htaccess Header Set doesn't set
I've tried setting a few basic security headers from an htaccess file. For PHP and HTM (no L) files with rewrites I don't see the headers being set in Chrome. HTML files, JPG images, etc seem to receive the set headers as expected. So php and rewriting seems to be the issue at the moment. Here are the headers I'm trying to set along with a basic forced https on rule:
RewriteCond %{HTTPS} off
RewriteRule (.*)
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Max age 300 is just for testing so please ignore the specific values unless the syntax is wrong. I can't force strict transport security on all domain names on the server for example. This particular domain has a purchased SSL. Server is GoDaddy dedicated. Possible WHM setting conflicts could be "Symlink Protection = On" and "Use a Global DCV Passthrough instead of .htaccess modification = On".
How do I get PHP and sym HTM links to show these headers?
Thanks.
I was able to set these using PHP as a fallback. If the headers are not set then set them just prior to printing the page. If there's a better way please share. Thanks.
[PHP]
// Fallback: send the security headers from PHP when Apache has not already set them
if (!headers_sent()) {
    // headers_list() returns full "Name: value" strings, so compare on the header name only
    $sent = array();
    foreach (headers_list() as $line) {
        $sent[] = strtolower(trim(strstr($line, ':', true)));
    }
    $wanted = array(
        'X-XSS-Protection'          => '1; mode=block',
        'X-Content-Type-Options'    => 'nosniff',
        'X-Frame-Options'           => 'SAMEORIGIN',
        'Strict-Transport-Security' => 'max-age=2592000; includeSubDomains',
        'Content-Security-Policy'   => 'upgrade-insecure-requests',
        'Referrer-Policy'           => 'strict-origin-when-cross-origin',
    );
    foreach ($wanted as $name => $value) {
        if (!in_array(strtolower($name), $sent, true)) {
            header($name . ': ' . $value);
        }
    }
}
[/PHP]
Do you have mod_headers installed in easyapache4? htaccess "Header set" won't work without it.
And once you get mod_headers working in your htaccess files... your Header set Pragma "no-cache" syntax is valid.
As fuzzylogic pointed out, you'll need to ensure mod_headers is installed. On EA4 systems, you'll need to install `ea-apache24-mod_headers`. This could also be due to your PHP handler. Would you happen to be using CGI? If so, please see the Apache doc below:
Apache Tutorial: Dynamic Content with CGI - Apache HTTP Server Version 2.4
Missing environment variables: If your CGI program depends on non-standard , section 4.2: Header names must start with a letter, followed only by letters, numbers or hyphen. Any header violating this rule will be dropped silently.
If using CGI, it's likely your variables are being stripped as a security measure. They'll need to be defined directly in an Apache configuration, such as userdata includes, or you'll need to use another handler:
Modify Apache Virtual Hosts with Include Files - EasyApache 4 - cPanel Documentation
Do you have mod_headers installed in easyapache4? htaccess "Header set" won't work without it.
WHM Home > Software > EasyApache4 > View all packages (currently installed):
Apache 2.4, mod_bwlimited, mod_cgi, mod_deflate, mod_expires, mod_headers, mod_mpm_prefork, mod_ruid2, mod_security2, mod_ssl, mod_unique_id
I didn't want to paste the PHP and Others packages installed; not sure if I should post them here in a public forum. This is a "custom" profile but can be altered if needed. I noticed that the recommended profiles in WHM are a bit different. Security is always of concern to me for Ecommerce and Wordpress website builds, MariaDB use etc. I read the comments about CGI as a possible issue. Is that all saying that adding the keyword "always" should fix the problem given the packages listed, or are package changes recommended instead?
I didn't see anything in the Apache CGI documentation about "always". Did it correct your issue? Did temporarily changing the PHP handler correct the issue?
I didn't see anything in the Apache CGI documentation about "always". Did it correct your issue? Did temporarily changing the PHP handler correct the issue?
The "always" condition is mentioned in the mod_headers doc. I have not tried it yet as others have pointed to CGI as the issue. The PHP header method is working. I'll have to move onto HTTP2 and review package requirements before revisiting this issue. Thanks for your input!
@cPWilliamL @fuzzylogic OK I believe I found the solution and it passes the necessary Google HSTS test up to the "preload" status (I don't want to preload). The issue seems to be with htaccess redirecting and not specific to CGI or my Apache settings. Notice the "E=HTTPS" flag on the www redirect. Here is the htaccess HSTS part to simplify.
# Redirect to https
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Redirect to www
RewriteCond %{HTTP_HOST} ^yourdomain\.com [NC]
RewriteRule (.*) https://www.yourdomain.com/$1 [E=HTTPS,R=301,L]
# Security header
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
Google's tool tipped me off that they want to see two redirects not one. The env=HTTPS environment variable wasn't working as expected. So I used the E=HTTPS flag on the www redirect to set the env=HTTPS environment variable on the next request.
Apache 2.4 Env Docs: Environment Variables in Apache - Apache HTTP Server Version 2.4
Test with these two:
HSTS Preload List Submission (Google)
Analyse your HTTP response headers
If anyone wants to add to this or confirm the fix feel free. I doubt I'm the only one having trouble with this.
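As an added example (not code from the thread), the following Python checks a captured redirect chain against the two errors the posts above mention: the HTTP request must hop to HTTPS on the same host before any www redirect, and the final HTTPS response must carry a Strict-Transport-Security header with a year-long max-age and includeSubDomains. The hop lists are constructed inline with absolute Location values; in practice you would fill them from the responses seen in curl -I or the browser's F12 dev tools.

```python
from urllib.parse import urlsplit


def parse_hsts(value):
    """Split an HSTS header value into a dict of lowercase directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip()
    return directives


def check_chain(hops, min_max_age=31536000):
    """Return error strings for a (url, status, headers) redirect chain; [] means pass."""
    errors = []
    url, status, headers = hops[0]
    if urlsplit(url).scheme == "http":
        target = urlsplit(headers.get("Location", ""))
        # The preload test wants HTTP -> HTTPS on the same host before any www hop
        if status // 100 != 3 or not target.netloc:
            errors.append("HTTP does not redirect")
        elif target.hostname != urlsplit(url).hostname:
            errors.append("HTTP redirects to www first")
        elif target.scheme != "https":
            errors.append("HTTP does not redirect to HTTPS")
    url, status, headers = hops[-1]
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        errors.append("No HSTS header")  # same wording as the site check in the thread
    else:
        d = parse_hsts(hsts)
        if not d.get("max-age", "").isdigit() or int(d["max-age"]) < min_max_age:
            errors.append("max-age too small")
        if "includesubdomains" not in d:
            errors.append("includeSubDomains missing")
    return errors


# Constructed hops for the order the thread settled on: https first, then www
GOOD_CHAIN = [
    ("http://yourdomain.com/", 301, {"Location": "https://yourdomain.com/"}),
    ("https://yourdomain.com/", 301, {"Location": "https://www.yourdomain.com/"}),
    ("https://www.yourdomain.com/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]
# Constructed hops for the www-first order that fails with "HTTP redirects to www first"
BAD_CHAIN = [
    ("http://yourdomain.com/", 301, {"Location": "http://www.yourdomain.com/"}),
    ("http://www.yourdomain.com/", 301, {"Location": "https://www.yourdomain.com/"}),
    ("https://www.yourdomain.com/", 200, {}),
]
```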
@cPWilliamL @fuzzylogic OK I believe I found the solution and it passes the necessary Google HSTS test up to the "preload" status (I don't want to preload). The issue seems to be with htaccess redirecting and not specific to CGI or my Apache settings. Notice the "E=HTTPS" flag on the www redirect. Here is the htaccess HSTS part to simplify.
# Redirect to https
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Redirect to www
RewriteCond %{HTTP_HOST} ^yourdomain\.com [NC]
RewriteRule (.*) https://www.yourdomain.com/$1 [E=HTTPS,R=301,L]
# Security header
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
Google's tool tipped me off that they want to see two redirects not one. The env=HTTPS environment variable wasn't working as expected. So I used the E=HTTPS flag on the www redirect to set the env=HTTPS environment variable on the next request. Apache 2.4 Env Docs Environment Variables in Apache - Apache HTTP Server Version 2.4 Test with these two: HSTS Preload List Submission (Google) Analyse your HTTP response headers If anyone wants to add to this or confirm the fix feel free. I doubt I'm the only one having trouble with this.
This is my htaccess but still this site check is giving errors: Error: No HSTS header and Error: HTTP redirects to www first. Please let me know the fix, Thanks.
RewriteEngine On
# Force www:
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Force SSL:
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Security header Enable HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
What are the correct rules to enable HSTS?
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
or
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
or
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" preload env=HTTPS
Error: No HSTS header and Error: HTTP redirects to www first.
I see that you quoted my working rules but your example doesn't follow them. The HSTS test error says that you redirected www first; your first rule is "Force www". And you also did not set the E=HTTPS flag. Try to copy and paste the three rules I created to replace yours. Change "yourdomain" of course. Do not change the order of the rules. Do not combine them with other rules or conditions. You can add rules below these three lines as needed.
I see that you quoted my working rules but your example doesn't follow them. The HSTS test error says that you redirected www first, your first rule is "Force www". And you also did not set the E=HTTPS flag. Try to copy and paste the three rules I created to replace yours. Change "yourdomain" of course. Do not change the order of the rules. Do not combine them with other rules or conditions. You can add rules below these three lines as needed.
So are these rules correct? Please let me know.
RewriteEngine On
# Force www:
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [E=HTTPS,R=301,L]
# Force SSL:
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Security header Enable HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
So are these rules correct?
Not correct. You changed the order of the rules. Here is my code copied from above in the chain:
# Redirect to https
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Redirect to www
RewriteCond %{HTTP_HOST} ^yourdomain\.com [NC]
RewriteRule (.*) https://www.yourdomain.com/$1 [E=HTTPS,R=301,L]
# Security header
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
I would suggest that you hard code the domain name as I have shown in the example also.
Not correct. You changed the order of the rules. Here is my code copied from above in the chain:
# Redirect to https
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Redirect to www
RewriteCond %{HTTP_HOST} ^yourdomain\.com [NC]
RewriteRule (.*) https://www.yourdomain.com/$1 [E=HTTPS,R=301,L]
# Security header
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
I would suggest that you hard code the domain name as I have shown in the example also.
One more question: how does HSTS preload work?
...passes the necessary Google HSTS test up to the "preload" status... Test with these two: HSTS Preload List Submission (Google) Analyse your HTTP response headers
Please start a new thread if you want advice on preload. My advice is simply DO NOT PRELOAD. I am suggesting that you pass the test up to the point you only get the preload error. Also review your headers in your browser F12 dev tools.
Please start a new thread if you want advice on preload. My advice is simply DO NOT PRELOAD. I am suggesting that you pass the test up to the point you only get the preload error. Also review your headers in your browser F12 dev tools.
Thanks for your great support. Now all are working without any issue.
RewriteEngine On
# Force SSL:
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Force www:
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [E=HTTPS,R=301,L]
# Security header Enable HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS