lukebrenner
New Pleskian
Hi there,
I have a website which uses user authentication. UNLESS I put the following directive in my .htaccess file in root, the user is NOT logged out.
ExpiresActive On
ExpiresDefault "access plus 1 second"
I guess this is not normal, somehow my server is not set up properly by default.
Here's the configuration:
VPS hosted at hosteurope.de
Plesk Onyx 17.0.17 with update #21 (upgraded from 12.5 but it behaved like that too in 12.5)
CentOS Linux 7.3.1611 (Core)
PHP 7.0.17 with default values (except Short Open Tag ON)
I have the following HTTPS additional directives in my apache:
Header unset ETag
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy: origin-when-cross-origin
Header set X-WebKit-CSP: "default-src 'self'"
Header set X-Permitted-Cross-Domain-Policies: "master-only"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
and the following for HTTP:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,QSA]
</IfModule>
Web application firewall is enabled, with the default Atomic Basic Mod security rule set enabled.
Any help is appreciated.
Thank you.
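A header audit added here as an example (it is not from the original post, from Plesk, or from hosteurope): it parses a constructed HTTPS response whose headers mirror the directives above and checks what they are meant to produce, namely an HSTS max-age of at least one year, nosniff, X-Frame-Options, HttpOnly and Secure on every Set-Cookie, and whether any Expires or Cache-Control header is present at all (the ExpiresDefault directive in the post is what adds one). The sample response is constructed so that one cookie lacks its flags and no expiry header is set, to show both failure modes.

```python
import re

# Constructed sample response; the header set mirrors the Apache directives in the post.
# It deliberately lacks Expires/Cache-Control and has one cookie without HttpOnly/Secure.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 11 Apr 2017 10:00:00 GMT\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/;HttpOnly;Secure\r\n"
    "Set-Cookie: remember=1; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw):
    """Split a raw HTTP response into (name, value) pairs, keeping repeats such as Set-Cookie."""
    head = raw.split("\r\n\r\n", 1)[0]
    out = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out


def audit(raw):
    """Return a check-name -> passed map for the properties the post's directives are meant to enforce."""
    hdrs = parse_headers(raw)

    def get(name):
        return [v for k, v in hdrs if k == name]

    hsts = get("strict-transport-security")
    # max-age must be present and at least one year (31536000 s), as in the directive above.
    m = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    cookies = get("set-cookie")
    flags_ok = all(
        re.search(r";\s*httponly", c, re.I) and re.search(r";\s*secure", c, re.I)
        for c in cookies
    )
    names = {k for k, _ in hdrs}
    return {
        "hsts_one_year": bool(m) and int(m.group(1)) >= 31536000,
        "nosniff": "nosniff" in [v.lower() for v in get("x-content-type-options")],
        "frame_options": bool(get("x-frame-options")),
        "cookies_httponly_secure": bool(cookies) and flags_ok,
        "cache_expiry_set": bool(names & {"expires", "cache-control"}),
    }
```

Feeding a real capture (for example the raw output of a plain HTTPS request to the site) into audit() in place of the constructed sample gives the same pass/fail map for the live configuration.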