All Questions
Tagged with http-headers security
18 questions
0 votes · 0 answers · 1k views
Content-Security-Policy frame-ancestors not working
I'm running an OpenLiteSpeed server and would like to only allow webpages that start with a specific URL on my site (e.g. https://example.com/video/**) to be iframed by others. (I want to allow anyone ...
2 votes · 1 answer · 345 views
Is "access-control-allow-origin" a secure way to restrict communication between two servers?
I have two servers, A and B. I want server B to only accept HTTP requests from server A.
Is "access-control-allow-origin" a secure way to implement that?
3 votes · 2 answers · 5k views
How reliable is the "host" in an incoming HTTPS request?
I'm trying to understand what level of confidence I can have when my API which lives at api.foo.com receives a POST request from a page that has foo.com specified as its host value in the header.
...
0 votes · 0 answers · 230 views
Are requests with no headers a sign of hacking?
I run a NodeJS web application with packages up to date and secured with a strong password and RSA for SSH.
The application runs on two domains. I check the request headers to get the domain and found ...
4 votes · 0 answers · 3k views
List of all Permissions-Policy header keys and values?
Does someone have a list of all Permissions-Policy header keys and values?
What I have:
more_set_headers "Permissions-Policy: camera=(self), fullscreen=(*), geolocation=(self), payment=()";
...
3 votes · 0 answers · 10k views
How to configure Content-Security-Policy for Nginx and Drupal 8?
I have an Nginx server with Ubuntu 18.04 and a Drupal 8 site.
I have read in several articles that one should not use 'unsafe-eval', 'unsafe-inline'.
I added headers for security but the pages of the site ...
9 votes · 2 answers · 25k views
How can I add the Feature Policy header in Apache?
I have a multimedia site which lets users upload their own media (video, music) or embed media from sites like YouTube, Vimeo etc.
Recently, a new header has been announced. I tried to add this ...
0 votes · 1 answer · 2k views
Pros/Cons to disabling HEAD requests with Nginx?
I have a static blog/site and I'm wondering if there are any negative implications of disallowing/disabling HEAD requests within my Nginx conf? For example: would it break the site with certain web ...
1 vote · 1 answer · 1k views
How to deny requests that contain a certain header and do not come from whitelisted IPs in nginx?
I would like to double protect an application that uses a custom header to authorize some critical views. Since those calls should only originate from some well-known IPs, I would like to block ...
3 votes · 1 answer · 3k views
Is setting a Content Security Policy incompatible with Joomla's admin page?
I'd like to set a content security policy header for a Joomla website running on Apache 2.4.
Using this configuration from h5bp and setting Header set Content-Security-Policy "script-src 'self'; ...
0 votes · 1 answer · 814 views
Sending two Content-Security-Policy headers
I currently have an nginx server that is sending the Content-Security-Policy header; however, I've read that apparently IE only supports "X-Content-Security-Policy".
Would it be a good idea to send both ...
2 votes · 1 answer · 3k views
IIS7 response header exposes server information when a POST request is incomplete
IIS reveals "Server: Microsoft-HTTPAPI/2.0" in the response header when an invalid POST request is made, e.g. content-length is not included in the header. The response returned also says HTTP/1.1 411 ...
9 votes · 3 answers · 37k views
Set Access-Control-Allow-Origin in nginx using wildcard domain
With nginx can I specify Access-Control-Allow-Origin using a wildcard like *.mydomain.com?
Would it look like:
add_header Access-Control-Allow-Origin *.mydomain.com;
Thanks.
22 votes · 1 answer · 15k views
What's the use of X-Powered-By, Server and other similar HTTP headers?
What's the use of Server, X-Powered-By and other similar headers? Looks like the consensus is they should be removed so that automatic vulnerability scanners don't immediately know which version of ...
4 votes · 1 answer · 3k views
Hide/Replace Nginx Location Header?
I am trying to pass a PCI compliance test, and I'm getting a single "high risk vulnerability".
The problem is described as:
Information on the machine on which a web server is located is sometimes ...
4 votes · 1 answer · 2k views
Applying header range fix to Apache 2.0.59 issue CVE-2011-3192
I've been trying to apply the suggested fix to Apache for CVE-2011-3192, which was to add to httpd.conf
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-...
4 votes · 1 answer · 8k views
Apache - disable range requests - disadvantages?
As there is a working exploit against Apache's byte range implementation (CVE-2011-3192, see here), I'd like to disable it until official patches are shipped with my distros (Debian, Ubuntu). The ...
1 vote · 2 answers · 4k views
Why would PROPFIND and DAV appear in response headers when WebDAV is disabled?
I've got a bit of a challenge I'm hoping someone has some ideas on. I'm in the process of deploying a web app to a shared environment with a host running IIS7.5. A security scan has shown that WebDAV ...