Can anyone please teach me how to add security policies in error reply header?
I got this weirdo question is because my Tomcat 9 do reply security policy on normal access(Code 200 I mean), but not on my error reply (404 as example in this case).
So the contracted website inspector listed it as Low Risk and I have been asked to solve this(OH WT...).
I mean, that is a 404?? I don't even know why it needs secuirty policies on header. Can anyone help me or teach me how to talk them out?
Related
I'm creating an app. I have a method that pings my API to see if it's online.
This is done with a HEAD call.
However, HEAD seems to be blocked, I get a 405 response.
I've followed suggestions here: ASP.NET Web API - PUT & DELETE Verbs Not Allowed - IIS 8
but Verbs is set to ALL.
We've also checked
SSL certificate
CORS
Cookies
Access tokens
Strict-Transport-Security
and none of those are the cause.
What else can I do? The API is a Web API 2.0 application, we're using IIS 10
Update 20-11-2021
Issue is still not resolved. We've resorted to GET requests.
I hope someday someone will stand up who can give us clear instructions for IIS 10, including not only the troubleshooting steps to take but also what to look for in the output.
I ran a test and found no vulnerabilities on my site except this warning:
https://www.bragdeal.com/contact/
Unable to scan the page. 409 Conflict
How can I fix it? I've researched online but all I found is the Wordpress CF7 is the cause but no solution.
This kind of error code is common when user sends a PUT request but the server is not able to (or should not) process. This might be the reason in your case as contact page should not allow an user to add file/resource to it, and hence responding with 409 Conflict code.
I am using IIS8 with MVC.NET website built on .net framework 4.5, Here as a part of security fix I am told to have the generic error message for all 403 status codes, This I was able to achieve using httpErrors tags from web.config file using "" entry. But there are some error which are thrown by http.sys which are still showing the system level errors instead of generic error. For example doing a GET request to url "http://abc.xyz.com/login/../../../../../../../admin.txt" is returning "HTTP Error 403. The request URL is forbidden." error while it should return the generic error message which is mentioned in my httpErrors tag.
To my surprise if I stop the website (Not IIS) still I am getting the same error which did confirm that the error is handleded at the low level APIs of IIS and not getting passed down to application layer hence any changes in web.config are not helping to fix this issue.
Could someone please shade some light on how to fix this issue ?
Thanks
Ajay Sawant
I have face a big problem, suddenly my server response "406 Not acceptable" error.
POST not working on my server.
I tried to resolve with more scripts to fix this.
I used .HTACCESS script
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
But problem not solve. I can't understand other things, and I tried to contact godaddy, but there are not option to contact them, live chat is very poor, always telling that they have huge traffic.
please can you give some proper solution for this?
The main cause of error 406 error is mod_security rules on the server. Mod_security is a security module in the Apache web server that is enabled by default on all hosting accounts.
If any website, page, or any function violates one of these rules, server may send the 406 Not Acceptable error. Mostly this error triggers when you have any insecurity in your code. You could either resolve the insecurity within your code, or turn mod_security off.Turning mod_security off could open that potentially insecure page up to malicious attacks on your site. So it is better the investigate it and fix your code.
If you have WHM access check your mod security log file. It will show you exact cause what is causing this error. You may find audit logs at
/usr/local/apache/logs/audit_log
and mode security config files at
/usr/local/apache/conf/modsec.conf
/usr/local/apache/conf/modsec.user.conf
We've just set up a new dedicated server at hostgator, running Windows 2008 Server, IIS7 and ColdFusion 8 ENT.
On browsing the homepage, sometimes the site works, sometimes, part of the site runs and I can see a 403 error in Firebug. At other times, I only get an IIS error page saying:
"403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied."
The site is http://www.asia-buy.com. It might run first time, but if you refresh it a few times, you'll probably encounter the problem.
There is a lot of ajax and JSON stuff going on under the hood and I'm wondering if that has any bearing on the problem.
Would appreciate advice from anyone who may have solved a similar issue in the past.
Resolved: Hostgator says this is actually a security setting in IIS to attempt to prevent DDOS attacks on the website. A a developer, I use CTRL-F5 a lot. A normal user would not.
Full error:
HTTP Error 403.502 - Forbidden
The IP address from which you are browsing is not permitted to access the requested Web site because it has made too many requests over short period of time.
Open IIS Manager.
Go to your website.
Go to Features/IP Address and Domain Restrictions/Dynamic IP Restriction Settings
Uncheck the boxes, or change the values, as needed