get error when set X-FRAME-OPTIONS in Apache HTTP Server 2.2 - cross-domain

I got the issue below when trying to add the following lines to the end of my httpd.conf file:
#iframe config
Header always append X-Frame-Options ALLOW-FROM http://xxxx
Syntax error on line 489 of C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/httpd.conf: Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration

Add or uncomment the following LoadModule line:
LoadModule headers_module modules/mod_headers.so
Then change the line to the following:
#Header set X-Frame-Options "ALLOW-FROM http://xxxxxx"
#Header set X-Frame-Options "DENY"
Header set X-Frame-Options "SAMEORIGIN"

As the httpd.conf file accepts parameters in name/value pair format, the value must be surrounded with double quotes.
Like this:
Header set x-frame-options "DENY"

Related

Make 1 exception on X-Frame-Options SAMEORIGIN

I use
Header set X-Frame-Options SAMEORIGIN
in .htaccess
But I would like to have one HTML page that isn't blocked when shown in an iframe on other websites.
How can I make one exception?
The Header directive provides an additional argument that allows you to set the header conditionally based on whether an environment variable is set or not.
You could then set an env var when this one URL is requested. And only allow the header to be set when the env var is not set.
For example:
SetEnvIf Request_URI "^/one-page-not-blocked\.html$" DO_NOT_BLOCK
Header set X-Frame-Options SAMEORIGIN env=!DO_NOT_BLOCK
The above SetEnvIf directive sets the env var DO_NOT_BLOCK to the value 1 when the regex matches the requested URL.
The env=!DO_NOT_BLOCK argument is successful when the env var is not set (denoted by the ! prefix).
This method allows you to add additional URLs to not block by simply adding more SetEnvIf directives.

How can I prevent Clickjacking attack on my Prestashop website?

I added the
<meta http-equiv="X-Frame-Options" content="deny">
in the header.tpl file, but it is not working and throws an error:
X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.
And I also added the
Header always append X-Frame-Options SAMEORIGIN
line in the .htaccess file. But this is also not working.
Then how can I prevent Clickjacking on my Website?
For reference: Clickjacking Defense Cheat Sheet | OWASP and X-Frame-Options - HTTP
I suggest you edit the .htaccess in your PrestaShop root installation folder and, just before the lines identified by "# ~~start~~ Do not remove...", add the following block:
# Extra Security Headers
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' 'self' *.googleapis.com *.gstatic.com;"
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</IfModule>
This will provide protection against:
clickjacking, content sniffing and XSS attacks

htaccess header for specific domain?

I have three environments:
env.com
env-uat.com
env-pre.com
All three pages run the same code. I want env-uat.com and env-pre.com to both get this in the htaccess:
Header set X-Robots-Tag "noindex, nofollow"
This will effectively completely unindex these pages, including PDF files etc. But I don't want to affect env.com.
How can I make the Header X-Robots-Tag only be added for env-uat.com and env-pre.com and NOT env.com?
** UPDATE **
From what I could find so far, it would seem you can only do something like this:
SetEnvIf Request_URI "^/privacy-policy" NOINDEXFOLLOW
Header set X-Robots-Tag "noindex, follow" env=REDIRECT_NOINDEXFOLLOW
But this makes it specific to a PAGE. I want it specific to a DOMAIN.
@Starkeen was right up to here:
SetEnvIf host ^(env-uat\.com|host2\.com)$ NOINDEXFOLLOW
So, you could include the domains that you want to be involved in this env var like this:
SetEnvIf host ^(env-uat|env-pre)\.com NOINDEXFOLLOW
Then you should attach the env var with the same name, like this:
Header set X-Robots-Tag "noindex, follow" env=NOINDEXFOLLOW
Not like this:
Header set X-Robots-Tag "noindex, follow" env=REDIRECT_NOINDEXFOLLOW
The line above looks for an env var named REDIRECT_NOINDEXFOLLOW, not NOINDEXFOLLOW, and that is a different case from the question X Robots Tag noindex specific page,
which was about matching against Request_URI for a special case.
So, the code should look like this:
SetEnvIf host ^(env-uat|env-pre)\.com NOINDEXFOLLOW
Header set X-Robots-Tag "noindex, follow" env=NOINDEXFOLLOW
You can match against Host header using SetEnvIf directive.
To make the Header X-Robots-Tag only available for a specific host (env-uat.com) you could use something like the following:
SetEnvIf host ^env-uat\.com$ NOINDEXFOLLOW
Header set X-Robots-Tag "noindex, follow" env=REDIRECT_NOINDEXFOLLOW
To make this available for multiple hosts, you could use the following:
SetEnvIf host ^(env-uat\.com|host2\.com)$ NOINDEXFOLLOW
Header set X-Robots-Tag "noindex, follow" env=REDIRECT_NOINDEXFOLLOW

X-Frame-Options: .htaccess vs httpd.conf

In httpd.conf (Unix / Mac OS Sierra) I've got "Header set X-Frame-Options SAMEORIGIN"
I'd like to override that for a specific directory to
X-Frame-Options ALLOW-FROM SpecificDomain.com
The goal is to allow iframe access to that directory but no others.
I tried adding the ALLOW-FROM line to an .htaccess file in the target directory, but no luck. The iframe is denied, and the browser console says "X-Frame-Options" is set to "SAMEORIGIN".
There are compatibility issues with some browsers and the ALLOW-FROM parameter of the X-Frame-Options response header; chances are you are dealing with a browser which does not support it.
Ideally try this command to see the headers output and make sure the setting you made is being used:
curl -I http://yourserver.example.com/exceptionpath/
If it is, instead of setting that other header you may also want to unset that header in that directory to avoid compatibility issues with that parameter:
Header unset X-Frame-Options
or if the above is not being applied:
Header always unset X-Frame-Options
Sidenote: If you are the admin of the site you don't need to use .htaccess if you have access to the main configuration files; set it in the appropriate Directory entry instead. Disable .htaccess files altogether with AllowOverride None. Configuration will be simpler and you will gain a bit of performance by not forcing httpd to constantly read that file several times with each hit.

multiple .htaccess file add Access-Control-Allow-Origin

I have two .htaccess files. One is in the root and the second one is in a subfolder. At the root I set the Access-Control-Allow-Origin like this:
Header add Access-Control-Allow-Origin "http://mypage.de"
Header add Access-Control-Allow-Origin "http://www.mypage.de"
The subfolder is the target of a subdomain and I just want to set the Access-Control-Allow-Origin to both variants of the subdomain like this:
Header add Access-Control-Allow-Origin "http://sub.mypage.de"
Header add Access-Control-Allow-Origin "http://www.sub.mypage.de"
The problem is that I get a 400 Bad Request error on my subdomain because the two definitions from my root are also added to the request when calling the subdomain. Is there a way to reset Access-Control-Allow-Origin or to exclude the subfolder from using the header rules from the root .htaccess? Thanks.
In the subfolder's .htaccess, add this before your lines:
Header unset Access-Control-Allow-Origin
That should clear the previous headers.
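A way to check what `curl -I` prints (as suggested in the X-Frame-Options override answer above) for the pitfalls the answers on this page run into: a comma-joined X-Frame-Options produced by `Header append`, an ALLOW-FROM value, a missing HSTS header, and an Access-Control-Allow-Origin sent twice as in the two-.htaccess question. This is an added example in Python, not code from any of the answers; the two responses are constructed samples, not captured from a real server.

```python
import re

# Constructed `curl -I` output (not a real server response) for a vhost where
# a root and a subfolder .htaccess each ran `Header always append
# X-Frame-Options SAMEORIGIN` and each added its own Access-Control-Allow-Origin.
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n"
    "Access-Control-Allow-Origin: http://mypage.de\r\n"
    "Access-Control-Allow-Origin: http://sub.mypage.de\r\n\r\n"
)
# Constructed output after switching to `Header set` and unsetting the
# inherited Access-Control-Allow-Origin in the subfolder.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Access-Control-Allow-Origin: http://sub.mypage.de\r\n\r\n"
)

def parse_headers(raw):
    """Map lower-cased header name -> list of values; repeated names are kept."""
    headers = {}
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line.strip():
            break                            # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return a list of findings; an empty list means the headers look right."""
    h = parse_headers(raw)
    findings = []
    # `Header append` joins repeats with ", "; browsers do not honour such a
    # list, so X-Frame-Options must be exactly one of DENY or SAMEORIGIN.
    xfo = [v.strip().upper() for v in ",".join(h.get("x-frame-options", [])).split(",") if v.strip()]
    if not xfo:
        findings.append("X-Frame-Options missing: page can be framed")
    elif len(xfo) > 1:
        findings.append("X-Frame-Options has %d values %r; use 'Header set'" % (len(xfo), xfo))
    elif xfo[0].startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is ignored by many browsers")
    elif xfo[0] not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options value %r is not DENY or SAMEORIGIN" % xfo[0])
    hsts = h.get("strict-transport-security", [])
    if not hsts or not re.search(r"max-age=\d+", hsts[0]):
        findings.append("Strict-Transport-Security missing or lacks max-age=")
    if len(h.get("access-control-allow-origin", [])) > 1:
        findings.append("Access-Control-Allow-Origin sent more than once; only one value is valid")
    return findings
```

Pipe real `curl -I` output into `audit()` to check a live vhost; the duplicate X-Frame-Options and Access-Control-Allow-Origin findings are exactly the symptoms the `append` and inherited-.htaccess setups above produce.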
