Discover Top Posts Tagged with #httpheaders

HTTP headers are invisible to most people — but they can make or break technical SEO. 🧩🔧

In this guide we explain: ✅ the headers that matter for SEO (and why) ✅ caching, redirects, and status codes ✅ security headers (without the fluff) ✅ how to check headers quickly and fix common issues

👉 Full Article

Website Security: A Simplified Guide to Protect Your Online Home | Kreatif Ninja

Just like your home needs locks, your website needs protection too.🔒 Not sure where to start with website security? We've got you covered! Check out our simplified guide to securing your online home. 🌐🔐 #WebsiteSecurity #CyberSecurity

Introduction Just like you secure your home, your website – your online home – requires the same attention. So, how do you improve website security? It’s simpler than you might think. We can bolster our website’s safety with some quick adjustments, known as ‘HTTP headers.’ Imagine these as the instruction manual for your website, guiding its behavior when people visit. Let’s simplify these…

View On WordPress

#Cybersecurity #HTTPHeaders #OnlineSafety #UserSafety #WebDevelopment #WebsiteSecurity

Fetch API bug: can't GET or SET multiple Set-Cookie Headers

Fetch is a new native JavaScript API that provides an interface for fetching resources (including across the network): according to Google Developers Documentation, "Fetch makes it easier to make web requests and handle responses than with the older XMLHttpRequest", thus applying to be the spiritual successor of the XHR-based approach (widely used by JQuery and the likes). As a matter of fact, Fetch API has been designed to be very familiar to anyone who has used XMLHttpRequest, while providing a more powerful and flexible feature set. The new API provides a generic definition of Request and Response objects, as well as other interface involved with network requests: such approach allow them to be used wherever they are needed in the future, whether it’s for service workers, Cache API, and other similar things that handle or modify requests and responses, or any kind of use case that might require you to generate your responses programmatically. It also defines related concepts such as Cross-Origin Resource Sharing (CORS) and the HTTP Origin header semantics, supplanting their separate definitions elsewhere. I've personally used Fetch API in most of my latest JavaScript projects, such as CORSflare - a pure JS Proxy specifically designed to overcome CORS-related and SameOrigin-based issues: however, today I've stumbled upon a major bug that, for the first time, led me to doubt that such interface is mature enough for production usage. Read the full article

#Cookies #CORS #FetchAPI #HTTPHeaders #Javascript #Set-Cookie #StackOverflow #XMLHttpRequest

NGINX - Access-Control-Allow-Origin - CORS policy settings

Those who often read this blog already know that we're deeply in love with NGINX, a lightweight, high-performance and open-source web server and reverse proxy used by more than 358 million websites and over 66% of the world’s top 10,000 websites. And no, we're not taking money from them to say this, we just happen to like it a lot. Anyway, in this post I'll briefly share the CORS configuration I'm using for the web sites that need to perform Cross Request Resource Sharing activities of any kind - such as using web-fonts from a subdomain on a main domain, or something like that: location / { if ($request_method = 'OPTIONS') { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Credentials' 'true'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; add_header 'Access-Control-Max-Age' 1728000; add_header 'Content-Type' 'text/plain charset=UTF-8'; add_header 'Content-Length' 0; return 204; } if ($request_method = 'POST') { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Credentials' 'true'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; } if ($request_method = 'GET') { add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Credentials' 'true'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; } } Since it's a pretty long piece of code, you might want to put this on a separate file (such as /etc/nginx/cors-settings.conf ) and then include it with the following one-liner: include /etc/nginx/cors-settings.conf; Pretty neat, isn't it? If you're looking for further info about how to set & configure other NGINX security headers, such as X-Frame-Options, HTTP Strict Transport Security (HSTS), X-XSS-Protection, X-Content-Type-Options, Content Security Policy and Referrer Policy, be sure to check our NGINX HTTP Security Headers guide. Read the full article

#CORS #HTTPHeaders #HTTPSecurityHeaders #Nginx

ERR_RESPONSE_HEADERS_MULTIPLE_CONTENT_DISPOSITION error in Chrome - How to fix

Today we were called to fix a strange issue that was happening to one of our colleagues when trying to download a PDF file from one of our Document Management Systems. The error was related to a single file and sounded like this: This page isn't working (the website) sent an invalid response. ERR_RESPONSE_HEADERS_MULTIPLE_CONTENT_DISPOSITION

That sounded quite strange, especially considering the fact that a lot of other files - same extension, same size and so on - was working fine. We found the solution rather quickly by finding this StackOverflow thread, which luckily enough pointed us to the right direction. The issue was related to a single "comma" in the filename as defined in the Content-Definition header, which was unescaped: Response = 'attachment; filename=file,name.pdf'; It's worth noting that, even if the mentioned SO topic was related to Django, it's definitely an universal issue: we were getting it with ASP.NET C# as well. Anyway, the proper solution was to escape the filename using double quotes, thus avoiding HTTP header mismatches: Response = 'attachment; filename="file,name.pdf"'; That's pretty much about it. I hope that this quick fix will help those who'll be stuck with this issue as well! Read the full article

#ASP.NET #Content-Disposition #Django #GoogleChrome #HTTPHeaders

ERR_RESPONSE_HEADERS_MULTIPLE_CONTENT_DISPOSITION error in Chrome - Come risolvere

Oggi ci è stato chiesto di risolvere uno strano problema HTTP riscontrato da un operatore di un nostro cliente al momento del download di un file PDF tramite uno dei Document Manager System da noi realizzati. Il browser, soltanto al tentativo di download di quel singolo file, rispondeva con il seguente messaggio di errore: This page isn't working (the website) sent an invalid response. ERR_RESPONSE_HEADERS_MULTIPLE_CONTENT_DISPOSITION

Si tratta di un errore HTTP che a prima vista può sembrare particolarmente strano, specie considerando che il problema si verifica soltanto su un singolo file, avente estensione, dimensioni e caratteristiche del tutto analoghe a quelle di tuti gli altri file che funzionavano correttamente (con l'eccezione di una, come vedremo tra poco). Abbiamo trovato la soluzione dopo pochi minuti grazie a questo thread sul portale StackOverflow , nel quale è descritta la causa del problema: la presenza di una "virgola" all'interno del nome file indicato all'interno dell'header HTTP Content-Definition, il quale veniva compilato dal codice di back-end nel seguente modo: Response = 'attachment; filename=file,name.pdf'; E' importante sottolineare che, benché il thread su SO sia relativo al framework Django, si tratta in realtà di un problema universale: nel nostro caso, ad esempio, si verificava su un applicativo realizzato in ASP.NET C#. Ad ogni buon conto, la soluzione è stata quella di aggiungere le doppie virgolette alla definizione del filename, così da evitare una valorizzazione errata di quell'header HTTP: Response = 'attachment; filename="file,name.pdf"'; Per il momento è tutto: ci auguriamo che questo fix possa essere di aiuto ad altri sviluppatori che si troveranno ad affrontare questa problematica. Read the full article

#ASP.NET #Content-Disposition #Django #GoogleChrome #HTTPHeaders

Expect-CT - A new HTTP Security Header to be aware of

I'm writing this post as a follow-up of this article about HTTP Security Headers that I wrote a year ago to introduce a new kid on the block: its name is Expect-CT and - if you never heard about it - it's definitely worth a 5-min read. In the first part of this post we'll mostly deal with the definition and learn the basics about the topic: then, we'll dig into the implementation part, explaining how to implement this new http security header on Apache, Nginx and IIS web servers.

Certificate Transparency

CT, as you might already know, is an acronym for Certificate Transparency, an open framework made by Google for monitoring and auditing the certificates issued by Certificate Authorities in near real-time. You can think of it as a open-data register that can (and most likely will) be used by all the CA to log all certificates they generate: by looking at that register, webmasters and site owners will be able to identify mis-issued certificates and protect their website - and their users - from forged certificates and/or rogue authorities. If you want to know more about the framework, you can visit the Certificate Transparency official Website, where you'll find a lot of useful resources and infographics - including this awesome explanatory video: https://www.facebook.com/atscaleevents/videos/1904853043121124/

The Expect-CT header

Now, let's see what does the Expect-CT header have to do with all that. Starting from July 2018 (Chrome 68), Google Chrome will not trust any SSL certificate that does not comply with the aforementioned Certificate Transparency Policy: that basically means that, if your certificate is not listed, your users and visitors will get the following security alert:

The Expect-CT header can be used to check that all your certificates have been properly listed: it can be implemented easily - very little configuration required - and can be added in two different operating modes: report-only (the default) and enforce. Here's the full set of available directives: enforce: the optional enforce directive controls whether the browser should enforce the policy or treat it as report-only mode. The directive has no value so you simply include it or not depending on whether or not you want the browser to enforce the policy or just report on it. max-age: the required max-age directive specifies the number of seconds that the browser should cache and apply the received policy for, whether enforced or report-only. report-uri: the absolute URL where the browser should send reports if it does not receive valid CT information.

Implementation examples

Here's a sample implementation of the report-only mode: By implementing this policy, whenever the browser doesn't find CT info regarding any certificate, it will send a report to the specified report-uri value (without terminating the connection): as we can see, we're using a max-age of 0 for this scenario - it's a report, therefore it makes little sense to cache it. And here's a sample implementation for the enforce mode: With the following policy, the browser will now enforce the policy and cache it for 300 seconds - 5 minutes. Apache Here's how you can implement the Expect-CT http security header on Apache: If you want to implement the other security headers on Apache, check out this post. Nginx Here's how you can implement the Expect-CT http security header on Nginx: If you want to implement the other security headers on Nginx, check out this post.

IIS

Here's how you can implement the Expect-CT http security header on Internet Information Services (IIS): If you want to implement the other security headers on IIS, check out this post.

Conclusions

That's about it: I sincerely hope that this post will help you to improve the security level of your web site(s)! Read the full article

#Apache #CertificateTransparency #Google #GoogleChrome #HTTPHeaders #HTTPSecurityHeaders #IIS #Nginx