Warning: Unnecessary HSTS header over HTTP

We would like to add the HSTS header to our page https://www.wipfelglueck.de.
Our page is running on a shared server, so we don’t have access to the httpd.conf. We tried to enable this header via the .htaccess file like this:

<IfModule mod_headers.c>
  DefaultLanguage de
  Header set X-XSS-Protection "1; mode=block"
  Header set X-Frame-Options "sameorigin"
  Header set X-Content-Type-Options "nosniff"

  Header set X-Permitted-Cross-Domain-Policies "none"

  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  # header name and value are separate arguments; a colon after the name is not valid syntax
  Header set Referrer-Policy "no-referrer"

  # the dot must be escaped, otherwise "." matches any character
  <FilesMatch "\.(js|css|xml|gz)$">
    Header append Vary Accept-Encoding
  </FilesMatch>

  <FilesMatch "\.(ico|jpg|jpeg|png|gif|webp)$">
    Header set Cache-Control "max-age=2592000, public"
  </FilesMatch>
  <FilesMatch "\.(css|js|json|html)$">
    Header set Cache-Control "max-age=604800, public"
  </FilesMatch>
</IfModule>

When we check the page we receive the warning in subject with this text:
“The HTTP page at http://wipfelglueck.de sends an HSTS header. This has no effect over HTTP, and should be removed.”

I have tried several ways to solve this but have not been successful so far. I can't find a solution on the web, so I would be happy if you could give me a hint on this!

Thank you very much!!
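The following is an added example of how the header can be restricted to TLS responses in a .htaccess file; it is not the configuration from the question. It assumes Apache 2.4 with mod_headers and mod_rewrite enabled, and that mod_ssl sets the HTTPS environment variable, which is the normal case when Apache terminates TLS itself. The checker's complaint is that the plain-HTTP origin (http://wipfelglueck.de) returns a Strict-Transport-Security header that browsers must ignore; the fix is to send only a redirect on HTTP and the policy on HTTPS.

```apache
# Added example, not the original .htaccess: HSTS only on TLS responses,
# plus an HTTP -> HTTPS redirect so the plain-HTTP origin sends no policy.

<IfModule mod_rewrite.c>
  RewriteEngine On
  # Anything arriving over plain HTTP gets a permanent redirect to the same
  # URL on HTTPS. The HTTP response then carries only the redirect, which is
  # what the checker (and the HSTS preload list requirements) expect.
  RewriteCond %{HTTPS} !=on
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

<IfModule mod_headers.c>
  # env=HTTPS: the directive fires only when the HTTPS variable is set, i.e.
  # on the TLS side. "always" keeps the header on error responses as well.
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</IfModule>
```

Two caveats a practitioner should check before copying this. First, if the shared host terminates TLS on a proxy in front of Apache, the HTTPS variable may never be set and the header would silently disappear; in that setup the condition has to be derived from the proxy's X-Forwarded-Proto header instead (for example with mod_setenvif, `SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on`, placed before the Header directive). Second, `preload` and `includeSubDomains` commit every subdomain to HTTPS for a year once the domain is submitted to the preload list, so leave `preload` out until every subdomain actually serves TLS. Verify with two requests: a HEAD to the http:// URL should return a 301 and no Strict-Transport-Security header, and the same request to the https:// URL should return the header.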

How to perform a http post using c++ and json data


lets encrypt – How do I renew LetsEncrypt certificates for a wildcard domain via HTTP challenge?

I have created and installed a cert for my wildcard domain *.example.com OK using a dns challenge. So far, so good.

Now I want to renew the cert using a cronjob. I will need to use the HTTP challenge because my DNS host has no API mechanism for me to automatically create the TXT record. What I don't understand is how to tell certbot/letsencrypt where my HTTP server is, given the domain is a wildcard that doesn't point to the server where I'm running certbot.

HTTP issue

Hi,

I have a VPS with cPanel and use PHP-FPM. The website is now secured with HTTPS. But when the website is served over HTTP, PHP-FPM does not respond. … | Read the rest of https://www.webhostingtalk.com/showthread.php?t=1826279&goto=newpost

Why doesn't a simple HTTP request to display a remote web page violate the Same Origin Policy?

On a w3schools page, I found that HTTP requests work like this:

  • A client (a browser) sends an HTTP request to the web
  • A web server receives the request, and runs an application to process it
  • The server returns an HTTP response (output) to the browser
  • The client (the browser) receives the response.

On the same page I found that an XMLHttpRequest works like this:

  • A browser creates an XMLHttpRequest object and sends it to the server
  • The server processes the request, creates a response and sends data back to the browser
  • The browser processes the returned data using JavaScript and updates the page content.

The above two processes appear pretty much the same to me. However, the latter one violates the Same Origin Policy (SOP) if the server runs on a remote domain. This question on stackoverflow about the url in the open() method says that

As we can only send requests to our own web server, I assume that we don’t have to rewrite the website’s name in the URL.

Applying the same logic to the first case (HTTP requests) would mean that I couldn't open a web page if it is not on my own computer. Luckily, this is not the case.

So, why doesn't an HTTP request to display a remote web page violate the SOP? What is the key point/difference here?

I assume it's about the fact that the second process (XMLHttpRequest) is initiated from a script, while the first one is triggered by the user. However, isn't the HTTP request sent from a script when I click a hyperlink on a web page? And how can a web server distinguish between requests coming from a script and requests coming from a user?
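The following is an added example (not part of the question or any answer to it) that models the distinction the question is circling: the same-origin policy never stops a page from sending a request to a remote server; it stops a script from reading the response unless the remote origin opts in with a CORS header. A navigation (typing a URL, clicking a link) hands the response to a fresh browsing context whose origin is the target's, so no script from the old origin ever sees the bytes. The origins, URLs and response headers below are constructed for illustration, and the "browser" here is a small model written in plain JavaScript; it runs in Node without a network.

```javascript
// Added example, not from the original post: a minimal model of how a
// browser applies the same-origin policy. No network access is used.

// An origin is the (scheme, host, port) triple of a URL. Two URLs share an
// origin only if all three match; the path and query string do not matter.
// URL.host already drops a default port, so https://a.example:443 and
// https://a.example compare equal.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Browser-side check: may script running at `scriptOrigin` read a response it
// fetched (via fetch/XMLHttpRequest) from `targetUrl`, given the
// Access-Control-Allow-Origin header the server sent back (undefined if none)?
// The request was still sent and still answered; only the script's access to
// the response body is gated. The server does not enforce anything here.
function scriptMayReadResponse(scriptOrigin, targetUrl, allowOriginHeader) {
  if (sameOrigin(scriptOrigin, targetUrl)) return true;
  if (allowOriginHeader === '*') return true;
  return allowOriginHeader === originOf(scriptOrigin);
}

// A top-level navigation (address bar, link click, form GET) is not subject
// to that check: the browser renders the response in a context that belongs
// to the *target* origin. Script from the previous page can only reach into
// the new document (window.opener, iframe contentDocument) if the origins match.
function navigate(fromUrl, toUrl) {
  return {
    renderedIn: originOf(toUrl),
    oldScriptMayReadDocument: sameOrigin(fromUrl, toUrl),
  };
}

// How a server *can* tell the two apart: the browser labels the request.
// Modern browsers send Sec-Fetch-Mode ("navigate" for navigations, "cors" for
// fetch()/XHR, whose default mode is cors even when same-origin) and add an
// Origin header to cross-origin fetch/XHR requests. GET navigations carry no
// Origin header.
function browserRequestHeaders(kind, scriptOrigin, targetUrl) {
  const headers = {};
  if (kind === 'navigate') {
    headers['Sec-Fetch-Mode'] = 'navigate';
  } else if (kind === 'fetch') {
    headers['Sec-Fetch-Mode'] = 'cors';
    if (!sameOrigin(scriptOrigin, targetUrl)) {
      headers['Origin'] = originOf(scriptOrigin);
    }
  } else {
    throw new Error(`unknown request kind: ${kind}`);
  }
  return headers;
}
```

The practical consequence for the question: a page on https://a.example can make a cross-origin XMLHttpRequest to https://api.b.example; the request leaves the browser and the server answers it. What the browser withholds is the response, unless the server's Access-Control-Allow-Origin names https://a.example (or `*`). That is also why a server that wants to refuse script-driven cross-origin requests cannot rely on "did a user click this"; it has to look at the Origin and Sec-Fetch-* headers the browser attaches, and at its own CSRF defences.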

redirect – I am receiving a pluggable.php warning sign on my only http:// page

The "headers already sent" message means that something — a plugin or a theme, usually — is sending output before it's meant to. Often this is due to whitespace appearing in a file after the closing ?> tag, which can make it hard to find the culprit.

The fact that pluggable.php is the apparent culprit tells me that it’s most likely a plugin that’s replacing some of WordPress’s pluggable functionality. Often this is related to user management, though there are other pluggable functions.

The usual advice in this situation is to turn off all your plugins and switch to a default theme. If the problem goes away, then the culprit is a plugin or the theme you were using. Turn them back on one by one until the problem recurs. Now you’ve found the culprit. You will then know who you need to reach out to for support.

Pluggable Functions — it’s possible, too, that there’s a plugin attempting to do HTTP->HTTPS redirection, and that might be causing you grief.

Why not just use a domain property instead of prefix properties for https, http and www in Google Search Console?

I just added my website to Google Search Console as the domain validated property example.com. Now when I try to link it with Google Analytics (GA), it says no property is added to the console.

Perhaps Google Analytics is right because I have not added any prefix property. It was just a domain name (example.com). To link my GA with GSC I have also added these prefix properties:

  • https://example.com
  • http://example.com
  • http://www.example.com
  • https://www.example.com

(all of these 4 properties redirect to my domain example.com. Why?)

I'm not able to add www.example.com as a domain property in GSC because it does not allow it.

Now, after adding all 4 properties of my domain, GA shows these properties when I try to link GSC with GA.

So, which property should I choose to link with GA (e.g., HTTP or HTTPS)? If I choose https://example.com, as I did for my website, what about the other properties? Will GA show me the data for the other properties, all of which land on example.com (the domain)?

Why add so many properties to GSC when they all land on the domain (example.com)?
Do I need to add a separate zone record (c-panel) for verification?

Why did I add so many properties when example.com (domain) seems like it should be more than enough?

tls – Server to Server HTTP Authentication

I’m designing an API, and had some quick questions about HTTP authentication and security.

The API will involve two web servers, one of which I am the developer of (let’s call it Server 1). The server that I am interested to retrieve data from, unfortunately, is one I do not have control over (Server 2).

In order to retrieve data from Server 2, a ‘user’ needs to log in first. This is performed with basic HTTP authentication.

My question is: Are there any serious security vulnerabilities present if I send a username and password (contained in JSON) in the body of a POST request from Server 1 to Server 2 in order to log a ‘user’ in and create a session? The username and password would be safely contained in config variables until they are sent in the POST request. Both servers use SSL, so the messages should be encrypted.

As I do not have control over Server 2, this is the only way I can think of to create this API, without requesting development on Server 2.

I would think this is basically the same as using a regular HTML form to log in to a service using username/password, but I wanted to get confirmation from the community.

Thank you very much.

angular – Making nested HTTP GET requests in JavaScript

I have been asked to build some functionality in JavaScript, which I don't have much experience with. The problem is the following:
I have to make a request that returns a list of dictionaries containing, among other data, a userId that represents a person. I then need to make another GET call to get the username for that identifier and store it in that first array of dictionaries so it can be shown in the front end. Since several positions in the first array may have the same userId, I would like to save on calls by keeping this information in some variable, but I am having trouble accessing some variables in the code and with the asynchrony.
The code is the following:

messages;
ngOnInit(): void {
    this.authString = localStorage.getItem('authString');

    this.http.get(environment.apiUrl + '/api/message/', {
      headers: new HttpHeaders({
        "Authorization": "Basic " + this.authString
      })
    }).subscribe(response => {
      this.messages = response;

      let id_names = [];   // cache of { id, username } pairs already looked up
      for (let i in response) {
        if (!id_names.find(entry => entry.id === response[i]["id"])) { // if we don't have it yet
          this.http.get(environment.apiUrl + '/api/users/' + response[i]["userId"], {
            headers: new HttpHeaders({
              "Authorization": "Basic " + this.authString
            })
          }).subscribe(res => {
            // runs later, once the response arrives, after the loop above has already finished
            this.messages[i]["username"] = res["username"];
            id_names.push({ id: response[i]["id"], username: res["username"] });
            console.log(id_names);
          });
        }
        else { // if we already have it in id_names
          // never reaches this part
        }
      }

    });
  }

The problem is that the first GET runs several times first and only then the second one, so the if condition is never evaluated with id_names filled in.
Also, the variables die outside the subscribes and I don't know how to get them out.
Is there a different way to do the http.get? Is there a way to access the variables from outside?

Thanks.
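The following is an added example, not the asker's code or an answer from the thread. It shows the shape that avoids both problems in the question: collect the distinct userIds first, look each one up exactly once, wait for all lookups to finish, and only then attach the usernames. It uses plain Promises and async/await rather than Angular's Observables so it runs stand-alone in Node; `fetchJson` is a constructed in-memory stand-in for `this.http.get` (the Authorization header is left out of the stub), and the message and user records are made up. A lookup that fails (unknown user) leaves `username` as `null` instead of failing the whole page.

```javascript
// Added example, not the code from the question: one lookup per distinct
// userId, run in parallel, then usernames attached to every message.

// Constructed sample backend data (not real).
const SAMPLE_MESSAGES = [
  { id: 1, userId: 'u1', text: 'hello' },
  { id: 2, userId: 'u2', text: 'hi' },
  { id: 3, userId: 'u1', text: 'again' },
  { id: 4, userId: 'u9', text: 'from a user that no longer exists' },
];
const SAMPLE_USERS = { u1: { username: 'alice' }, u2: { username: 'bob' } };

let requestCount = 0; // lets the caller check how many requests were made
function resetRequestCount() { requestCount = 0; }
function getRequestCount() { return requestCount; }

// Stand-in for the HTTP client. Resolves asynchronously, like a real call,
// so callbacks run after the calling code has moved on, exactly as in the
// question's subscribe() callbacks.
async function fetchJson(path) {
  requestCount += 1;
  await new Promise(resolve => setTimeout(resolve, 1));
  if (path === '/api/message/') return SAMPLE_MESSAGES.map(m => ({ ...m }));
  const m = /^\/api\/users\/(.+)$/.exec(path);
  if (m && SAMPLE_USERS[m[1]]) return { ...SAMPLE_USERS[m[1]] };
  throw new Error(`404 ${path}`);
}

// Pure helpers, so the logic can be tested without any I/O.
// Distinct userIds in first-seen order; a Set does the de-duplication the
// question tried to do with id_names inside the loop.
function distinctUserIds(messages) {
  return [...new Set(messages.map(m => m.userId))];
}

// Attach usernames from a Map of userId -> username; unknown ids get null.
function attachUsernames(messages, usernameById) {
  return messages.map(m => ({
    ...m,
    username: usernameById.has(m.userId) ? usernameById.get(m.userId) : null,
  }));
}

// Orchestration: 1. messages, 2. distinct ids, 3. one lookup each, all in
// flight at once, 4. attach. Nothing touches the result until every lookup
// has settled, so there is no "variable dies outside the subscribe" problem:
// the data is returned, not captured in a callback.
async function loadMessagesWithUsernames(client = fetchJson) {
  const messages = await client('/api/message/');

  const lookups = await Promise.all(
    distinctUserIds(messages).map(async id => {
      try {
        const user = await client('/api/users/' + id);
        return [id, user.username];
      } catch (err) {
        return [id, null]; // one missing user must not break the whole list
      }
    })
  );

  return attachUsernames(messages, new Map(lookups));
}
```

In Angular the same shape is written with rxjs: `switchMap` from the messages request into a `forkJoin` of the per-user requests (each with `catchError` returning `of(null)`), then `map` to attach the names; the component subscribes once to that single Observable and assigns `this.messages` in that one callback. The point is the same as above: de-duplicate before issuing requests, and do not read the merged result until everything has arrived.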