set http only and secure flag for cookies in lighttpd - linux

We are using the lighttpd web server in our code base. We need to add the SECURE and HTTP ONLY flags to the cookie.
I have gone through many examples, but all are related to PHP and some other languages. We don't use PHP in our code. Is there any way that I can get this? Can anything be done in the .conf file, like in the Apache web server?
I have tested the Apache web server by adding changes in httpd.conf and checked the packet capture. It worked. But I am unable to achieve this in lighttpd.
We use the C language in the backend.

Well, to answer my own question:
There is nothing to be done in lighttpd.conf, unlike httpd.conf for Apache.
We are setting the cookie header in a Lua file (Kepler). Appending Secure to that cookie header fixed the issue.

Related

I need to remove or ignore the X-Frame-Options header. Should I use a proxy?

Premise
I need a way to remove the X-Frame-Options header from the responses from a few websites before those responses reach my browser.
I am doing this so that I can properly render my custom kiosk webpage, which has iframes that point to websites that don't want to show up in frames.
What I have tried
I have tried setting up a proxy using squid and configuring its reply_header_access option to deny X-Frame-Options headers as the server receives them, but that is for some reason not working as anticipated. I have verified that I am indeed going through the Squid proxy, and I have verified that the X-Frame-Options header persists despite my squid.conf file containing the following:
reply_header_access X-Frame-Options deny all
and having built squid (using Homebrew on my Mac) with the --enable-http-violations option.
Having chased down a lot of what might have gone wrong with this approach, I have decided that the reply_header_access option must not do exactly what I thought it does (modify headers before returning them to the client).
So, I tried using another proxy server. After reading a Stack Overflow question asking about a situation roughly similar to mine, I decided I might try using the node-http-proxy library. However, I have never used Node before, so I got lost pretty quickly and am stuck at a point where I am not sure how to implement the library for my specific purpose.
Question
Using Node seems like a potentially very easy solution, so how can I set up a proxy using Node that removes the X-Frame-Options header from responses?
Alternatively, why is Squid not removing the header even though I tried to set it up to do so?
Final alternative: Is there an easier way to reach my ultimate goal of rendering any page I want within an iframe?
I used a proxy, specifically mitmproxy with the following script:
drop_unwanted_headers.py:
from mitmproxy import http


def requestheaders(flow: http.HTTPFlow) -> None:
    # Copy the key list first: popping entries while iterating over the live
    # header object would skip some of them.
    for each_key in list(flow.request.headers):
        if each_key.casefold().startswith("sec-"):
            flow.request.headers.pop(each_key)


def responseheaders(flow: http.HTTPFlow) -> None:
    # Header lookups in mitmproxy are case-insensitive.
    if "x-frame-options" in flow.response.headers:
        flow.response.headers.pop("x-frame-options")
    if "content-security-policy" in flow.response.headers:
        flow.response.headers.pop("content-security-policy")
To run it, do:
mitmproxy --script drop_unwanted_headers.py
Also ensure that your proxy settings point to the computer where the proxy server is running (maybe localhost) and the correct port is used.
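As an added, defender-side example (not part of the answer above and not mitmproxy code): a Python function that reports who may frame a response, derived from its X-Frame-Options and Content-Security-Policy headers, plus a check a site owner or kiosk operator can run to confirm that a proxy in the path has not stripped those protections. It encodes the browser rule that a CSP frame-ancestors directive takes precedence over X-Frame-Options. The header sets ORIGIN_HEADERS and PROXIED_HEADERS are constructed for illustration.

```python
from typing import Dict, List, Optional


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup of one header in a plain dict of response headers."""
    for key, val in headers.items():
        if key.lower() == name:
            return val
    return None


def framing_policy(headers: Dict[str, str]) -> Dict[str, object]:
    """Describe who may embed this response in a frame.

    A Content-Security-Policy frame-ancestors directive takes precedence; browsers
    consult X-Frame-Options only when no such directive is present.
    """
    csp = _lookup(headers, "content-security-policy") or ""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources: List[str] = tokens[1:]
            return {"source": "csp", "protected": sources != ["*"], "allowed": sources}
    xfo = _lookup(headers, "x-frame-options")
    if xfo is None:
        return {"source": None, "protected": False, "allowed": ["*"]}
    value = xfo.strip().upper()
    if value == "DENY":
        return {"source": "xfo", "protected": True, "allowed": ["'none'"]}
    if value == "SAMEORIGIN":
        return {"source": "xfo", "protected": True, "allowed": ["'self'"]}
    # ALLOW-FROM and misspelt values: current browsers ignore the header entirely.
    return {"source": "xfo", "protected": False, "allowed": ["*"],
            "note": f"unsupported X-Frame-Options value {xfo!r}"}


def stripped_in_transit(origin_headers: Dict[str, str], proxied_headers: Dict[str, str]) -> bool:
    """True when the upstream response carried a framing restriction that the
    copy received through the proxy no longer has."""
    return bool(framing_policy(origin_headers)["protected"]) and not framing_policy(proxied_headers)["protected"]


# Constructed header sets: what the origin sent and what arrived through a header-stripping proxy.
ORIGIN_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY",
                  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
PROXIED_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    print(framing_policy(ORIGIN_HEADERS))
    print("stripped:", stripped_in_transit(ORIGIN_HEADERS, PROXIED_HEADERS))
```

Feeding the function the headers captured on both sides of a proxy (for example from mitmproxy's own flow view) shows immediately whether the clickjacking defence a site relies on still reaches the browser.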

Nginx remove Secure Flag to Cookies from proxied server

I'm using Nginx as a reverse proxy server. Is it possible to remove the "secure" flag from the cookies somehow using Nginx? Modifying the path is possible, so I guess it's also possible to modify the cookie.
An imperfect method:
proxy_cookie_path "~*^(.*?)$" $1\nX-User-Value:;
I know this is quite an old question, but there is no answer here and I couldn't find a fine solution for the same problem.
So I forked the nginx_cookie_flag_module module and changed it to nginx_unsecure_cookie_module:
https://github.com/yumauri/nginx_unsecure_cookie_module
I'm a frontend developer, my C/C++ knowledge is super low, but it looks like it is working in my tests :) So I reckon it is good enough for development reasons.
Since nginx 1.19.3 you can use http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_flags. For example:
proxy_cookie_flags some_cookie nosecure;
To remove the Secure flag from all cookies:
proxy_cookie_flags ~ nosecure;
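The lighttpd question at the top of the page and this nginx question are two sides of the same Set-Cookie attribute handling: one needs Secure and HttpOnly added, the other needs Secure stripped. The following Python helper is an added example (not lighttpd, Kepler or nginx code) that parses Set-Cookie values, audits them for the two flags the way one would check a packet capture, and adds or removes flags in the manner of proxy_cookie_flags. The values in SAMPLE_CAPTURE are constructed.

```python
from typing import Dict, List, Tuple

# Canonical spelling for attributes when a header is rebuilt.
_CANONICAL = {"httponly": "HttpOnly", "secure": "Secure", "samesite": "SameSite",
              "max-age": "Max-Age", "expires": "Expires", "domain": "Domain",
              "path": "Path", "partitioned": "Partitioned"}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def build_set_cookie(name: str, value: str, attrs: Dict[str, str]) -> str:
    """Serialise (name, value, attributes) back into a Set-Cookie value."""
    out = [f"{name}={value}"]
    for key, val in attrs.items():
        label = _CANONICAL.get(key, key)
        out.append(f"{label}={val}" if val else label)
    return "; ".join(out)


def audit_set_cookie(header: str, require=("secure", "httponly")) -> List[str]:
    """Return the required flags missing from one Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in require if flag not in attrs]


def set_flags(header: str, add=(), remove=()) -> str:
    """Add or strip flag attributes: add=("secure", "httponly") for the lighttpd
    fix, remove=("secure",) for what `proxy_cookie_flags ~ nosecure` does."""
    name, value, attrs = parse_set_cookie(header)
    for flag in remove:
        attrs.pop(flag.lower(), None)
    for flag in add:
        attrs.setdefault(flag.lower(), "")
    return build_set_cookie(name, value, attrs)


# Constructed Set-Cookie values as they might appear in a packet capture.
SAMPLE_CAPTURE = [
    "SESSIONID=abc123; Path=/",
    "csrf=9f8e7d; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def audit_capture(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name -> missing flags, listing only cookies that need attention."""
    report: Dict[str, List[str]] = {}
    for h in headers:
        missing = audit_set_cookie(h)
        if missing:
            report[parse_set_cookie(h)[0]] = missing
    return report


if __name__ == "__main__":
    print(audit_capture(SAMPLE_CAPTURE))
    print(set_flags(SAMPLE_CAPTURE[0], add=("secure", "httponly")))
```

Secure is the attribute that stops the browser from sending the cookie over plain HTTP, so stripping it at the proxy belongs in a development setup only, as the answer above says; the audit side of the helper is what you would run in production to confirm that every session cookie carries both flags.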

How to get mod_pagespeed working with SSL

I've got mod_pagespeed installed under apache2/php5-fpm and it's working fine on my domain that isn't using SSL (it's combining CSS and JS, no probs); however, when I access the SSL version of the same site, it no longer works. I've tried setting the variable:
ModPagespeedFetchHttps enable
But it still is not working. The site is behind basic auth security; would this matter?
I can see in the response headers under the SSL version of the site that mod_pagespeed is there, but it's not working its magic.
Does accessing resources require authentication? If so, then mod_pagespeed probably is not able to access them (it just does an http fetch for resources to rewrite).
Are the same resources available on HTTP? If so, your best bet might be MapOriginDomain:
ModPagespeedMapOriginDomain http://www.example.com/ https://www.example.com/
This will fetch all resources with HTTP even when the page is requested with HTTPS. So this would avoid the authentication issue.
See also, https://developers.google.com/speed/pagespeed/module/https_support for more help with various HTTPS issues.
In addition to the above answer, also make sure you have added the directory for ModPagespeedSslCertFile in your config file.
Check "Configuring SSL Certificates" at
https://developers.google.com/speed/pagespeed/module/https_support

Is there any way to configure .htaccess to write to access.log file which is already handled by apache2.config

We have hosted our website with an external agency, in a Linux environment.
Now we have added cookies to our website code and want to track the cookie in access.log. When we requested this from our domain host provider, they turned down the request to modify the apache2.config file; instead they suggested using the .htaccess file to enable the cookie in access.log. Right now we do not want to use any other method to log the cookie other than the .htaccess file.
We did not find any solutions to enable the cookie in access.log using the .htaccess file.
We need the following questions to be answered.
1) Is it possible to use the .htaccess file to enable the cookie in access.log?
2) If yes, what are the steps to make it work? It will be greatly appreciated if it is explained keeping in mind that the user is a layman.
As far as I know you cannot customize log files from .htaccess. And I think there is a valid reason for disabling this, as it may pose security issues in a shared environment.
You would need to have the host enable mod_usertrack. Then they would need to allow you to override the configuration settings with .htaccess.
LogFormat "%{Apache}n %r %t" usertrack
CustomLog logs/clickstream.log usertrack
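To read the clickstream.log that the LogFormat above produces, here is an added Python parser (not part of the answer and not mod_usertrack code). It groups request targets per tracking cookie and parses the %t timestamp; the lines in SAMPLE_LOG are constructed to match the "%{Apache}n %r %t" format and are not from any real server.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# LogFormat "%{Apache}n %r %t": tracking cookie, request line, bracketed timestamp.
# %r is "METHOD target HTTP/x.y", so it is split into three named groups.
_LINE = re.compile(
    r"^(?P<cookie>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d) "
    r"\[(?P<time>[^\]]+)\]$"
)

# Constructed example lines in that format.
SAMPLE_LOG = [
    "203.0.113.7.1700000000123456 GET /index.html HTTP/1.1 [14/Nov/2023:21:33:20 +0000]",
    "203.0.113.7.1700000000123456 GET /cart HTTP/1.1 [14/Nov/2023:21:33:41 +0000]",
    "198.51.100.9.1700000000654321 GET /index.html HTTP/1.1 [14/Nov/2023:21:34:02 +0000]",
    "garbage line that does not match the format",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not match."""
    m = _LINE.match(line)
    return m.groupdict() if m else None


def parse_time(stamp: str) -> datetime:
    """Turn the %t value (without brackets) into an aware datetime."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def sessions(lines: List[str]) -> Dict[str, List[str]]:
    """Group request targets by tracking cookie, in log order; unparsable lines are skipped."""
    out: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            out[rec["cookie"]].append(rec["target"])
    return dict(out)


if __name__ == "__main__":
    for cookie, targets in sessions(SAMPLE_LOG).items():
        print(cookie, targets)
```

The %r field is the raw request line as the client sent it, so anything you build on this parser should treat the target as untrusted input (it is exactly where injection attempts and probes show up); the strict regex above simply drops lines that do not fit the format rather than guessing.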
I track cookies, users, sessions, browsers, everything in a MySQL database. It's a lot easier to access the data with stats than log mining. (It does take up a bit of room though.)

Using IIS as secure reverse proxy in front of less secure HTTP server?

I have a CppCMS based application and I can't use IIS's FastCGI connector, as it is broken for my use, thus I want to try to use the internal HTTP server, designed for debug purposes, behind IIS.
It is a quite simple web server for an application that handles basic HTTP/1.0 requests and does not care too much about security like DoS, file serving and more.
So I'd like to know if it is possible to use IIS in front of such an application such that it would:
Sanitize all requests - ensure that they are proper HTTP
Handle all DoS issues like timeouts
Serve the static files.
Is this something that can be configured and done at all?
I would suggest this is the wrong way of doing this. I would use a web server like Nginx to proxy the requests through to the backend server. It is very configurable and you will find a lot of articles on doing it with Apache.
We just did something like this. You want the URL Rewriter module. You can use it to sanitize the URLs; however, it isn't going to sanitize the payload. Which is to say, you can make sure that the URLs that hit your box are very specific ones, e.g. not attempts to hit CGI, but you can't use it to make sure that the contents of an upload are safe.
ModSecurity is out for IIS now, it can handle lots of the security related issues.
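Added example, not CppCMS, IIS or URL Rewrite code: a Python validator showing the kind of request sanitization the question asks a front proxy for (well-formed request line, method allow-list, traversal-free target, header limits, a single Content-Length). The limits, the character classes in the regexes and the sample requests are assumptions chosen for illustration.

```python
import re
from typing import Tuple

# Limits a front proxy would enforce before anything reaches a debug-grade backend (assumed).
MAX_LINE = 8192          # longest accepted request or header line
MAX_HEADERS = 100        # header count cap
MAX_BODY = 1_000_000     # declared body size cap in bytes
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

# Request target: absolute path plus optional query, restricted to URI characters.
_TARGET = re.compile(r"^/[A-Za-z0-9._~!$&'()*+,;=:@%/-]*(\?[A-Za-z0-9._~!$&'()*+,;=:@%/?-]*)?$")
# Header field: token name, colon, optional whitespace, value without CR/LF.
_HEADER = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def validate_request(raw: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for one raw request; only the head is inspected."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"
    if any(len(line) > MAX_LINE for line in lines):
        return False, "line too long"

    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "malformed request line"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if not _TARGET.match(target):
        return False, "malformed request target"
    if ".." in target.split("?", 1)[0].split("/"):
        return False, "path traversal segment in target"

    if len(lines) - 1 > MAX_HEADERS:
        return False, "too many headers"
    seen = {}
    for line in lines[1:]:
        m = _HEADER.match(line)
        if not m:
            return False, "malformed header line"
        name, value = m.group(1).lower(), m.group(2)
        # Two Content-Length or Host headers are a request-smuggling signature.
        if name in seen and name in ("content-length", "host"):
            return False, f"duplicate {name} header"
        seen[name] = value
    length = seen.get("content-length")
    if length is not None:
        if not length.isdigit():
            return False, "non-numeric Content-Length"
        if int(length) > MAX_BODY:
            return False, "declared body too large"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests.
    for req in (b"GET /index.html HTTP/1.0\r\nHost: kiosk.example\r\n\r\n",
                b"GET /../etc/passwd HTTP/1.0\r\n\r\n",
                b"TRACE / HTTP/1.0\r\n\r\n"):
        print(req.split(b"\r\n", 1)[0], validate_request(req))
```

Two things the check deliberately leaves to the proxy in front: the read timeouts and connection caps the question lists under DoS, which belong at the socket layer rather than in a parser, and percent-decoding of the target, which must happen before the traversal test if the backend decodes paths itself.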
