Security headers settings via htaccess.conf

Keywords: WordPress - AWS - Technical issue - Other
Description:
I need to modify and remove response headers; I've achieved most of it via editing

/home/bitnami/apps/wordpress/conf/htaccess.conf

But for two headers I am unable to change or remove them.

  • Cache-Control always has two conflicting entries
  • The Server header is always ‘Apache’ but needs to be removed.

Any advice?

Thanks in advance

My current htaccess.conf file looks like this.


<Directory "/opt/bitnami/apps/wordpress/htdocs/">
# Only allow direct access to specific Web-available files.

<IfModule mod_headers.c>
        Header set Content-Security-Policy "< a long string that works :-) >"

        # Directive and header names are case-insensitive, and mod_headers
        # accepts a trailing colon on the header name, so the original
        # spellings worked; they are normalised here for readability.
        # "always" acts on the table that is also sent with error responses.
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Content-Type-Options "nosniff"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always unset Cache-Control
        Header always set Cache-Control "public, max-age=300"
        Header always set Referrer-Policy no-referrer-when-downgrade
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        Header always unset X-Powered-By
        # The Server header is added by httpd core when the response is
        # written, after mod_headers has run, so this unset has no visible
        # effect; ServerTokens Prod is what trims it to a bare "Apache".
        Header always unset Server
</IfModule>
</Directory>


<Directory "/opt/bitnami/apps/wordpress/htdocs/wp-content/plugins/akismet">
# Apache 2.2
<IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
</IfModule>

# Apache 2.4
<IfModule mod_authz_core.c>
        Require all denied
</IfModule>


<IfModule mod_headers.c>
        Header unset Vary
</IfModule>


# Akismet CSS and JS
<FilesMatch "^(form\.js|akismet\.js|akismet\.css)$">
        <IfModule !mod_authz_core.c>
                Allow from all
        </IfModule>

        <IfModule mod_authz_core.c>
                Require all granted
        </IfModule>
</FilesMatch>

# Akismet images
<FilesMatch "^logo-full-2x\.png$">
        <IfModule !mod_authz_core.c>
                Allow from all
        </IfModule>

        <IfModule mod_authz_core.c>
                Require all granted
        </IfModule>
</FilesMatch>
</Directory>

And the headers:

HTTP/1.1 200 OK
Date: Mon, 21 Jun 2021 16:11:59 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Link: <https://www.cirrus-connect.com/wp-json/>; rel="https://api.w.org/", <https://www.cirrus-connect.com/wp-json/wp/v2/pages/49>; rel="alternate"; type="application/json", <https://www.cirrus-connect.com/>; rel=shortlink
X-Frame-Options: SAMEORIGIN
Cache-Control: public, max-age=300
Referrer-Policy: no-referrer-when-downgrade
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Mod-Pagespeed: 1.13.35.2-0
Vary: Accept-Encoding
Content-Encoding: br
Content-Security-Policy: < removed for brevity sake >;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Cache-Control: max-age=0, no-cache, s-maxage=10
Content-Length: 21373
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
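The dump above shows both symptoms directly: two Cache-Control lines and a Server header that survives `Header always unset Server`. The script below is an added example, not code from this thread or from the Bitnami stack; it audits a captured response header block (the output of `curl -sI`, or a dump pasted from a browser) and flags a duplicated Cache-Control header, a Server header (with a stronger warning when it carries a version), and any of the hardening headers the htaccess.conf above sets that are missing. The SAMPLE block at the bottom is a trimmed copy of the dump above with a placeholder Content-Security-Policy value, and the URL in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an HTTP response header
# block for a duplicated Cache-Control header, a Server header, and missing
# hardening headers. Usage (placeholder URL):
#   curl -sI https://www.example.org/ | audit_headers

# Number of times a header name occurs in the block on stdin.
# HTTP header names are case-insensitive, so the comparison is too.
count_header() {
    tr -d '\r' | awk -v n="$1" -F':' 'tolower($1) == tolower(n) { c++ } END { print c + 0 }'
}

# Value of the first occurrence of a header (empty output if absent).
header_value() {
    tr -d '\r' | awk -v n="$1" -F':' \
        'tolower($1) == tolower(n) { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Print one FAIL:/WARN: line per finding, then "findings: N".
# Always exits 0 so it is safe to call under set -e; read the count instead.
audit_headers() {
    hdrs=$(cat)
    findings=0

    cc=$(printf '%s\n' "$hdrs" | count_header Cache-Control)
    if [ "$cc" -gt 1 ]; then
        echo "FAIL: $cc Cache-Control headers; caches may honour either one:"
        printf '%s\n' "$hdrs" | tr -d '\r' | awk -F':' 'tolower($1) == "cache-control" { print "    " $0 }'
        findings=$((findings + 1))
    fi

    srv=$(printf '%s\n' "$hdrs" | header_value Server)
    if [ -n "$srv" ]; then
        case "$srv" in
            # A digit-dot-digit pattern means ServerTokens is leaking a version.
            *[0-9].[0-9]*) echo "FAIL: Server header leaks a version: $srv" ;;
            *) echo "WARN: Server header present; httpd core adds it after mod_headers runs, so Header unset cannot remove it: $srv" ;;
        esac
        findings=$((findings + 1))
    fi

    for h in Strict-Transport-Security X-Content-Type-Options X-Frame-Options Content-Security-Policy; do
        if [ "$(printf '%s\n' "$hdrs" | count_header "$h")" -eq 0 ]; then
            echo "FAIL: missing $h"
            findings=$((findings + 1))
        fi
    done

    echo "findings: $findings"
}

# Convenience wrapper for a live site.
audit_url() {
    curl -sSI -- "$1" | audit_headers
}

# Trimmed copy of the response pasted in the thread; the CSP value is a
# placeholder standing in for the real policy.
SAMPLE='HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=300
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src https:
X-Content-Type-Options: nosniff
Cache-Control: max-age=0, no-cache, s-maxage=10
Content-Type: text/html; charset=UTF-8'

printf '%s\n' "$SAMPLE" | audit_headers
```

On the sample this reports the two Cache-Control lines and the bare `Apache` Server header, i.e. `findings: 2`. The Server warning is the practical limit of stock httpd: `ServerTokens Prod` (which this stack evidently already uses, since only `Apache` is shown) removes the version, but removing the header entirely needs something outside mod_headers. The second Cache-Control value in the dump sits next to an `X-Mod-Pagespeed` header, so that module's caching settings (`ModPagespeedModifyCachingHeaders`) are the first place to look for where it is coming from.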

Hello @david.clare,

I can see a typo in your code:

  Header always unset Cache-COntrol

vs

  Header always unset Cache-Control 

In a clean installation, I was able to set it in the /opt/bitnami/apache2/conf/httpd.conf file.

About the Server header, I think this case may help:
https://stackoverflow.com/questions/35360516/cant-remove-server-apache-header/35363645

If you continue facing issues, we have a Support Tool that will gather relevant information for us to analyze your configuration and logs. Could you please execute it on the machine where the stack is running by following the steps described in the guide below?

Please note that you need to paste the code ID that is shown at the end.

Hi @davidg,
Thank you for that. I updated the header, but still no success.

Where in /opt/bitnami/apache2/conf/httpd.conf do you add that Cache-Control?

The Server header: I'm just going to argue that the value ‘Apache’ is not a big deal.

The Bitnami Support Tool times out/quits with:

  /unable to realloc 119104288 bytes

Many thanks

Hello @david.clare,

I used this section:

<IfModule headers_module>
    <IfVersion >= 2.4.7 >
        # setifempty adds the header only when no handler has already set it
        Header always setifempty X-Frame-Options SAMEORIGIN
        Header always set Cache-Control "public, max-age=300"
    </IfVersion>
    <IfVersion < 2.4.7 >
        Header always merge X-Frame-Options SAMEORIGIN
    </IfVersion>
    # Drop the client-supplied Proxy request header (httpoxy mitigation)
    RequestHeader unset Proxy
</IfModule>

You could try to stop the services before executing the support tool:

sudo /opt/bitnami/ctlscript.sh stop

Regards

Hi @davidg,
Thanks, those two suggestions I already tried :frowning:

What solved the problem for me was complaining loudly to the team running the testing; now the requirement to hide the Server name (without version) and to have only one key/value pair for Cache-Control has been dropped.

To be honest, the WP site was a mess before I moved it to an EC2 / Bitnami instance. It is a lesson for the marketing team to update their site and audit the plugins (over 30!!!) more than once every 6 years.

Thanks again
