How to force Basic Authentication to run on SSL?

We continue the process (very tedious) of knocking down so-called vulnerabilities that are flagged by our PCI compliance auditing company.

On some sites we have set Basic Authentication to allow users access to file lists. This is a “failure” from the PCI audit point of view because the user name and password are sent as clear text.

Description: Web Server Uses Basic Authentication Without HTTPS

Synopsis: The remote web server seems to transmit credentials in clear text

How do we force this form of access to run over SSL?

Howdy,

Depending on how your HTTP Auth is set up – you may be able to use a .htaccess file to redirect users to an HTTPS URL.

You could do that with the following:

# Redirect any request that did not arrive over TLS to the same URL on https://
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

Or, if your HTTP Auth isn’t being set up with a .htaccess, but is being set up within Apache – it’s possible you would need to add the above lines into the VirtualHost block for this domain in the Apache config.

-Eric

These are the webalizer /public_html/stats/ directories that are getting pegged as insecure. Yes, they are set via .htaccess.

AuthName "MyDomain.com statistics"
AuthType Basic
AuthUserFile /home/mydomain/.stats-htpasswd
require valid-user
<Files .htpasswd>
deny from all
</Files>

------ But adding your suggested mod_rewrite lines doesn’t help. Whether I put them at the beginning or end of the .htaccess file, the initial handshake with the Basic Auth dialog for user/password is still running under HTTP (no SSL).

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

AuthName "minimela.com statistics"
AuthType Basic
AuthUserFile /home/minimela/.stats-htpasswd
require valid-user
<Files .htpasswd>
deny from all
</Files>
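The rewrite in the comment above cannot work from a .htaccess file: in a per-directory context mod_rewrite runs in Apache's fixup phase, after the authentication phase has already sent the 401 challenge over plain HTTP, whereas mod_ssl's SSLRequireSSL is evaluated in the access phase, before authentication. The .htaccess below is an added example, not configuration from the thread or from the Apache project; it assumes mod_ssl is loaded, that AllowOverride permits AuthConfig and FileInfo (both already needed for the directives in the thread), and it uses placeholder host and path names.

```apache
# Added example (not from the thread): .htaccess for the stats directory.
#
# A RewriteRule in .htaccess runs after the authentication phase, so it can
# never stop the Basic challenge on a plain-HTTP request. SSLRequireSSL is
# checked in the access phase, before authentication, so a plain-HTTP
# request is refused with 403 before any WWW-Authenticate header is sent
# and before a browser has a chance to send a cleartext Authorization header.
SSLRequireSSL

# Turn that 403 into a redirect to the HTTPS copy of this directory.
# A full URL in ErrorDocument makes Apache answer with a redirect instead of
# serving an error page. The host and path are placeholders; the same
# redirect answers any other 403 in this directory, including the .htpasswd
# deny below.
ErrorDocument 403 https://www.example.com/stats/

# Basic authentication is now only ever negotiated on a TLS connection.
# Credentials path is a placeholder; the syntax matches the thread's
# Apache 2.2-style directives.
AuthName "Site statistics"
AuthType Basic
AuthUserFile /home/example/.stats-htpasswd
require valid-user

<Files .htpasswd>
deny from all
</Files>
```

If you control the VirtualHost blocks instead, the same separation is simpler: put a Redirect for the whole site in the port 80 VirtualHost and the Auth* directives only in the port 443 one, so no authentication is ever configured on the cleartext listener.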