Security issue with .htaccess - .htaccess

First I tried adding multiple IfModule blocks, but it does not work.
<ifModule mod_headers.c>
Header set Access-Control-Allow-Origin: http://domainurl1.com
</ifModule>
<ifModule mod_headers.c>
Header set Access-Control-Allow-Origin: http://domainurl2.com
</ifModule>
When I try to add multiple IfModule blocks, only the last one (http://domainurl2.com) works; the others do not.
Then I tried the following code. It works, but I think it is not secure to allow everyone:
<ifModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</ifModule>
I have 5 domains that I have to allow.
Are there any solutions for adding multiple domains that I want to allow?

Try this if you want a quick fix:
<ifModule mod_headers.c>
Header add Access-Control-Allow-Origin "http://domainurl1.com"
Header add Access-Control-Allow-Origin "http://domainurl2.com"
</ifModule>
However, this is not the solution recommended by the W3C. Instead you should make the server read the Origin header from the client, compare it to a list of allowed domains, and send the value of the Origin header back to the client as the Access-Control-Allow-Origin header. See http://www.w3.org/TR/cors/#access-control-allow-origin-response-hea for more details.
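The allowlist approach described above, written out as an added example for this page (it is not code from the question or from any of the answers). A browser accepts only a single value in Access-Control-Allow-Origin, so the server has to choose one origin per response; the snippet does that with mod_setenvif and mod_headers on Apache 2.4. The host names are the question's own placeholders (domainurl1.com to domainurl5.com), and the variable name CORS_ORIGIN is an arbitrary choice:

```apache
# Added example: echo the request's Origin back only when it is on an explicit allowlist.
# Assumes Apache 2.4 with mod_setenvif and mod_headers enabled (a2enmod setenvif headers).
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
    # Anchored regex over the whole Origin value (scheme://host, no path, no trailing slash).
    # Each dot is escaped and the pattern is anchored at both ends, so an origin such as
    # http://domainurl1.com.attacker.test or http://evildomainurl1.com does not match.
    # $0 is the full matched text; it becomes the value of CORS_ORIGIN only on a match.
    SetEnvIf Origin "^https?://(domainurl1|domainurl2|domainurl3|domainurl4|domainurl5)\.com$" CORS_ORIGIN=$0

    # Reflect the matched origin. The env= condition means the header is omitted entirely
    # for unlisted or absent origins, so there is never a "*" or a second value to leak.
    # "always" also applies this to 3xx and 4xx responses, not only to 200s.
    Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN

    # The response now depends on the Origin request header; tell caches so that a copy
    # made for one origin is never served to another. Unconditional on purpose.
    Header always merge Vary "Origin"

    # Only needed if the cross-origin requests are preflighted (custom headers,
    # PUT/DELETE, JSON bodies). Keep these lists as narrow as the client requires.
    Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Headers "Content-Type, X-Requested-With" env=CORS_ORIGIN
</IfModule>
</IfModule>
```

To check it without a browser, send the same request twice with curl, once with `-H 'Origin: http://domainurl1.com'` and once with an origin that is not listed: the first response must carry Access-Control-Allow-Origin: http://domainurl1.com, the second must carry no Access-Control-Allow-Origin header at all, and both must carry Vary: Origin. Two points worth keeping in mind: if the front end sends cookies or HTTP auth you also need Access-Control-Allow-Credentials: true, which browsers refuse to combine with "*" but accept with a reflected exact origin, and CORS only decides what a cross-origin page's script may read from the response; the request still reaches the server, so this header is not a substitute for authentication or authorization on the endpoint itself.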

Related

Header set Access-Control-Allow-Origin "*" is not working and icons are not showing up

<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
I have this code inside my .htaccess file, but the icons are still not showing up on the website. I checked everything.
I also have this at the top of index.php:
header('Access-Control-Allow-Origin: *');
I also see it in the page headers in Chrome,
but the icons are still the same.
I realized that LiteSpeed was caching my .htaccess file, so my changes weren't applied. So I disabled the LiteSpeed cache inside the .htaccess file:
<IfModule LiteSpeed>
CacheDisable public /
</IfModule>
After that I realized that I had forgotten the output caches on my views. I turned them off by adding:
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
and after all that I put
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
into my .htaccess. And then everything worked fine...

Leverage browser caching not working and resources duplicating

I am having problems with leverage browser caching. It seems that my resources are not fetched from the cache and, as you can see in the image below, some of them are duplicated. I have this meta tag:
<meta http-equiv="Cache-Control" content="private, max-age=216000">
I also have this in my .htaccess:
<IfModule mod_headers.c>
# Set the cache-control max-age
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
Header set Cache-Control "max-age=172800, public"
</FilesMatch>
# 2 DAYS
<FilesMatch "\.(xml|txt)$">
Header set Cache-Control "max-age=172800, public, must-revalidate"
</FilesMatch>
# 4 HOURS
<FilesMatch "\.(html|htm)$">
Header set Cache-Control "max-age=14400, must-revalidate"
</FilesMatch>
# Turn off the ETags
Header unset ETag
FileETag None
# Turn off the Last-Modified header except for html docs
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css)$">
Header unset Last-Modified
</FilesMatch>
Thanks
OK, as I see from your screenshot, you haven't set any caching headers. Even though you said you did, I can't see them in the screenshot.
Here is an explanation of how caching headers work if you need it, just in case: Cache-Control headers, max-age defined but back button always delivers web cache data
To make caching more efficient, you can load common libraries from public CDNs. For example, you can load jQuery from its official CDN: look here

htaccess: content doesn't seem to get cache'd

This is my code for caching my website in users' browsers:
## EXPIRES CACHING ##
<IfModule mod_expires.c>
Header unset Pragma
FileETag None
Header unset ETag
# cache images/pdf docs for 30 days
<FilesMatch "\.(ico|pdf|jpg|jpeg|png|gif|js|ttf|woff|eot|svg)$">
Header set Cache-Control "max-age=2592000, public, must-revalidate"
Header unset Last-Modified
</FilesMatch>
# cache html/htm/xml/txt files for 10 days
<FilesMatch "\.(html|htm|xml|txt|xsl|css|php)$">
Header set Cache-Control "max-age=864000, must-revalidate"
</FilesMatch>
</IfModule>
## EXPIRES CACHING ##
When I check my website's performance on http://developers.google.com/speed/pagespeed/insights/ it doesn't seem like it's getting cached.
Is there anything wrong with the code? Or could it have something to do with a deeper server setting?
Thanks!
I solved the issue by installing mod_headers and mod_expires on the server. Quite useful if you're going to use their functions...

ExpiresByType not working but <FilesMatch> IS in .htaccess?

I've been rather perplexed by this and was hoping someone might be able to shed some light.
In my htaccess file, I have:
<IfModule mod_expires.c>
ExpiresActive on
ExpiresByType text/html "access plus 4 hours"
</IfModule>
However, it doesn't seem to be working when I check the headers.
I get "no-store, no-cache, must-revalidate, post-check=0, pre-check=0"
But if I use THIS code:
# 4 HOURS
<FilesMatch "\.(html|htm)$">
Header set Cache-Control "max-age=14400, must-revalidate"
</FilesMatch>
It DOES pick up the cache:
max-age=14400, must-revalidate
Am I missing something? Is one for the server and one for the browser? I mean, I'd prefer to use the first since it came with the boilerplate, if they are both the same.
Thanks in advance!
I don't know if you already have the solution, but are you sure mod_expires is enabled on your server? On Ubuntu: sudo apache2ctl -M.
You can also try to comment out <IfModule mod_expires.c> and </IfModule> and restart Apache. It will crash if mod_expires is not enabled.
To enable mod_expires:
sudo a2enmod expires
mod_expires will create the Expires header and should modify only the max-age=14400 part of the Cache-Control header. For the must-revalidate part you will have to use Header.

Header set Access-Control-Allow-Origin in .htaccess doesn't work

I can't figure out why my .htaccess header settings don't work.
My .htaccess file content:
Header set Access-Control-Allow-Origin *
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Allow-Headers "*"
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
But when I remove the Header directives and add them in index.php, everything works fine.
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: PUT, GET, POST, DELETE, OPTIONS");
header("Access-Control-Allow-Headers: *");
What am I missing?
This should work:
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
Just for the record, I was running into the exact same problem and none of the answers worked.
I used a headers checker tool: http://www.webconfs.com/http-header-check.php
I was testing with my IP (http://192.0.2.1/upload) and what came back was the following:
HTTP/1.1 301 Moved Permanently =>
Date => Sat, 10 Jan 2015 04:03:35 GMT
Server => Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
Location => http://192.0.2.1/upload/
Content-Length => 380
Connection => close
Content-Type => text/html; charset=iso-8859-1
There was a redirection happening, and the AJAX request does not honor/follow redirects.
It turned out to be the missing slash at the end of the domain (http://192.0.2.1/upload/).
I tested again with a slash at the end and got this below. I added a slash in the script too, and it was now working.
HTTP/1.1 200 OK =>
Date => Sat, 10 Jan 2015 04:03:53 GMT
Server => Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By => PHP/5.3.8
Access-Control-Allow-Origin => *
Access-Control-Allow-Methods => PUT, GET, POST, DELETE, OPTIONS
Access-Control-Allow-Headers => *
Content-Length => 1435
Connection => close
Content-Type => text/html
Use this tool to test if your headers are good and to troubleshoot what is happening.
I have shared hosting on GoDaddy. I needed an answer to this question too, and after searching around I found that it is possible.
I wrote an .htaccess file and put it in the same folder as my action page. Here are the contents of the .htaccess file:
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
Here is my AJAX call:
$.ajax({
    url: 'http://www.mydomain.com/myactionpagefolder/gbactionpage.php', // server script to process data
    type: 'POST',
    xhr: function() { // custom xhr
        var myXhr = $.ajaxSettings.xhr();
        if (myXhr.upload) { // check if upload property exists
            myXhr.upload.addEventListener('progress', progressHandlingFunction, false); // for handling the progress of the upload
        }
        return myXhr;
    },
    // Ajax events
    beforeSend: beforeSendHandler,
    success: completeHandler,
    error: errorHandler,
    // Form data
    data: formData,
    // Options to tell jQuery not to process data or worry about content-type
    cache: false,
    contentType: false,
    processData: false
});
See this article for reference:
Header set Access-Control-Allow-Origin in .htaccess doesn't work
Be careful with:
Header add Access-Control-Allow-Origin "*"
It is not judicious at all to grant access to everybody. It's preferable to allow only a list of known trusted hosts...
Header add Access-Control-Allow-Origin "http://aaa.example"
Header add Access-Control-Allow-Origin "http://bbb.example"
Header add Access-Control-Allow-Origin "http://ccc.example"
Regards,
I activated the Apache headers module (a2enmod headers), and the issue was solved.
Try this in the .htaccess of the external root folder:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
Be careful with doing Header add Access-Control-Allow-Origin "*". It is not judicious at all to grant access to everybody. I think you should use:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "http://example.com"
</IfModule>
I +1'd Miro's answer for the link to the header-checker site http://www.webconfs.com/http-header-check.php. It pops up an obnoxious ad every time you use it, but it is nevertheless very useful for verifying the presence of the Access-Control-Allow-Origin header.
I'm reading a .json file from the JavaScript on my web page. I found that adding the following to my .htaccess file fixed the problem when viewing my web page in IE 11 (version 11.447.14393.0):
<FilesMatch "\.(json)$">
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
</FilesMatch>
I also added the following to /etc/httpd.conf (Apache's configuration file):
AllowOverride All
The header-checker site verified that the Access-Control-Allow-Origin header is now being sent (thanks, Miro!).
However, Firefox 50.0.2, Opera 41.0.2353.69, and Edge 38.14393.0.0 all fetch the file anyway, even without the Access-Control-Allow-Origin header. (Note: they might be checking IP addresses, since the two domains I was using are both hosted on the same server, at the same IPv4 address.)
However, Chrome 54.0.2840.99 m (64-bit) ignores the Access-Control-Allow-Origin header and fails anyway, erroneously reporting:
No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin '{mydomain}' is therefore not allowed access.
I think this has got to be some sort of "first." IE is working correctly; Chrome, Firefox, Opera and Edge are all buggy; and Chrome is the worst. Isn't that the exact opposite of the usual case?
After spending half a day with nothing working, even though a header check service said everything was working, it turned out that the firewall at work was stripping them.
Try this:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Credentials true
Header set Access-Control-Allow-Origin "your domain"
Header set Access-Control-Allow-Headers "X-Requested-With"
</IfModule>
It's preferable to allow a list of known trusted hosts.
If anyone else is trying this, the most upvoted answer should work. However, if you are having issues, it could be that the browser has cached the REQUEST. To confirm, append a query string.
To complete the most upvoted answer, I want to add the case where the header is not added to a response: you can add the always keyword from Apache.
In my case I needed to add the Access-Control-Allow-Origin header to the response of the redirection, not to the result of the redirection.
A redirection gives a 302 status code, so the header wasn't filled with the correct information.
In this case I needed to add:
Header always set Access-Control-Allow-Origin "*"
For more information you can check this thread:
Apache: difference between "Header always set" and "Header set"?