I have turned Content Security Policy on in my App.php config file which works fine across all pages of my site. Except I am running a security scanner which detects that on 404 pages it isn't running.
Is there a setting in Codeigniter 4 I need to turn on so that CSP is enabled on 404 pages?
It turns out if you define your own 404 handler then this problem is automatically resolved.
The solution is to therefore adjust the following in your Config\Routes.php
$routes->set404Override('\App\Controllers\Site::error404');
Then in your controller create a 404 handling function (I called mine error404). However what is strange is you must echo your view and not return it. Not quite sure why but that fixed my problem.
Related
I know CF 10 has a number of issues surrounding 404 handling. This seems to be different from the other reports. Details:
Win2k8 R2/64 and IIS7.5
Upgrading from identical config on separate server. Only difference is CF9 -> CF 10. All works fine on CF9. Adobe CF9 Lockdown implemented on original server, CF10 Lockdown implemented on this server.
missing template handler set in CF Admin as /404.cfm, which should translate to the Cfusion root (c:\ColdFusion10\cfusion\wwwroot).
IIS has been config'd to trace failed 404 requests
IIS 404 handling is default (originally executed a CF URL but removed to simplify debug).
Coldfusion webroot where missing template handler resides is default install location
IIS site root is entirely different: c:\Other\Place\SiteRoot\
A sitewide error handler is also set in CF Admin in the same ColdFusion webroot and works as expected.
404.cfm is very simple:
<cfheader
statuscode="404"
statustext="Not Found">
<h1>404</h1><p>Page not found</p>
<cfoutput>#now()#</cfoutput>
Inputting the bad url [domain]/foo.cfm should display the above template. Instead I get an IIS error screen. The CF missing template handler is ignored. The IIS failed request trace says the url is
http://[mydomain]:80/jakarta/isapi_redirect.dll
and a detail view shows at Step 1
RequestURL="http://[mydomain]:80/foo.cfm
I've seen plenty of issues surrounding CF10 and 404's, but never that the missing template handler assignment is completely ignored. In CF9 this will generate output as expected. Anyone seen anything like this?
EDIT:
I have also tried config'ing this to match a different CF9 server I have running: Added a CF mapping to the web root of the site. Then placed the missing template handler in the web site's root rather than the CF default web root, lastly in cfadmin pointed to the missing template handler in the web site's root using the mapped folder. Same problem. Works fine in CF9 and not at all using CF10.
EDIT2:
As Miguel F pointed out in the comments, you can shut off HTML error codes in CF Admin and this will let the Missing Template Handler fire... BUT you get a 200 header to go with it. Apparently cfheader statements are ignored as I have tried placing the cfheader at the beginning and end of the template... still yields a 200. Visually fine but insofar as SEO is concerned thats a disaster. Just looked and my CF9 servers do not require this setting to be unchecked for their handlers to work.
EDIT3
Dana Kowalski's solution displays detailed IIS errors to the public, so for a 404 on, say, a made-up extension (foo.xyz), the screen will show file paths. Default behavior is to NOT display detailed errors except when running templates locally, and display custom error pages to visitors. The CF error template should work fine with that setting.
POSSIBLE SOLUTION
I stepped back to ColdFusion 9 as part of debugging this problem, and may have discovered the solution while debugging a separate related issue.
In the IIS Manager, click on the site in question. Select the Error Pages option. Select the 'Edit Feature Settings' link on the right side. Check that the 'Detailed Errors' option is selected.
If you have either of the other two selected, there are times IIS 7.x will take over and not let ColdFusion handle it.
My site was working fine for the last couple of months and suddenly stopped working. and the issue was backend was working fine but the front end does not load at all.
then I contacted server providers they saying they have not done any changes to the server and asking me to contact Joomla support to see any in-depth errors. they even said they cant find any issues from the logs.
Then what I did was I reinstall VirtueMart (mind you this is an e-commerce site). then it started to work again from the front end. but I realize follow on pages aren't working. so what I did was I remove url re-writing and change the .htaccess code to txt.
so the issue I am having now is I can see index.php file in the URL. but whenever I try to change use url rewriting and enable .htaccess I get this error
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster#domain.au and inform them of the time the error occurred, and anything you might have done that may have caused the error.
Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
anyone have any ideas?
Suddenly stopped working, without any change from your end ?
Try to step backward and recall anything you did before the issues.
The virtuemart re-installation should not have any relation with the SEF settings and the htaccess.
All these seem to be a combination of different issues.
Have you made any changes on the htaccess file ?
Go in Joomla Global configuration and disable SEF settings. Set URL rewriting to No. Then try to load pages in the front-end.
If you need SEF URLs, follow these instructions about how to enable this feature in Joomla:
http://docs.joomla.org/Enabling_Search_Engine_Friendly_(SEF)_URLs
I have an umbraco 4 site that I have put a google sitemap onto. This all works fine locally but on the live server I am getting an IIS 404 error (not the umbraco 404 error) - see this link.
However if I preview the node it works fine
I have googled why I would get a 404 and so far I have come up with the following causes which I have checked and can rule out as the cause:
the template is not assigned
there are multiple nodes with the same url
Would anyone know what is causing this problem or how I could fix it?
Update
I have deleted the preview node now as I recreated the node in a different place and it worked. Would still like any thoughts on why I would get a 404 though, just in case a similar thing happens in future
Unfortunately both your links are going to the IIS error page as well as all the other errors on the site so we cant tell what you sitemap should be, see this link for tips on how to set up the 404 page http://www.simonantony.net/knowledge-base/articles/how-to-setup-a-404-error-page-on-your-umbraco-site/ .
Make sure that's working across the whole site then with you Google site map is it an XML sitemap or HTML sitemap and how have you implemented it did you use a package or made it you self.
I'm trying to return a custom 404 page using IIS6. (I have a site that is mostly .shtml pages built using movable type). I have tried it 2 ways:
1) set the 404 error handler in IIS to be type "file" with the path \404.html. This works, but it also means that I can't import the header and footer of my site (hence the .shtml) Trying to point the 404 error handler to 404.shtml results in the default 404 page...i guess IIS can't process shtml files in the 404.
2) set the type to "URL". This works great, except that the response code is no longer 404! Its a 200.
How can I get IIS to respond with a 404 response code with the content of my 404.shtml file?
Given that it's IIS, adding
<% Response.Status = "404 Not Found" %>
to the top of 404.shtml should change the response code to 404.
I am not on a windows machine so I am unable to test it at the moment to verify.
Update:
I was finally able to run a few tests on a IIS 6. As you mentioned in a comment to my post, an .shtml file does not allow script commands to run. So there are at least two ways to work around this:
Instead of naming your custom 404 handling page 404.shtml, name it 404.asp. The user should never see the actual name of the page so it shouldn't cause any issues. Note that "Active Server Pages" must be set to 'Allowed' in the Web Service Extensions folder of IIS.
Modify the page extension mapping for .shtml to use asp.dll instead of ssinc.dll. You can do this from IIS by selecting the website and viewing Properties -> Home Directory tab -> Configuration -> Mappings tab. Note that this is far from an ideal solution because now all your .shtml files will be processed by asp.dll. This could cause your pages to render more slowly (assuming asp.dll processes files more slowly than ssinc.dll due to greater complexity) and violates the principle of least privilege.
If neither of the options fit your situation, then it may still be possible but the solution isn't immediately obvious to me.
In IIS Manager, open the Properties of your Web site (or virtual dir) and go to the Custom Errors tab. There you can set which file is sent in case of each error code, including 404.
Is there any means to track where within code a 404 error is handled?
We have a site that we have taken over that doesn't seem to be reacting as expected.
We have changed the IIS custom errors page to point to the new page we would like but something seems to still be redirecting it to the old 404.htm file in the root of this site. We have not been able to track down where or why this happens.
Any suggestions on how we might find the referring logic?