How to allow access to domain from subdomain in nginx? - nginx

Using nginx, I have an HTML file served at sub.example.com which needs to get its JSON data from example.com.
But the JSON is not loaded. Instead, in the Chrome browser I get:
    The 'Access-Control-Allow-Origin' header has a value 'https://example.com' that is not equal to the supplied origin. Origin 'http://sub.example.com' is therefore not allowed access.
How can I fix this?

You need to set CORS headers on your example.com server to allow the domain sub.example.com to use this resource, for example:
    add_header Access-Control-Allow-Origin "https://sub.example.com" always;
    add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept" always;
    add_header Access-Control-Allow-Methods "GET, POST, PUT, OPTIONS, DELETE" always;
OR
    # note: browsers honour only "*" or one exact origin in this header; a partial wildcard is rejected
    add_header Access-Control-Allow-Origin "https://*.example.com" always;
    add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept" always;
    add_header Access-Control-Allow-Methods "GET, POST, PUT, OPTIONS, DELETE" always;
You need to set it in the server block that handles the JSON. You can allow * in CORS, but it isn't recommended.
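As an added example (not the answer's or the nginx project's own configuration), here is how to allow a set of subdomains without a partial wildcard, which browsers do not honour in Access-Control-Allow-Origin: a map echoes the request's Origin back only when it is an https subdomain of example.com. It assumes the JSON is served from a /data/ location and that the calling page is itself served over https, since the scheme is part of the origin (the http://sub.example.com origin in the question's error would not match).

```nginx
# Added example (not the answer's own config). Assumed layout: the map sits in the
# http {} block and the JSON is served from a /data/ location on example.com.
#
# Browsers accept only "*" or a single exact origin in Access-Control-Allow-Origin,
# so a partial wildcard such as "https://*.example.com" is rejected. Instead, match
# the request's Origin header and echo it back only for https subdomains of example.com.
map $http_origin $cors_origin {
    default "";
    "~^https://[a-z0-9-]+\.example\.com$" $http_origin;
}

server {
    listen 443 ssl;
    server_name example.com;
    # ssl_certificate / ssl_certificate_key as in your existing server block

    location /data/ {
        # An empty $cors_origin (absent or non-allowlisted Origin) makes nginx omit the header.
        add_header Access-Control-Allow-Origin $cors_origin always;
        # The response differs per Origin, so caches must not serve one subdomain's copy to another.
        add_header Vary Origin always;
        add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept" always;
        add_header Access-Control-Allow-Methods "GET, POST, PUT, OPTIONS, DELETE" always;

        # Answer the preflight directly. add_header inside an if block replaces the
        # location-level set, so the headers the preflight needs are repeated here.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin $cors_origin always;
            add_header Vary Origin always;
            add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept" always;
            add_header Access-Control-Allow-Methods "GET, POST, PUT, OPTIONS, DELETE" always;
            add_header Access-Control-Max-Age 600 always;
            return 204;
        }
    }
}
```

Check with `curl -sI -H 'Origin: https://sub.example.com' https://example.com/data/x.json` that the origin is echoed back, and with a non-allowlisted Origin that the header is absent.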

Related

How to Set Security Headers in Nginx Conf

I added the following header in the Nginx conf:
    add_header X-Frame-Options "SAMEORIGIN";
and then it's working fine.
Then I added another header like this:
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
But the X-XSS-Protection is not getting reflected in the response headers; only X-Frame-Options is getting added.
Then I removed X-Frame-Options from the Nginx conf file; it still shows X-Frame-Options in the response headers but not the other one.
I am not sure if Nginx cached the previous conf file or it is happening due to some other configuration.

Change X-Frame-Options from Deny always to Sameorigin in NGINX

I set add_header X-Frame-Options deny always;.
Now I want to change it to SAMEORIGIN. To do that I changed /etc/nginx/sites-available/my_domain to:
    #add_header X-Frame-Options deny always;
    add_header X-Frame-Options sameorigin always;
But the response headers still show X-Frame-Options DENY.
Here is the screenshot:
How can I change this?

Try:
    add_header X-Frame-Options "SAMEORIGIN";
and restart Nginx. I tested "add_header X-Frame-Options SAMEORIGIN always;" and the Nginx error log reports:
    invalid number of arguments in "add_header" directive in ...

How to add Access-Control-Expose-Headers in Nginx server?

I have added add_header 'Access-Control-Expose-Headers' '*'; in my Nginx server, but I am still not able to get any response headers.

Put it somewhere in your server or location block. Please note that * will not be acceptable here; you have to explicitly expose each custom header:
    add_header 'Access-Control-Expose-Headers' 'Authorization,X-Custom-Header';

Why not always inherit add_header directives (rationale)?

What was (or could be) the rationale behind Nginx's decision to only inherit add_header statements from the lowest level that has any?
For instance:
    server {
        server_name example.com;
        root my/root;
        listen 443 ssl;
        ssl_certificate my.cert;
        ssl_certificate_key my.key;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header Content-Security-Policy "default-src 'self' https:";
        location ~* \.(gif|jpeg|jpg|png|css|js|ico|txt)$ {
            # this single add_header stops every server-level add_header above from applying here
            add_header Cache-Control "public, max-age=86400";
        }
    }
None of those security-related headers are added to the assets which match the location block, which is dedicated to increasing cache time, just because it adds another header.
The fix would be to duplicate all add_header directives into that block, which seems counter-intuitive to how the rest of Nginx works, e.g. the root directive.
The behaviour is documented here:
There could be several add_header directives. These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.
http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
I guess there is a good explanation and I'm curious about what it is.

Leverage browser caching on nginx

I run PageSpeed and I am getting:
"Leverage browser caching"
I have added the following directive into my nginx.conf:
    location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public";
    }
but I am still getting the same message from Google.
