
I have an Ubuntu 14.04 server running Apache + PHP-FPM + FastCGI, serving user home pages. For security, I have enabled in Apache's configuration:

Header set X-Content-Type-Options: "nosniff"
Header set X-Frame-Options: "sameorigin"
Header set X-XSS-Protection: "1; mode=block"

AllowOverride FileInfo is set, so users can use Header directives in .htaccess files for more control, if they need it. However, it seems Apache doesn't honour that when using PHP with CGI (mod_headers not sending headers when file is PHP), and that, even with Header always, .htaccess Header commands are ignored for PHP files.

My next thought was letting the user modify their PHP code to use the PHP header function, so that they can set it to X, and I can use setifempty to apply this only if the user hasn't. After a bit of experimenting, I found that these entries work:

Header set X-Frame-Options: "sameorigin" env=!SCRIPT_NAME
Header always setifempty X-Frame-Options: "sameorigin" env=SCRIPT_NAME

Without the env tests, I found that the first command, even if it was setifempty, or merge, would add a header, so that you'd see two X-Frame-Options in the headers.

Now, is that the correct way of going about this? Is the env=SCRIPT_NAME test sufficient, or is there a better test for determining whether the request will be handled by PHP-FPM/FastCGI or Apache itself?

muru
  • Have you found a solution for this? I just ran into the same problem – Nico Haase Apr 05 '18 at 15:13
  • @NicoHaase I think those two `Header` lines worked well enough for me that I didn't investigate much more. – muru Apr 06 '18 at 01:20
  • Our problem is that, even though we use `setifempty`, all headers are sent twice - once from the configuration in `.htaccess` and once from using `headers` in PHP :( – Nico Haase Apr 06 '18 at 07:12
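Added example (not from the question, and not Apache or PHP code): a small Python checker that parses a raw HTTP response, as captured with `curl -si`, and reports for each of the three headers in the question whether it is missing, set once with the expected value, or sent more than once, which is the duplication described in the question and the comments. The two sample responses below are constructed for the demonstration.

```python
"""Audit a raw HTTP/1.x response for duplicated or missing security headers."""
from __future__ import annotations

# Header names and the values the question's Apache configuration sets.
# Names are compared case-insensitively, as HTTP header names are.
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "sameorigin",
    "x-xss-protection": "1; mode=block",
}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the header section, keeping duplicates.

    The status line is skipped and anything after the first blank line (the
    body) is ignored. Both CRLF and bare LF line endings are accepted.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:
        if ":" not in line:
            continue  # not a header line (e.g. trailing junk)
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw: str) -> dict[str, str]:
    """One verdict per expected header: 'missing', 'duplicated', 'wrong-value' or 'ok'."""
    seen: dict[str, list[str]] = {}
    for name, value in parse_headers(raw):
        seen.setdefault(name, []).append(value)
    verdicts = {}
    for name, want in EXPECTED.items():
        values = seen.get(name, [])
        if not values:
            verdicts[name] = "missing"
        elif len(values) > 1:          # e.g. one from mod_headers, one from PHP header()
            verdicts[name] = "duplicated"
        elif values[0].lower() != want:
            verdicts[name] = "wrong-value"
        else:
            verdicts[name] = "ok"
    return verdicts


# Constructed sample: X-Frame-Options emitted twice, X-Content-Type-Options absent.
DUPLICATED = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: sameorigin\r\n"
              "X-XSS-Protection: 1; mode=block\r\nx-frame-options: SAMEORIGIN\r\n"
              "Content-Type: text/html\r\n\r\n<html></html>")
# Constructed sample: every header exactly once.
CLEAN = ("HTTP/1.1 200 OK\nX-Content-Type-Options: nosniff\nX-Frame-Options: sameorigin\n"
         "X-XSS-Protection: 1; mode=block\n\nbody")
```

Run `audit()` over the output of `curl -si` against a PHP page and a static page on the same vhost to compare how the two code paths behave after changing the Header directives.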

0 Answers