You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Gradus Kooistra <gr...@gemeenteoplossingen.nl> on 2018/05/09 07:18:02 UTC

[users@httpd] Missing headers on 403 pages

Dear Sir/Madam,

We setup apache to set headers, like the X-Frame-Options.
But this doesn’t work for the 403 pages, only the Strict-Transport-Security works. On non-error pages, the headers are showing correctly in the browser/security scans

The headers are set to the virtual hosts and later also to the global apache configuration, without any luck.

The problem is that some security scans show warnings to the customers and the think the sites are unsafe.

Is it possible to set the headers, so 403 pages are also delivering this to the browsers?

Met vriendelijke groet, 
G. Kooistra 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Missing headers on 403 pages

Posted by Luca Toscano <to...@gmail.com>.

Hi Gradus,

2018-05-09 9:18 GMT+02:00 Gradus Kooistra <gr...@gemeenteoplossingen.nl>:

> Dear Sir/Madam,
>
> We setup apache to set headers, like the X-Frame-Options.
> But this doesn’t work for the 403 pages, only the
> Strict-Transport-Security works. On non-error pages, the headers are
> showing correctly in the browser/security scans
>
> The headers are set to the virtual hosts and later also to the global
> apache configuration, without any luck.
>
> The problem is that some security scans show warnings to the customers and
> the think the sites are unsafe.
>
> Is it possible to set the headers, so 403 pages are also delivering this
> to the browsers?
>
>
Have you tried the Header set always option? Ref:
https://httpd.apache.org/docs/current/mod/mod_headers.html#header

Hope that helps,

Luca