Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

SOLVED htaccess Header Set doesn't set

Discussion in 'Security' started by John Napoletano, Oct 17, 2017.

  1. John Napoletano

    Joined:
    Mar 17, 2016
    Messages:
    15
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Twitter:
    I've tried setting a few basic security headers from an htaccess file. For PHP and HTM (no L) files with rewrites I don't see the headers being set in Chrome. HTML files, JPG images, etc seem to receive the set headers as expected. So php and rewriting seems to be the issue at the moment. Here are the headers I'm trying to set along with a basic forced https on rule:

    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    Header set Strict-Transport-Security "max-age=300; includeSubDomains" env=HTTPS
    Header set Content-Security-Policy "upgrade-insecure-requests" env=HTTPS
    Header set X-Content-Type-Options "nosniff"
    Header unset "X-Powered-By"
    <FilesMatch "\.(htm|html|php)$">
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-XSS-Protection "1; mode=block"
    </FilesMatch>

    Max age 300 is just for testing so please ignore the specific values unless the syntax is wrong. I can't force strict transport security on all domain names on the server for example. This particular domain has a purchased SSL. Server is GoDaddy dedicated. Possible WHM setting conflicts could be "Symlink Protection = On" and "Use a Global DCV Passthrough instead of .htaccess modification = On".

    How do I get PHP and sym HTM links to show these headers?

    Thanks.
     
    #1 John Napoletano, Oct 17, 2017
    Last edited: Oct 18, 2017
  2. John Napoletano

    Joined:
    Mar 17, 2016
    Messages:
    15
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Twitter:
    I was able to set these using php as a fallback. If the headers are not set then set them just prior to printing the page. If there's a better way please share. Thanks.

    PHP:
    if (!headers_sent()) {
        
    $headers_list headers_list();
        if (!
    in_array("X-XSS-Protection"$headers_list)) {header("X-XSS-Protection: 1; mode=block"); }
        if (!
    in_array("X-Content-Type-Options"$headers_list)) {header("X-Content-Type-Options: nosniff"); }
        if (!
    in_array("X-Frame-Options"$headers_list)) {header("X-Frame-Options: SAMEORIGIN"); }
        if (!
    in_array("Strict-Transport-Security"$headers_list)) {header("Strict-Transport-Security: max-age=2592000; includeSubDomains"); }
        if (!
    in_array("Content-Security-Policy"$headers_list)) {header("Content-Security-Policy: upgrade-insecure-requests"); }
        if (!
    in_array("Referrer-Policy"$headers_list)) {header("Referrer-Policy: strict-origin-when-cross-origin"); }
    }
     
    #2 John Napoletano, Oct 17, 2017
    Last edited: Oct 18, 2017
  3. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    72
    Likes Received:
    35
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Do you have mod_headers installed in easyapache4?
    htaccess "Header set" won't work without it.
     
  4. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    72
    Likes Received:
    35
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    And once you get mod_headers working in your htaccess files...
    Your
    Code:
    <FilesMatch "\.(htm|html|php)$">
        Header set Pragma "no-cache"
    </FilesMatch>
    syntax is valid.
     
  5. cPWilliamL

    cPWilliamL cP Technical Analyst II
    Staff Member

    Joined:
    May 15, 2017
    Messages:
    257
    Likes Received:
    29
    Trophy Points:
    103
    Location:
    America
    cPanel Access Level:
    Root Administrator
    As fuzzylogic pointed out, you'll need to ensure mod_headers is installed. On EA4 systems, you'll need to install `ea-apache24-mod_headers'. This could also be due to your PHP handler. Would you happen to be using CGI? If so, please see the Apache doc below:
    Apache Tutorial: Dynamic Content with CGI - Apache HTTP Server Version 2.4
    If using CGI, it's likely your variables are being stripped as a security measure. They'll need to be defined directly in an Apache configuration, such as userdata includes, or you'll need to use another handler:
    Modify Apache Virtual Hosts with Include Files - EasyApache 4 - cPanel Documentation
     
    John Napoletano likes this.
  6. John Napoletano

    Joined:
    Mar 17, 2016
    Messages:
    15
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Twitter:
    WHM Home > Software > EasyApache4 > View all packages (currently installed)

    Apache 2.4

    mod_bwlimited
    mod_cgi
    mod_deflate
    mod_expires
    mod_headers
    mod_mpm_prefork
    mod_ruid2
    mod_security2
    mod_ssl
    mod_unique_id


    I didn't want to paste the PHP and Others packages installed, not sure if I should post them here in a public forum. This is a "custom" profile but can be altered if needed. I noticed that the recommended profiles in WHM are a bit different. Security is always of concern to me for Ecommerce and Wordpress website builds, MariaDB use etc.

    I read the comments about CGI as a possible issue. Is that all saying that adding the keyword "always" should fix the problem given the packages listed, package changes recommended instead?
     
    #6 John Napoletano, Oct 19, 2017
    Last edited by a moderator: Oct 23, 2017
  7. cPWilliamL

    cPWilliamL cP Technical Analyst II
    Staff Member

    Joined:
    May 15, 2017
    Messages:
    257
    Likes Received:
    29
    Trophy Points:
    103
    Location:
    America
    cPanel Access Level:
    Root Administrator
    I didn't see anything in the Apache CGI documentation about "always". Did it correct your issue? Did temporarily changing the PHP handler correct the issue?
     
  8. John Napoletano

    Joined:
    Mar 17, 2016
    Messages:
    15
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Twitter:
    The "always" condition is mentioned in the mod_headers doc. I have not tried it yet as others have pointed to CGI as the issue. The PHP header method is working. I'll have to move onto HTTP2 and review package requirements before revisiting this issue.

    Thanks for your input!
     
  9. John Napoletano

    Joined:
    Mar 17, 2016
    Messages:
    15
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Twitter:
    @cPWilliamL
    @fuzzylogic

    OK I believe I found the solution and it passes the necessary Google HSTS test up to the "preload" status (I don't want to preload). The issue seems to be with htaccess redirecting and not specific to CGI or my Apache settings. Notice the "E=HTTPS" flag on the www redirect. Here is the htaccess HSTS part to simplify.

    Code:
    # Redirect to https
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    
    # Redirect to www
    RewriteCond %{HTTP_HOST} ^yourdomain\.com [NC]
    RewriteRule (.*) https://www.yourdomain.com/$1 [E=HTTPS,R=301,L]
    
    # Security header
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
    
    Google's tool tipped me off that they want to see two redirects not one. The env=HTTPS environment variable wasn't working as expected. So I used the E=HTTPS flag on the www redirect to set the env=HTTPS environment variable on the next request.

    Apache 2.4 Env Docs
    Environment Variables in Apache - Apache HTTP Server Version 2.4

    Test with these two:
    HSTS Preload List Submission (Google)
    Analyse your HTTP response headers

    If anyone wants to add to this or confirm the fix feel free. I doubt I'm the only one having trouble with this.
     
    #9 John Napoletano, Oct 22, 2017
    Last edited: Oct 22, 2017
  10. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    557
    Likes Received:
    14
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    This my htaccess but still this site check giving error. Error: No HSTS header and Error: HTTP redirects to www first. Please let me know this fix, Thanks

    Code:
    RewriteEngine On
    
    # Force www:
    RewriteCond %{HTTP_HOST} !^$
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteCond %{HTTPS}s ^on(s)|
    RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    
    # Force SSL:
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    
    # Security header Enable HSTS
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

    What is correct rules for Enable HSTS ?

    Code:
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
    
    or
    
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
    
    or
    
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" preload env=HTTPS
     
    #10 Nirjonadda, Dec 30, 2017
    Last edited: Dec 30, 2017
  11. John Napoletano

    Joined:
    Mar 17, 2016
    Messages:
    15
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Twitter:
    I see that you quoted my working rules but your example doesn't follow them. The HSTS test error says that you redirected www first, your first rule is "Force www". And you also did not set the E=HTTPS flag.

    Try to copy and paste the three rules I created to replace yours. Change "yourdomain" of course. Do not change the order of the rules. Do not combine them with other rules or conditions. You can add rules below these three lines as needed.
     
  12. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    557
    Likes Received:
    14
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    So is this correct rules? Please let me know.

    Code:
    RewriteEngine On
    
    # Force www:
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [E=HTTPS,R=301,L]
    
    # Force SSL:
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    
    # Security header Enable HSTS
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
     
  13. John Napoletano

    Joined:
    Mar 17, 2016
    Messages:
    15
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Twitter:
    Not correct. You changed the order of the rules. Here is my code copy from above in the chain:

    Code:
    # Redirect to https
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    
    # Redirect to www
    RewriteCond %{HTTP_HOST} ^yourdomain\.com [NC]
    RewriteRule (.*) https://www.yourdomain.com/$1 [E=HTTPS,R=301,L]
    
    # Security header
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
    I would suggest that you hard code the domain name as I have shown in the example also.
     
    Nirjonadda likes this.
  14. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    557
    Likes Received:
    14
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    One more ask, How to work HSTS preload?
     
  15. John Napoletano

    Joined:
    Mar 17, 2016
    Messages:
    15
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Twitter:
    Please start a new thread if you want advice on preload. My advice is simply DO NOT PRELOAD.
    I am suggesting that you pass the test up to the point you only get the preload error.

    Also review your headers in your browser F12 dev tools.
     
  16. Nirjonadda

    Nirjonadda Well-Known Member

    Joined:
    May 8, 2013
    Messages:
    557
    Likes Received:
    14
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Thanks for your great support, Now all are working without any issue.

    Code:
    RewriteEngine On
    
    # Force SSL:
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    
    # Force www:
    RewriteCond %{HTTP_HOST} !^www\.
    RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [E=HTTPS,R=301,L]
    
    # Security header Enable HSTS
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
     
    John Napoletano likes this.
Loading...

Share This Page