htaccess opening php files as downloads - php

I have had a search around but haven't been able to find a similar problem.
When I add the following to my htaccess file (I want to restrict upload types to my server)
ForceType application/octet-stream
Header set Content-Disposition attachment
# docx?, xlsx? and pptx? also match the older .doc, .xls and .ppt extensions
<FilesMatch "(?i)\.(docx?|txt|xlsx?|csv|pdf|pptx?|zip|gif|jpe?g|png)$">
ForceType none
Header unset Content-Disposition
</FilesMatch>
Header set X-Content-Type-Options nosniff
I then refresh my page and it opens the download dialog box instead of showing the PHP page. I thought it might be the deflate mod compressing the htaccess onto 1 line but I'm not so sure now.
Could anyone point me in the right direction?
Thanks

Thanks to the comments above I have sorted the problem. It was my mistake.

Related

Using htaccess or a php file to cache only static files

I am looking for a way to implement cache control & expire headers for my images/css/js files. I looked for tutorials & only found ways to add cache control using file extensions. The code below is the one I got from http://betterexplained.com/
<FilesMatch "\.(jpg|jpeg|png|gif)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>
This sets all the images of the mentioned extensions to be cached for one week. However I don't want all the images to be cached, because there are some images that are uploaded by the users. I only want my static images, e.g. logo, icons used for buttons, to be cached. It would be great if someone could point out a way or a tutorial on how this could be achieved.
Or again, you could just move the htaccess file into the folder that will be cached and save the user images in another :D
You can change the FilesMatch filter to include a part of a path. I assume the user images are in another directory than your static images.
i.e.
<FilesMatch "^/staticdir/.+\.(jpg|jpeg|png|gif)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>
You can make your regex more restrictive by including only known images for caching:
<FilesMatch "(logo|icon|favicon|header)\.(ico|jpe?g|png|gif)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>

FilesMatch downloading files instead of loading

Rightio...I am about to add an image upload to my site. After reading some security blogs I have added the following to my htaccess file.
ForceType application/octet-stream
<FilesMatch "(?i)\.jpe?g$">
ForceType image/jpeg
</FilesMatch>
<FilesMatch "(?i)\.gif$">
ForceType image/gif
</FilesMatch>
<FilesMatch "(?i)\.png$">
ForceType image/png
</FilesMatch>
When I browse to a PHP page it downloads the file.php instead of showing the page in the browser.
Any ideas would be much appreciated.
I am working on MAMP locally.
Many thanks
Lewis
When I browse to a PHP page it downloads the file.php instead of showing the page in the browser
That's because you have this line:
ForceType application/octet-stream
by itself, without any condition. That means, everything should have the mime-type application/octet-stream, which browsers see and understand as binary content that should be downloaded. Not sure how this is a security improvement as it makes it so your entire site can be downloaded and viewed as code, as opposed to any dynamically generated content.
You have to put that .htaccess code in a directory that only has image files. If you don't have your images in their own directory, create a directory for them and put them there (and update any links to them).
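The per-directory scoping described in the answer above, written out as an added example (not code from the original posts): an `.htaccess` that lives only in a dedicated upload directory, so PHP pages elsewhere on the site are untouched. The directory name `uploads/` is an assumption, and `SetHandler default-handler` is an addition beyond the directives quoted on this page.

```apache
# File: <docroot>/uploads/.htaccess   ("uploads/" is a hypothetical directory name)
# The site-root .htaccess carries no ForceType line, so PHP pages outside
# this directory keep their normal handler and render in the browser.

# Serve everything in this directory as a static file, even if the name
# contains ".php" (addition to the page's directives; needs
# AllowOverride FileInfo).
SetHandler default-handler

# Default for this directory: opaque binary, offered as a download.
ForceType application/octet-stream
<IfModule mod_headers.c>
    Header set Content-Disposition attachment
    # Stop browsers from guessing a different type than the one sent.
    Header set X-Content-Type-Options nosniff
</IfModule>

# Allow-listed image types get an explicit type and may display inline.
# Documents (pdf, docx, ...) keep the download default set above.
<FilesMatch "(?i)\.jpe?g$">
    ForceType image/jpeg
    <IfModule mod_headers.c>
        Header unset Content-Disposition
    </IfModule>
</FilesMatch>
<FilesMatch "(?i)\.gif$">
    ForceType image/gif
    <IfModule mod_headers.c>
        Header unset Content-Disposition
    </IfModule>
</FilesMatch>
<FilesMatch "(?i)\.png$">
    ForceType image/png
    <IfModule mod_headers.c>
        Header unset Content-Disposition
    </IfModule>
</FilesMatch>
```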

HTACCESS image caching rule that checks the image modification time

I'm serving images two different ways:
Using a PHP script for profile pictures for example
By pointing to them directly, for icons and backgrounds for example
I'm in the process of handling their caching properly, and I'm totally new to this.
For the PHP script, I'm just adding a Last-Modified header to the response, and delivering a 304 status code if it's called again, if the file hasn't changed (using filemtime()).
For direct accesses, I'm using HTACCESS, but every rule I saw so far doesn't allow me to do the same as in my PHP script (checking if the file has changed, then serving a 304 or the file itself).
Here's the HTACCESS rule I'm planning to use:
Header unset Pragma
FileETag None
Header unset ETag
# cache images/pdf docs for 10 days
<FilesMatch "\.(ico|pdf|jpg|jpeg|png|gif)$">
Header set Cache-Control "max-age=864000, public, must-revalidate"
Header unset Last-Modified
</FilesMatch>
From what I understand, the only way of updating a cached image is to rename it. Does someone know a way around it? By checking the image's last modification date for instance?
You could use mod_expires, if available:
<FilesMatch "\.(ico|pdf|jpg|jpeg|png|gif)$">
ExpiresDefault "modification plus 10 days"
</FilesMatch>
What you are doing with PHP, Apache should do automatically for static files. It will set the Last-Modified header and respond with 304 if it finds If-Modified-Since in the request. This is done automatically and has nothing to do with caching. It will not prevent repeated requests to your server, it will just save you bandwidth (and loading times for the user) when the file is not modified, by returning just the 304 info instead of the whole file.
To prevent those repeated requests to your server, the browser (and proxy servers) have to do some caching. You can control the caching either via HTTP headers or, for HTML, also via META tags. When you specify that the file is cacheable for 1 week, the browser won't try to contact your server for 1 week (although most browsers are set to revalidate cache entries on first access after startup).
So you will either live with the possibility that some users will use old cached copy for some time (depends on the expiry header) or you must change your URL as Gerben suggested. Only then you can be 100% sure that everyone will get the new version (this is important for javascript as having some of the js files old and some new can make very strange errors). Nowadays almost every high performance website uses the file.ext?v=3 approach, so that they can set the expiry header to large values like 6 months.
As @Gumbo pointed out, "Apache should already do that for static files".
And that's true, Apache does that, so that kind of stuff works fine:
<FilesMatch "\.(ico|pdf|jpg|jpeg|png|gif)$">
Header set Cache-Control "max-age=864000, public, must-revalidate"
</FilesMatch>
PS: Sorry @Gumbo, but I asked you to change your answer so that I could accept it, but you wouldn't do it and I had to close that question eventually, so.
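The two policies discussed in this thread and in the static-files caching question further up, side by side as an added example (not code from the original posts): a long lifetime where URLs are versioned, and revalidation with a 304 where a file can change under the same URL. The directory names `static/` and `user-images/` are assumptions.

```apache
# File: <docroot>/static/.htaccess
# (hypothetical directory: logo, icons, versioned css/js)
# URLs change when the file changes (file.ext?v=3), so a long lifetime
# is safe: 15552000 seconds = 180 days.
<IfModule mod_headers.c>
    <FilesMatch "\.(ico|jpe?g|png|gif|css|js)$">
        Header set Cache-Control "max-age=15552000, public"
    </FilesMatch>
</IfModule>

# File: <docroot>/user-images/.htaccess
# (hypothetical directory: files replaced under the same URL)
# Leave Last-Modified and ETag in place: these validators are what lets
# Apache answer a conditional request with 304 instead of the full file.
FileETag MTime Size
<IfModule mod_headers.c>
    <FilesMatch "\.(ico|pdf|jpe?g|png|gif)$">
        # "no-cache": may be stored, but must be revalidated before reuse.
        Header set Cache-Control "no-cache"
    </FilesMatch>
</IfModule>
```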

Force browser to download

I'm using a .htaccess file to make links to JPEGs download instead of opening in the browser window.
This is what I'm using:
AddType application/octet-stream .jpg
It's working fine in Safari and Firefox on Mac OSX but not on IE 8 on Windows.
Is there any way around this apart from writing a header in PHP which I would rather not do?
I think Internet Explorer does also expect Content-Disposition: attachment for downloads. If you have mod_headers available, you can do this:
<FilesMatch "\.jpg$">
Header set Content-Disposition attachment
Header set Content-Type application/octet-stream
</FilesMatch>
I found some tutorials which use another method that should work for you:
Here
and Here
Add header("Content-disposition: attachment; filename=..."); in PHP

GZIP .htaccess and php session problem

I am trying to implement GZIP compression for my website. I copied the below code in my .htaccess file:
ExpiresActive On
ExpiresDefault A604800
Header append Cache-Control "public"
<IfModule mod_deflate.c>
<FilesMatch "\.(js|css)$">
SetOutputFilter DEFLATE
</FilesMatch>
</IfModule>
What happens is when I type the username and password, the page reloads but the login form is still displayed, although the session is set. When I refresh the page using Ctrl + R, the login form goes and the username is displayed. What could be the problem? Waiting for your reply.
I think it's the mod_expires settings, not mod_gzip, that cause such behavior.
You just told your browser not to reload your page for the week. It obeys.
I think you have to put the expires settings at least inside of the FilesMatch container. Or take any other sensible actions according to your real needs.
I guess it's just because of your browser cache; try clearing your browser cache. Or give it a try in a different browser to confirm whether it is a cache issue or not.
