Our webhoster moved the site to a newer server and now i have the problem that i have ETags everywhere.
I tried FileETag None in the htaccess but that does not work.
They told me on the phone that the ETags are not coming from Apache and that
it is from the new php and that i have to disable them there.
Put i can't find something about php 5 is sending ETags per standard and can't find a setting to disable it in php.ini.
Does somebody know where to disable ETags in php?
Try the following in your .htaccess:
Header unset ETag
FileETag None
This explains how to disable ETags via .htaccess for your Apache-powered website:
# Disable ETags
<IfModule mod_headers.c>
Header unset ETag
</IfModule>
FileETag None
Reference: Disable ETags
Related
is there any way to overwrite the header referrer policy using htaccess or PHP?
HTML Code :
<meta name="referrer" content="origin">
Is any way to do same with htaccess or PHP? i tried these code from How to set Firefox referrer to "no-referrer" using PHP Referrer-Policy?
I tried (PHP) :
header("Referrer-Policy: origin");
With Htaccess :
<IfModule mod_headers.c>
Header set Referrer-Policy "origin"
</IfModule>
Still it not overriding strict-origin-when-cross-origin.
Firefox info : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
I tried in private browser and it worked !!
<IfModule mod_headers.c>
Header set Referrer-Policy "origin"
</IfModule>
I have a PHP application where I conditionally set the Access-Control-Allow-Origin header. I see the change reflected on my local setup and on the dev environment, but on the live site, the header is set as something else. The other headers that I set along with it keep their values, so it leads me to believe that the Access-Control-Allow-Origin header is being overwritten somewhere else.
I've checked the .htaccess files in my project and the apache virtual host configuration file for possible places the header could be overwritten. It was being set in the virtual host config file, but I commented it out and restarted apache, but the header is still being overwritten.
Is there any other place that I can check to see if the header is being overwritten?
Thanks in advance for your help!
Here is the requested PHP code snippet:
$origin=$front->getRequest()->getHeader('Origin');
if($origin && (preg_match('/http[s]{0,1}:\/\/' . $front->getRequest()->getHttpHost() . '$/', $origin))){
$front->getResponse()->setHeader('Access-Control-Allow-Origin', $origin);
$front->getResponse()->setHeader('Access-Control-Allow-Credentials', 'true');
}else{
//leave current value if there is no match
$front->getResponse()->setHeader('Access-Control-Allow-Origin', '*');
}
I'm pretty sure the header is being overwritten by something else because I can see the Access-Control-Allow-Credentials:true come through as expected, but Access-Control-Allow-Origin has a value of *.
I did some more digging and found this link to do the same in the .htaccess. I ended up adding the following:
SetEnvIf Origin "^http(s)?://(.+\.)?(www.example.com)$" origin_is=$0
Header set Access-Control-Allow-Origin %{origin_is}e env=origin_is
Header set Access-Control-Allow-Credentials true env=origin_is
You can set header from htaccess:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
Or from PHP:
header("access-control-allow-origin: *");
You can use:
<IfModule mod_headers.c>
<FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css|css)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
to apply htaccess header for specified files.
REF: https://en.wikipedia.org/wiki/Content_delivery_network
A content delivery network or content distribution network is a system of computers where our website is stored so it’s data (images/videos) can be served from multiple locations.
However I dont want to use any online paid/unpaid CDN services but would like to setup CDN on my own high speed server. I did google a lot but dont see any such CDN script which i can install on my server.
I am looking for such script which can support High level cache-control.
Can you please share if you know any good CDN script developed in PHP?
This isn't done in PHP, this done in Apache.
What I've done on my own home server (that's probably what you want) is set up a cookieless sub-domain for serving content, and enable caching and GZip. The following Apache configurations are all located in a .htaccess file in the website directory.
# GZIP compression
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(eot|ico|gif|jpe?g|php|png|ttf|svg|woff)$ no-gzip dont-vary
# Fonts on a cookieless subdomain
<FilesMatch "\.(eot|ttf|svg|woff)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
# Cookieless Static Content
<FilesMatch "\.(css|eot|ico|gif|jpe?g|js|png|ttf|svg|woff)$">
Header unset Cookie
Header unset Set-Cookie
</FilesMatch>
# Caching
ExpiresActive On
ExpiresDefault A0
<FilesMatch "\.(eot|ico|gif|jpe?g|png|ttf|svg|woff)$">
# 2 year caching for images and stuff
ExpiresDefault A31536000
Header append Cache-Control "public"
</FilesMatch>
<FilesMatch "\.(css|js)$">
# 1 week caching for styles and scripts
ExpiresDefault A604800
Header append Cache-Control "public"
</FilesMatch>
#Other Header Manipulation
FileETag MTime Size
Header unset X-Powered-By
AddDefaultCharset UTF-8
DefaultLanguage en-US
So long as you don't mind caching and GZip on your primary domain (which you shouldn't), just link to your cookieless content using your designated cookielesss sub-domain, and Apache takes care of the rest.
Update
I added a few things I've learned about since posting this answer, such as:
Allowing any domain to link to fonts so that they may be served without cookies.
Setting the ETAG header since it should be set.
A few other header fields that aren't bad to include/get rid of.
However, there's one last security concern to keep in mind if you're using HTTPS, and that is BREACH. To protect against this decryption technique, you can remove gzip compression from any page that displays dynamic content (GZIPping static content like static HTML, CSS, or JS is still ok). To avoid compressing a certain file type (like PHP), add it to the SetEnvIfNoCase directive near the start of this config.
Alternatively, you can keep compression enabled and use the GCM cipher method since the BREACH family of attacks only work on the CBC cipher method. As much as I hate to be "that guy", the manual is really the best reference for this if you want to get into configuring such things. It's a fairly complicated topic and the manual does a good job of explaining the basics.
see I am trying to do some changes in my php, smarty web site. But changes are not reflecting .
this is the .htaccess code . Is there any errror?
# Begin cache control #
ExpiresActive on
<FilesMatch ".*">
Header unset Cache-Control
Header unset Expires
Header unset Last-Modified
FileETag None
Header unset Pragma
</FilesMatch>
# End cache control #
isn't it .htaccess instead of .hntaccess? Sorry but I stall can't make comments!
I am trying to implement GZIP compression for my website. I copied the below code in my .htaccess file:
ExpiresActive On
ExpiresDefault A604800
Header append Cache-Control "public"
<IfModule mod_deflate.c>
<FilesMatch "\.(js|css)$">
SetOutputFilter DEFLATE
</FilesMatch>
</IfModule>
what happens is when I type username and password the page reloads but still the login form is displayed but session is set. When I refresh the page using ctrl + R the login form goes and the username is displayed. what will be the problem. wwaiting for ur reply.
I think it's mod_expires settings, not mod_gzip cause such behavior.
You just told your browser not to reload your page for the the week. It obeys.
I think you have to put expires settings at least inside of FilesMatch container. Or take any other sensible actions according to your real needs.
I guess, its just because of your browser cache, try clearing your browser cache. Or give it a try on different browser to confirm it is a cache issue or not.