I have a WordPress site running which is set to use HTTPS. Within the WordPress site I have a widget in a theme that is using the Slim framework. When running on HTTP it works well, but with HTTPS I get a 404 error. The ajax calls are initiated from the browser and request sources that are on the same domain.
Browser log says: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://xxxxxxxx.xxx' is therefore not allowed access. The response had HTTP status code 404.
Within the app only relative paths are used. Within the HTML source I see some HTTP requests for images etc., but it doesn't complain about them.
For your ajax urls make sure that they start with https:// or just //
We have a client that hosts their IIS web server on AWS. When navigating to a particular PHP web application on this server, it works when there is a slash on the end, but not when it is absent.
this works:
https://example.com.au/application/
However, if one were to enter this into the address bar:
https://example.com.au/application
it redirects to the equivalent http address with a slash on the end:
http://example.com.au/application/
http is disabled via the firewall, so the result is an error.
Here are the request details in the Chrome debugger.
So my question is: what does my client need to check to ensure this redirect does not occur, or that instead of redirecting to HTTP, it redirects to HTTPS?
Additional info:
This same issue does not seem to occur with .NET web applications. E.g. 'https://example.com.au/dotnetapp' will not redirect to 'http://example.com.au/dotnetapp/'.
There are no rules configured in "URL rewrite"
IIS logs show requests when the HTTPS url is triggered, but not the HTTP one.
Edit: This seems to be due to browser caching. After disabling browser caching, I can see the 301 entry in the log files.
'index.php' is set as a default document
One possible reason is that the PHP project doesn't know that the secure connection is active and so it's redirecting the page to the http version when adding the slash.
A PHP application can detect the secure connection via $_SERVER['SERVER_PORT'] and $_SERVER['REQUEST_SCHEME']. But if the application is behind a reverse proxy (e.g. Varnish or Amazon’s Elastic Load Balancer), the connection to the PHP application is probably not secured. PHP should be informed about the original secure connection with X-Forwarded-* headers.
Please check if PHP has these variables set:
$_SERVER['HTTP_X_FORWARDED_PROTO']: should be https,
$_SERVER['HTTP_X_FORWARDED_PORT']: should be 443.
Symfony framework
If the application is using a framework, e.g. Symfony, it should be configured to trust the IP of the reverse proxy and also to trust these headers:
# config/packages/framework.yaml
framework:
    # ...
    # the IP address (or range) of your proxy
    trusted_proxies: '192.0.0.1,10.0.0.0/8'
    # trust *all* "X-Forwarded-*" headers
    trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port']
    # or, if your proxy instead uses the "Forwarded" header
    # trusted_headers: ['forwarded']
See https://symfony.com/doc/current/deployment/proxies.html for more details and https://symfony.com/doc/current/deployment/proxies.html#but-what-if-the-ip-of-my-reverse-proxy-changes-constantly for more details if the IP address of the reverse proxy server changes.
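For an application without a framework, the same rule (believe X-Forwarded-Proto only when the request comes from a known proxy address) can be written by hand. This is an added example, not code from the answer or from Symfony; the function names and the sample requests are assumptions, and it assumes PHP 7.1+ on a 64-bit build with IPv4 proxies only.

```php
<?php
// Added example (not from the answer). Function names and sample requests are assumptions.

/** True if IPv4 $ip lies inside $cidr ("10.0.0.0/8") or equals a single address. */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $bits = filter_var($bits, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 32]]);
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($bits === false || $ipLong === false || $netLong === false) {
        return false; // malformed or non-IPv4 input is never trusted
    }
    $mask = $bits === 0 ? 0 : (-1 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** Scheme the client originally used: "https" or "http". */
function original_scheme(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach ($trustedProxies as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            // Only a trusted proxy may report what the client used.
            $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
            if ($proto === 'https' || $proto === 'http') {
                return $proto;
            }
            break;
        }
    }
    // Direct or untrusted peer: believe only the local socket.
    $https = strtolower($server['HTTPS'] ?? '');
    return ($https !== '' && $https !== 'off') ? 'https' : 'http';
}

/** Location value for the trailing-slash redirect, keeping the client's scheme. */
function slash_redirect(array $server, array $trustedProxies, string $host): string
{
    $path = parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    return original_scheme($server, $trustedProxies) . '://' . $host . rtrim($path, '/') . '/';
}

// Constructed requests: one relayed by a trusted proxy, one sent directly with a forged header.
$trusted = ['192.0.0.1', '10.0.0.0/8'];
$relayed = ['REMOTE_ADDR' => '10.1.2.3', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/application'];
$forged = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/application'];
echo slash_redirect($relayed, $trusted, 'example.com.au'), PHP_EOL;
echo slash_redirect($forged, $trusted, 'example.com.au'), PHP_EOL;
```

The host is passed in as a configured value rather than read from the request, so a client-supplied Host header cannot steer the redirect.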
Looks like you are setting the Location header in the 'index.php' file, so the browser is redirecting to the http URL.
If index.php has code like the line below, replace http with https and use the correct URL:
header("location:http://example.com.au/application/");
Updated :
Also check your folder to see if any other files are redirecting.
Please make sure the index.php is listed as the first in the default document list and none of the other files contain redirect code.
You can search for 'meta http-equiv="refresh"' http tags in all the files in the folder to see if they are redirecting.
I'm running a new site on Google App Engine with a custom domain and I want to require all traffic to come through via https.
I created a test script at http://rublonde.com/tmp:
<?php
// Test script: sends an HSTS header and prints the scheme reported by the front end.
header("Strict-Transport-Security: max-age=180; includeSubdomains");
print $_SERVER['HTTP_X_FORWARDED_PROTO'];
(The content of the site doesn't really match the domain name, I'm just temporarily using this domain as a custom domain so I can get the HTTPS header thing working.)
In Google App Engine, the HTTP_X_FORWARDED_PROTO will be either http or https. On the first load of this page, I assumed it would get the HSTS header and then on subsequent loads of the page, Chrome should automatically be requesting the page via https.
Am I misunderstanding how HSTS works? Am I doing something wrong?
Ah, I realized that HSTS headers are ignored when sent over an http connection (I think because they need to be associated with a valid certificate that comes with the https connection).
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#HSTS_mechanism_overview
A server implements an HSTS policy by supplying a header over an HTTPS connection (HSTS headers over HTTP are ignored).
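Because the policy is only recorded from an HTTPS response, a plain-HTTP request has to be redirected first and the header sent on the HTTPS response that follows. The sketch below is an added example, not the asker's script; the function name and the placeholder host are assumptions, and it assumes the platform's front end sets X-Forwarded-Proto, as the question describes for App Engine.

```php
<?php
// Added example (not the asker's script). Function name and host are assumptions.

/**
 * Decide the response from the scheme the client used.
 * Returns [statusCode, headerLines].
 */
function transport_policy(string $proto, string $canonicalHost, string $requestUri, int $maxAge): array
{
    if (strtolower($proto) !== 'https') {
        // Plain HTTP: an HSTS header would be ignored here, so redirect to HTTPS instead.
        $path = '/' . ltrim($requestUri, '/');
        return [301, ['Location: https://' . $canonicalHost . $path]];
    }
    // HTTPS: the browser records the policy from this response.
    return [200, ['Strict-Transport-Security: max-age=' . $maxAge . '; includeSubDomains']];
}

[$status, $headers] = transport_policy(
    $_SERVER['HTTP_X_FORWARDED_PROTO'] ?? 'http', // set by the platform front end (assumption)
    'example.com',                                // placeholder for the site's configured host
    $_SERVER['REQUEST_URI'] ?? '/',
    180                                           // max-age used in the question's test script
);

http_response_code($status);
foreach ($headers as $line) {
    header($line);
}
if ($status === 301) {
    exit; // nothing else to send on the insecure connection
}
print 'served over https';
```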
I ran a quiz website which is based on PHP-CodeIgniter, and recently I added an SSL certificate. I changed the base_url to start with https, and everything was OK until I started creating a quiz; for that, the JS needs to call some function, but all browsers are blocking it.
Error detail:
Mixed Content: The page at 'https://website.com/quiz/index.php/quiz/add_new' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://website.com/quiz/index.php/qbank/get_level_question/0/2'. This request has been blocked; the content must be served over HTTPS.
send # jquery.js:2
jquery.js:2
Note: I can't access the http link directly to change it to https.
I don't know much about servers/PHP. I access my website via cPanel. I can copy and paste code :)
I am trying to load a script on a WordPress HTTP site using PHP. The script itself is on another site, and is only accessible through HTTPS. I am loading the script using the line:
wp_enqueue_script('airtable_embed', 'https://static.airtable.com/js/embed/airtable_embed.js');
However, when the page loads, the https in the url is always replaced by http, and the script is not available through HTTP - only HTTPS. Since it can't find the HTTP version, it gives the following error:
http://static.airtable.com/js/embed/airtable_embed.js?ver=4.3.1
Failed to load resource: the server responded with a status of 403 (Forbidden)
The WordPress documentation says that
Remote scripts can be specified with a protocol-agnostic URL, e.g. //otherdomain.com/js/their-script.js.
So, I think the reason the protocol is being changed from HTTPS to HTTP is that WordPress forces it to use the same protocol as the current site. How can I get around this and include the HTTPS script in my HTTP site?
If you paste the Airtable embed snippet into an HTML page and then inspect the DOM, you can just grab the raw HTML for your WordPress site.
In my application I am setting the Location header to http://www.foo.com inside a route that responds to a POST request over HTTPS. I keep getting redirected to https://www.foo.com instead of the plain HTTP version. If you handle a POST over HTTPS will all redirects be forced over HTTPS as well?
This is on an Apache server running PHP 5.3.