For some reason this new host isn't setting htaccess headers, I use 1and1. previously on 000webhost it worked fine.
Is there maybe a difference in apache versions?
This is my htaccess
Header set X-Frame-Options DENY
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "script-src 'self' //ajax.googleapis.com"
The .htaccess file only works if it's behind the directory that I use for my website.
e.g.
htdocs/.htaccess
htdocs/folder1/index.php
will now correctly set HTTP headers on 1and1.
Related
I am seeing this error via Google inspect on my Wordpress website.
Access to XMLHttpRequest at (ad lines I have removed) from origin
'https://www.awakenthegreatnesswithin.com' has been blocked by CORS
policy: No 'Access-Control-Allow-Origin' header is present on the
requested resource.
I saw this last week. I added this to the .htaccess file in the root of the domain:
<IfModule mod_headers.c>
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
Header set Cross-Origin-Embedder-Policy "unsafe-none"
Header set Cross-Origin-Opener-Policy "unsafe-none"
Header set Cross-Origin-Resource-Policy "cross-origin"
Header set X-Download-Options "noopen"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
</IfModule>
I also added this to .htaccess in the public_html
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin: *
</IfModule>
Last week the Ads on my site were not showing great but now I would say 90% usually show, sometimes 100% but I still see the error via Google inspect even though the Ads are showing
Can someone help me to understand what caused this? As I have never had any problems like this before, and what can I do to get rid of this error message?
Is this something I need to fix on my end? Or my Ad Network need to adjust something on their end?
Thank you
Updated PHP to (8+) was the only major change
How can I add the following security headers to my website?
X-Frame-Options - Protects against Clickjacking attacks
X-XSS-Protection - Mitigates Cross-Site Scripting (XSS) attacks
X-Content-Type-Options - Prevents possible phishing or XSS attacks
Two ways you can add these headers:
Apache Conf or .htaccess File
<IfModule mod_headers.c>
Header set X-Frame-Options "DENY"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
</IfModule>
The Apache/htaccess approach is most likely the preferred way. If you add it to your configuration file, which may be in your httpd.conf or it could be in a vhost configuration file (really depends on how the server is setup), you would place it within a <Directory> element. To use .htaccess the configuration for the site must have AllowOverride All. While it's pretty standard, you must have the mod_headers library installed in Apache as well.
PHP
header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
With the PHP approach, you will need to write this to every response, so if you do not have a bootstrap that can do this, I'd recommend leveraging either your apache configuration file or the .htaccess file.
I make my website from scratch with PHP. In order to optimize performance, loading time and security I use a lot of online tools : google page speed insight, gtmetrix, dareboost.com, webpagetest etc...
Dareboost.com advises me to set headers in my .htaccess file like :
Content-Security-Policy
X-FRAME-OPTIONS
X-XSS-Protection
X-Content-Type-Options
I did :
Header set Content-Security-Policy "default-src 'self'; script-src 'self' www.googletagmanager.com ;"
Header always set X-FRAME-OPTIONS "DENY"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
It seems to be a little bit inefficient : when I look into my waterfall timeline I see that all my assets (CSS, JS, fonts, IMG) use those directives but not my first GET request (on www.mydomain.com).
Why ? Due to that, Dareboost doesn't understand that I set properly my headers.
I have a PHP application where I conditionally set the Access-Control-Allow-Origin header. I see the change reflected on my local setup and on the dev environment, but on the live site, the header is set as something else. The other headers that I set along with it keep their values, so it leads me to believe that the Access-Control-Allow-Origin header is being overwritten somewhere else.
I've checked the .htaccess files in my project and the apache virtual host configuration file for possible places the header could be overwritten. It was being set in the virtual host config file, but I commented it out and restarted apache, but the header is still being overwritten.
Is there any other place that I can check to see if the header is being overwritten?
Thanks in advance for your help!
Here is the requested PHP code snippet:
$origin=$front->getRequest()->getHeader('Origin');
if($origin && (preg_match('/http[s]{0,1}:\/\/' . $front->getRequest()->getHttpHost() . '$/', $origin))){
$front->getResponse()->setHeader('Access-Control-Allow-Origin', $origin);
$front->getResponse()->setHeader('Access-Control-Allow-Credentials', 'true');
}else{
//leave current value if there is no match
$front->getResponse()->setHeader('Access-Control-Allow-Origin', '*');
}
I'm pretty sure the header is being overwritten by something else because I can see the Access-Control-Allow-Credentials:true come through as expected, but Access-Control-Allow-Origin has a value of *.
I did some more digging and found this link to do the same in the .htaccess. I ended up adding the following:
SetEnvIf Origin "^http(s)?://(.+\.)?(www.example.com)$" origin_is=$0
Header set Access-Control-Allow-Origin %{origin_is}e env=origin_is
Header set Access-Control-Allow-Credentials true env=origin_is
You can set header from htaccess:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
Or from PHP:
header("access-control-allow-origin: *");
You can use:
<IfModule mod_headers.c>
<FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css|css)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
to apply htaccess header for specified files.
I'm using a security scanning tool to check for vulnerabilities of my web application.
One of the results was a low warning about X-Content-Type-Options header being missing.
After some digging around, I found this post on setting apache to emit nosniff headers and I put this code in to httpd.conf file;
<IfModule mod_headers.c>
Header unset ETag
Header set X-Frame-Options: deny
Header set X-XSS-Protection: "1; mode=block"
Header set X-Content-Type-Options: nosniff
Header set X-WebKit-CSP: "default-src 'self'"
Header set X-Permitted-Cross-Domain-Policies: "master-only"
</IfModule>
And it worked! But then, my security scanning tool discovered that the 404 Not Found page on my web server was still giving me this warning. I'm guessing that the 404 error page is set to ignore the above rule somehow..
Can someone explain to me how to change this code or suggest an alternative so that error pages are included?
Could someone also maybe explain what the code above is doing? I don't actually know what IfModule or mod_headers.c actually means. Maybe that's why I'm having trouble in the first place.