X-Frame-Options: .htaccess vs httpd.conf - .htaccess

In httpd.conf (Unix / Mac OS Sierra) I've got "Header set X-Frame-Options SAMEORIGIN".
I'd like to override that for a specific directory to
X-Frame-Options ALLOW-FROM SpecificDomain.com
The goal is to allow iframe access to that directory but no others.
I tried adding the ALLOW-FROM line to an .htaccess file in the target directory, but no luck. The iframe is denied, with the browser console saying "X-Frame-Options" is set to "SAMEORIGIN".

There are compatibility issues with some browsers with the Allow-From parameter for X-Frame-Options response header, chances are you are dealing with a browser which does not support it.
Ideally try this command to see the headers output and make sure the setting you made is being used:
curl -I http://yourserver.example.com/exceptionpath/
If it is, instead of setting that other header you may also want to unset that header in that directory to avoid compatibility issues with that parameter:
Header unset X-Frame-Options
or if the above is not being applied:
Header always unset X-Frame-Options
Sidenote: If you are the admin of the site you don't need to use .htaccess if you have access to the main configuration files; set it in the appropriate Directory entry instead. Disable .htaccess files altogether with AllowOverride none. Configurations will be simpler and you will gain a bit of performance by not forcing httpd to constantly read that file several times with each hit.
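An added example, not part of the original answer: a small POSIX sh audit of what the headers returned by `curl -I` on the exception directory actually allow, so you can tell the unapplied-override case in the question from a directory that is now unprotected. Both header dumps and the `specificdomain.example` host are constructed for the demo; the note that CSP `frame-ancestors` is the supported replacement for the deprecated ALLOW-FROM is general browser behaviour, not something the thread states.

```shell
# Added example, not from the original question or answers: audit what the
# headers from `curl -I` on the exception directory allow. Both dumps are constructed.

# The symptom from the question: the global directive is still in force.
GLOBAL_RESPONSE='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'

# The exception directory after "Header always unset X-Frame-Options", with
# the supported replacement for ALLOW-FROM (CSP frame-ancestors) set instead.
EXCEPTION_RESPONSE='HTTP/1.1 200 OK
Server: Apache
Content-Security-Policy: frame-ancestors https://specificdomain.example
Content-Type: text/html'

# header_value DUMP NAME: print the value of header NAME (name matched
# case-insensitively, value trimmed of blanks and CR); nothing if absent.
header_value() {
  printf '%s\n' "$1" | awk -v name="$2" '
    {
      i = index($0, ":"); if (i == 0) next
      h = substr($0, 1, i - 1); v = substr($0, i + 1)
      sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
      if (tolower(h) == tolower(name)) print v
    }'
}

# framing_policy DUMP: classify who may frame the page.
#   sameorigin | deny    X-Frame-Options restricts framing
#   allow-from           deprecated value; current browsers ignore it, so the
#                        page is framed as if no header were present
#   csp-frame-ancestors  no X-Frame-Options, but CSP frame-ancestors applies
#   unrestricted         neither header: any site may frame the page
framing_policy() {
  xfo=$(header_value "$1" X-Frame-Options | tr '[:upper:]' '[:lower:]')
  csp=$(header_value "$1" Content-Security-Policy)
  case "$xfo" in
    sameorigin|deny) echo "$xfo" ;;
    allow-from*)     echo "allow-from" ;;
    "") case "$csp" in
          *frame-ancestors*) echo "csp-frame-ancestors" ;;
          *)                 echo "unrestricted" ;;
        esac ;;
    *) echo "invalid" ;;
  esac
}

framing_policy "$GLOBAL_RESPONSE"      # sameorigin: the override was not applied
framing_policy "$EXCEPTION_RESPONSE"   # csp-frame-ancestors
```

Feed it a real dump with `framing_policy "$(curl -sI https://yourserver.example.com/exceptionpath/)"`; an `unrestricted` result after the unset means any site can frame that directory, which is what ALLOW-FROM was meant to prevent.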

Related

allow wget & php deny from rest

SetEnvIf User-Agent .*Wget* wget
Order deny,allow
Deny from all
Allow from env=wget
ErrorDocument 403 /403.shtml
So I am currently using the above lines of text inside my .htaccess file, and it works perfectly. The problem is I need to allow access to a mailer.php file that is also listed in that directory.
Is there a way I can allow access to just this file and still use the above code to block out the rest?
And if it matters, the PHP file writes to a file inside that directory... it is called rc3.key (not sure if that is important, but I think it could be).
Just add the following:
<Files "mailer.php">
Allow from all
</Files>
This will allow everyone to access mailer.php but will throw a 403 error for every other file.

Cross-Origin Resource Sharing policy Font

I am using W3 Total Cache with Amazon cloudfront. I have in my htaccess file:
# BEGIN W3TC CDN
<FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css)$">
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
</FilesMatch>
# END W3TC CDN
But still getting error:
Font from origin 'https://example.cloudfront.net' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.example.com' is therefore not allowed access.
Why is this happening?
Found the solution in this link: https://www.naschenweng.info/2014/09/23/wordpress-w3-total-cache-cloudfront-font-cors-issue/.
You need to change the CloudFront distribution's behaviors settings:
Change “Forward Headers” from “None” to “Whitelist”
Add “Origin” to the “Whitelist Headers”
Make sure that “Use Origin Cache Headers” is checked
Then invalidate the cached fonts.
Wrestling with this for days, and think I finally fixed it. Here are some things to check:
The webserver config should add the proper header. Apache syntax is listed in the question. Here's Nginx syntax that I used:
location ~* \.(eot|ttf|woff|woff2)$ {
add_header Access-Control-Allow-Origin '*';
}
Within W3TC > Performance > CDN > Custom File List, I added the following to upload the actual font files:
{plugins_dir}/*.ttf
{plugins_dir}/*.woff
While you're there, set the Theme file types to upload to the following. Per #Yao's link, the default separators are inconsistent (should all be semicolons, not commas)
*.css;*.js;*.gif;*.png;*.jpg;*.ico;*.ttf;*.otf;*.woff;*.less
In S3 > Permissions > CORS Configuration, change the default
<AllowedHeader>Authorization</AllowedHeader>
to:
<AllowedHeader>*</AllowedHeader>
You should start seeing the necessary Access-Control-Allow-Origin header in the response.
In CloudFront > Distribution > Behaviors, make the following changes:
Change Allowed HTTP Methods to GET, HEAD, OPTIONS (you need OPTIONS)
Change Forward Headers to Whitelist
Under Whitelist Headers, Add >> Origin
To test:
curl -I -s -X GET -H "Origin: www.example.com" https://abcdefg543210.cloudfront.net/wp-content/path/to/foo.ttf
This should give you back the following header:
Access-Control-Allow-Origin: *
X-Cache: Miss from cloudfront
I found this blog post to be pretty helpful:
http://blog.celingest.com/en/2014/10/02/tutorial-using-cors-with-cloudfront-and-s3/
Basically it's because the font isn't set to be shared outside of the domain that you are on, so you can just use it as a resource for, in this case, https://example.cloudfront.net.
This can be changed in the web server settings though.
The problem may not always be with the origin settings on Nginx or Apache at your web server end.
You will also need to enable CORS on your S3 AWS account for this to work correctly.

Enable opcache from .htaccess, not from the .ini file

I set opcache.enable=0 in opcache.ini.
Now I want to enable opcache from my .htaccess file using
php_flag opcache.enable On
but it is not working.
Is there any way I can disable opcache in opcache.ini and enable it in my application's .htaccess file?
Thanks
The simple reply here is that you can't enable it. OPcache is a zend_extension and as such can only be enabled at a system level. However, there is a simple wrinkle here: opcache.enable is a PHP_INI_ALL directive and can be set to 0 anywhere, either at a directory or program context. So having opcache.enable=1 in the system configuration and then setting
php_flag opcache.enable Off
should work, and this will disable caching for the scope of that request.
Also read up on the directive opcache.blacklist_filename (which is a bit of a misnomer, BTW). This allows you to define files and file hierarchies that are not to be cached (but once blacklisted you can't then create exceptions or unblacklist files at runtime).
Also, since the enable is a PHP_INI_ALL directive, there is nothing stopping you adding a bit of code logic to disable caching for the scope of that request in an auto_prepend_file included script instead of using an .htaccess php_flag directive, but note that once disabled, you then can't re-enable it, so you can only use the blacklist to control caching at a file level.

how to delete header cache in htaccess?

In my .htaccess file there is this:
<FilesMatch "\.(js|css|pdf|txt)$">
Header set Cache-Control "max-age=7257608"
</FilesMatch>
Now, if I wanted to alter a CSS file, the CSS will change if I refreshed the page. Other users still get the old CSS file because of the cache. What can I do on my side to let the users' browsers recognize there is a change in the CSS file?
Generally, rather than setting a cache age in the .htaccess, make sure you're configured to use If-Modified-Since, which is documented in the Apache Caching Guide, using the mod_cache extension:
Generally, it's as simple as this, with exceptions written for secured resources:
LoadModule mem_cache_module modules/mod_mem_cache.so
<IfModule mod_mem_cache.c>
CacheEnable mem /
MCacheSize 4096
MCacheMaxObjectCount 100
MCacheMinObjectSize 1
MCacheMaxObjectSize 2048
</IfModule>

How can I tell whether Apache is using my .htaccess as intended?

I want to prevent Google from indexing PDFs on my website.
I have modified my .htaccess file to include the following lines, as suggested by Google's webmaster tools:
<Files ~ "\.pdf$">
Header set X-Robots-Tag "noindex, nofollow"
</Files>
I know that Apache is running properly and reading my .htaccess file, because I can block access to the file entirely, but I cannot tell whether the above command is working.
The Google webmaster tools claim that the crawlers can still see the PDFs, but they seem to be intended for use only with robots.txt. Is there a third-party tool (for Linux) that I can use to check the meta tags with?
You could use wget on some of the PDFs and look at the headers:
wget -S http://host/something.pdf