Wednesday 4 October 2017

X-FRAME-OPTIONS is shown twice and X-XSS-PROTECTION is shown wrong

So I am trying to fix my headers.

By checking the network requests when I hit my page, I see two errors.

1) X-FRAME-OPTIONS : SAMEORIGIN (is shown twice)

Cache-Control:no-cache
Connection:Keep-Alive
Content-Encoding:gzip
Content-Type:text/html; charset=UTF-8
Date:Wed, 04 Oct 2017 12:58:30 GMT
Keep-Alive:timeout=3, max=1000
Server:Apache
Set-Cookie:laravel_session=eifQ%3D%3D; expires=Wed, 04-Oct-2017 14:58:30 GMT; Max-Age=7200; path=/; secure; httponly
Set-Cookie:XSRF-TOKEN=n0%3D; expires=Wed, 04-Oct-2017 14:58:30 GMT; Max-Age=7200; path=/
Transfer-Encoding:chunked
X-CDN:Incapsula
X-Frame-Options:SAMEORIGIN * <-------------- HERE
X-Frame-Options:SAMEORIGIN * <-------------- HERE
X-Iinfo:7-6626704-6651371 NNNN CT(0 0 0) RT(1507121414380 495318) q(0 1 1 -1) r(2 2) U16
X-XSS-Protection:%E2%80%9C1;mode=block%E2%80%9D < -------- Strange Encoding here...

2) About X-XSS-PROTECTION : I can see the below error on console

Error parsing header X-XSS-Protection: â1;mode=blockâ: expected 0 or 1 at character position 0. The default protections will be applied.

I am using Laravel 5.0. I am checking FrameGuard.php, which is a by-default inactive middleware since Laravel 4.2, and you have the option to enable it. By having it disabled I have the above errors and I really can't understand why. So my first thought was to overwrite those headers by actually using that middleware.

When I use the middleware Illuminate\Http\Middleware\FrameGuard.php with the code below, nothing seems to change:

<?php

namespace Illuminate\Http\Middleware;

use Closure;

class FrameGuard
{
    public function handle($request, Closure $next)
    {
        $response = $next($request);

        // The third argument ($replace, default true) overwrites any value already set for the header.
        $response->headers->set('X-XSS-Protection', '1; mode=block');
        $response->headers->set('Content-Type', 'text/html; charset=UTF-8');
        $response->headers->set('X-Frame-Options', 'SAMEORIGIN', true);

        return $response;
    }
}

I also use Socialite, which has Facebook auth. Is there a chance that it modifies any headers? Any ideas? If you need more information please ask and I will provide it.



via Chebli Mohamed
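Both symptoms in the question (a security header emitted twice, and an X-XSS-Protection value that the browser rejects at character position 0) can be caught by a script instead of by eye. The following is an added example, not code from the post, from Laravel or from Symfony: it parses a header dump copied from browser dev-tools, decodes the percent-encoding dev-tools applies, flags single-valued security headers that appear more than once, and checks X-XSS-Protection values against the grammar browsers accept (0, 1, 1; mode=block, 1; report=uri). The sample header block is constructed from the dump above; the function names and the SINGLE_VALUED set are my own choices.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: the response headers quoted in the question, with the
# "* <---- HERE" annotations removed. The X-XSS-Protection value is kept
# percent-encoded exactly as the browser's network panel displayed it.
SAMPLE_HEADERS = """\
Cache-Control:no-cache
Server:Apache
X-CDN:Incapsula
X-Frame-Options:SAMEORIGIN
X-Frame-Options:SAMEORIGIN
X-XSS-Protection:%E2%80%9C1;mode=block%E2%80%9D
Content-Type:text/html; charset=UTF-8
"""

# Grammar browsers accept for X-XSS-Protection: "0", "1", "1; mode=block",
# "1; report=<uri>" (case-insensitive, whitespace around ';' optional).
XSS_PROTECTION_RE = re.compile(
    r"^(0|1(\s*;\s*(mode=block|report=\S+))*)$", re.IGNORECASE
)

# Headers that must appear at most once; repeated or conflicting copies make
# the browser's behaviour implementation-defined. (Assumed list, my choice.)
SINGLE_VALUED = {"x-frame-options", "x-xss-protection", "content-type"}


def parse_headers(raw: str):
    """Parse 'Name:value' lines into (lower-cased name, decoded value) pairs."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or ":" not in line:
            continue
        name, value = line.split(":", 1)
        # Dev-tools copies are percent-encoded; decode to see the real characters.
        pairs.append((name.strip().lower(), unquote(value.strip())))
    return pairs


def audit_headers(raw: str):
    """Return a list of findings for duplicated or malformed security headers."""
    pairs = parse_headers(raw)
    findings = []

    # 1) Duplicates: the same single-valued header sent more than once.
    counts = Counter(name for name, _ in pairs)
    for name in sorted(SINGLE_VALUED):
        if counts[name] > 1:
            findings.append(f"{name}: sent {counts[name]} times (expected once)")

    # 2) Malformed values: non-ASCII bytes (smart quotes) or grammar violations.
    for name, value in pairs:
        if name == "x-xss-protection":
            if not value.isascii():
                findings.append(f"{name}: non-ASCII characters in value {value!r}")
            if not XSS_PROTECTION_RE.match(value):
                findings.append(
                    f"{name}: value {value!r} does not match 0 | 1[; mode=block]"
                )
        if name == "x-frame-options":
            upper = value.upper()
            if upper not in ("DENY", "SAMEORIGIN") and not upper.startswith("ALLOW-FROM "):
                findings.append(f"{name}: unrecognised value {value!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

Run against the sample, the audit reports X-Frame-Options twice and two findings for X-XSS-Protection: %E2%80%9C and %E2%80%9D decode to the curly quotes U+201C and U+201D, which is why the browser says it expected 0 or 1 at position 0 and why the console shows them as mojibake. A header that appears twice is normally being added at more than one layer (application code, web server configuration, or a CDN in front of both), so the useful next step is to find the other emitter rather than to set the header again from a middleware.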
