then clicks on a link that goes to the success.php page, they'll be fine. Any other access from anywhere else will be 403.
Is it possible to restrict a domain to only allow visitors using a specific browser?
I'm building an app and it's only been tested in Chrome so far so I only want to allow Chrome users during Beta testing. Basically, I want to white-list browsers as I go through testing. Any suggestions on the approach I should would be greatly appreciated.
Yes you can.
The browser that is accessing the page is in the _SERVER array.
If you find that the accessing browser is not Chrome, then just send a 404 header.
You can block all other useragents with a relevant error message using .htaccess
Put this in .htaccess in root of your site:
ErrorDocument 503 "Your must use Chrome to access this site"
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^(Mozilla.*|Safari.*|Other.*)$ [NC]
RewriteRule .* - [R=503,L]
With Apache and PHP, what's the best way to know it, and to force using HTTPS?
I searched in phpinFO() for $_SERVER variables and found nothing that could help.
Edit: thanks for answers and suggestions! I can't force it on server level because it's only for login page.
$_SERVER['HTTPS'] is non-empty if HTTPS was used. But you'd be better off doing the HTTPS enforcement at the webserver level, e.g.
<virtualhost example.com:80>
redirect permanent https://example.com
</virtualhost>
<virtualhost example.com:443>
blah blah blah
</virtualhost>
In an .htaccess file, add the following:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://YOUR_URL/$1 [R,L]
</IfModule>
Also, consider adding the HSTS HTTP header. This tells browsers to not even try to visit the HTTP version, and to go directly to HTTPS. This prevents a possible man-in-the middle attack, where your redirect could be intercepted.
(Provided the user has visited the site before, or your website is added to the builtin HSTS list.)
See http://dev.chromium.org/sts for how to get added to the builtin list, and an example of what the header looks like.
The only right answer is because you configured your server to behave that way.
If you don't know, with absolute confidence, by the time a request is sent to PHP whether it has been sent via HTTP or HTTPS then your system is not secure.