ramazancetinkaya / security-headers

Security Headers Documentation

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

security-headers

Security Headers Documentation

Overview

Adding security headers to your .htaccess file can help to secure your website and its data. This article explains how to add the following security headers.

  • Content-Security-Policy
  • Strict-Transport-Security (HSTS)
  • X-Frame-Options
  • Cross-site Scripting protection (XSS)
  • X-Content-Type-Options
  • Referrer Policy
  • Feature-Policy
  • CORS headers

Adding an .htaccess file on your web server

The examples in this article assume your site is on an Apache server and you are adding headers to your site's .htaccess file. View the following article for an overview of what an .htaccess file is and how to add one to your site.

1) Content-Security-Policy

The Content-Security-Policy header specifies approved sources of content that the browser may load from your website. When you whitelist approved content sources, you thereby help to prevent malicious code from loading on your site. This is a way to help reduce XSS risks.

View the following page for further details:

This example allows any asset to be loaded only from your website.

Header set Content-Security-Policy "default-src 'self'"

This example allows any asset to be loaded from your domain over HTTPS on port 443 only.

Header set Content-Security-Policy "default-src https://example.com:443"

You can then test if it's active by running the following curl command via SSH:

curl -I https://example.com

If you see the following expression, it means you have been successful.

Content-Security-Policy: default-src https://example.com:443

Resolving insecure site and mixed-content warnings

If your website has any assets that load over http, your site will display an SSL warning in the URL bar of your browser to notify the visitor that the connection is not safe.

The following code upgrades all requests to insecure resources automatically. This fixes the SSL warning in your browser.

Header always set Content-Security-Policy "upgrade-insecure-requests;"

2) Strict-Transport-Security (HSTS)

Strict-Transport-Security headers tell the browser to ONLY interact with the site using HTTPS and never HTTP. View the following pages for further details.

You can enable this in your .htaccess file with the following code:

Header set Strict-Transport-Security "max-age=31536000;includeSubDomains;"

You can then test if it's active by running the following curl command via SSH:

curl -I https://example.com

If you see the following expression, it means you have been successful.

Strict-Transport-Security: max-age=31536000;includeSubDomains;

3) X-Frame-Options

This header helps to protect your visitors against clickjacking attacks. Add this header on pages that should not be allowed to render a page within a frame. View the following links for further information:

This example completely disables the ability to load any page in a frame.

Header always set X-Frame-Options DENY

This example only allows your website to embed an iframe on your pages.

Header always set X-Frame-Options SAMEORIGIN

You can then test if it's active by running the following curl command via SSH:

curl -I https://example.com

If you see the following expression, it means you have been successful.

X-Frame-Options: SAMEORIGIN

4) Cross-site Scripting protection (XSS)

The X-XSS-Protection header helps to protect your visitors against Cross-site Scripting attacks. View the following article for further details:

In this example, the value 1 is used. This enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).

Header set X-XSS-Protection "1"

In this example, the value 1; mode=block is used. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.

Header set X-XSS-Protection "1; mode=block"

You can then test if it's active by running the following curl command via SSH:

curl -I https://example.com

If you see the following expression, it means you have been successful.

X-XSS-Protection: 1; mode=block

5) X-Content-Type-Options

This header blocks content sniffing that could transform non-executable MIME types into executable MIME types. View the following article for further details:

Header set X-Content-Type-Options nosniff

You can then test if it's active by running the following curl command via SSH:

curl -I https://example.com

If you see the following expression, it means you have been successful.

X-Content-Type-Options: nosniff

6) Referrer-Policy

This header controls how much referrer information from your site is sent to another server. For example, if a link on your site opens a different website, that website's server records your domain name as the referrer of that link. With this policy, you can control what referrer information is sent to that external server. View the following link for further details.

This example does not send any referrer information.

Header set Referrer-Policy: no-referrer

You can then test if it's active by running the following curl command via SSH:

curl -I https://example.com

If you see the following expression, it means you have been successful.

Referrer-Policy: no-referrer

7) Feature-Policy

The Feature-Policy header controls which browser features are allowed on your website. This policy allows the website owner/developer to restrict specific APIs the site can access in the browser. Here are a few examples:

  • Change the default autoplay behavior on videos.
  • Restrict the site from using a camera or microphone.
  • Disable the Geolocation API.

This is important if the site allows third-party content as it helps to control what those third-party apps may attempt to do with the user's browser when someone visits your website. View the following links for further information.

This example blocks the Geolocation API in the browser from functioning on your site.

Header set Feature-Policy: "geolocation none"

You can then test if it's active by running the following curl command via SSH:

curl -I https://example.com

If you see the following expression, it means you have been successful.

Feature-Policy: geolocation none

8) CORS Headers

View the following links for further information.

About

Security Headers Documentation