How to implement Security Headers for Apache Web Server (htaccess) Website

Sitebee

Technical SEO
Staff member
Have you been reading about HTTP security headers and want to implement them on your website? HTTP security headers are a fundamental part of website security.

HTTP Security Response Headers


HTTP Security Response Headers allow a server to push additional security information to web browsers and govern how web browsers and visitors can interact with your web application. They add another layer of security by helping to mitigate attacks and vulnerabilities, and they are easier to implement than you may think.

I shall be showing you a quick and easy method to add HTTP security headers via your .htaccess file. This method is very easy and should only take a couple of minutes to implement and test. I have added HTTP security headers on WordPress, Magento, Joomla, Drupal and PHP frameworks.

Add the following HTTP security headers to your .htaccess file


Code:
# Strict-Transport-Security (only sent on HTTPS responses)
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
# X-Content-Type-Options
Header set X-Content-Type-Options "nosniff"
# X-XSS-Protection
Header set X-XSS-Protection "1; mode=block"
# Referrer-Policy
Header set Referrer-Policy "same-origin"
# Feature-Policy (allowlist values such as 'self' and 'none' use single quotes)
Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
# X-Frame-Options
Header always append X-Frame-Options SAMEORIGIN
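Directives copied from a web page or a word processor often arrive with curly quotes, which Apache either ships inside the header value or rejects, and an allowlist like the Feature-Policy line breaks silently if one of the single quotes around 'none' is lost. As an added example (not from the original post), a small Python lint for the snippet above: it parses `Header` lines, flags curly quotes, unterminated double quotes and an odd number of single quotes inside a value, and returns the headers the snippet would emit. The two sample snippets are constructed, and the lint merges the separate `Header` and `Header always` tables Apache keeps into one dict.

```python
"""Added example (not from the original post): a small lint for the 'Header' directives
in an .htaccess snippet. It flags curly quotes, unterminated double quotes and an odd
number of single quotes inside a value, and returns the headers the snippet would emit."""
import re
from typing import Dict, List, Tuple

# Curly quotes that word processors and forum software substitute for ASCII quotes.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}

# Header [always|onsuccess] set|append|add|merge|unset Name [value] [env=...|expr=...]
HEADER_DIRECTIVE = re.compile(
    r"^Header\s+(?:(?P<cond>always|onsuccess)\s+)?"
    r"(?P<action>set|append|add|merge|unset)\s+"
    r"(?P<name>[A-Za-z0-9-]+)(?:\s+(?P<rest>.*))?$"
)

# Constructed samples: the post's snippet with ASCII quotes, and one line with curly quotes
# and the closing quote after 'none' missing.
SAMPLE_OK = """# Strict-Transport-Security
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-Content-Type-Options "nosniff"
Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
Header always append X-Frame-Options SAMEORIGIN
"""
SAMPLE_BROKEN = "Header set Feature-Policy \u201cgeolocation \u2018self\u2019; vibrate \u2018none\u201d\n"


def _split_value(rest: str) -> Tuple[str, List[str]]:
    """Return (value, trailing tokens such as env=HTTPS) from the text after the header name."""
    rest = rest.strip()
    if not rest:
        return "", []
    if rest[0] == '"':
        end = rest.find('"', 1)
        if end == -1:
            raise ValueError("unterminated double quote")
        return rest[1:end], rest[end + 1:].split()
    head, *tail = rest.split()
    return head, tail


def lint_htaccess(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (headers the snippet would emit, list of problems found).

    Simplification: Apache keeps separate tables for 'Header' and 'Header always';
    this lint merges them into one dict.
    """
    headers: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(q in line for q in SMART_QUOTES):
            problems.append(f"line {lineno}: curly quotes; Apache needs ASCII quotes")
            for smart, plain in SMART_QUOTES.items():
                line = line.replace(smart, plain)
        m = HEADER_DIRECTIVE.match(line)
        if not m:
            problems.append(f"line {lineno}: not a supported Header directive: {line!r}")
            continue
        try:
            value, _trailing = _split_value(m.group("rest") or "")
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        # Allowlist values such as 'self' use single quotes; an odd count means one was lost.
        if value.count("'") % 2:
            problems.append(f"line {lineno}: unbalanced single quote in {value!r}")
        action, name = m.group("action"), m.group("name")
        if action == "unset":
            headers.pop(name, None)
        elif action in ("append", "merge") and name in headers:
            headers[name] = f"{headers[name]}, {value}"
        else:
            headers[name] = value
    return headers, problems


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        emitted, found = lint_htaccess(sample)
        print(label, emitted, found, sep="\n  ")
```

Run it against the file before uploading; a snippet that lints clean here can still fail on the server (for example if mod_headers is not loaded), so the live check against the served response remains the final test.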

Individually, they are:

Strict-Transport-Security


Code:
# Strict-Transport-Security
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

X-Content-Type-Options


Code:
# X-Content-Type-Options
Header set X-Content-Type-Options "nosniff"

X-XSS-Protection


Code:
# X-XSS-Protection
Header set X-XSS-Protection "1; mode=block"

Referrer-Policy


Code:
# Referrer-Policy
Header set Referrer-Policy "same-origin"

Feature-Policy


Code:
# Feature-Policy
Header set Feature-Policy "geolocation 'self'; vibrate 'none'"

X-Frame-Options


Code:
# X-Frame-Options
Header always append X-Frame-Options SAMEORIGIN




Google recommends these security headers for all websites:


  • X-Content-Type-Options
  • X-Frame-Options
  • Cross-Origin Resource Policy (CORP)
  • Cross-Origin Opener Policy (COOP)
  • HTTP Strict Transport Security (HSTS)

Strict-Transport-Security
HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User-Agent to enforce the use of HTTPS. Recommended value: "Strict-Transport-Security: max-age=31536000; includeSubDomains".

Content-Security-Policy
Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

X-Frame-Options
X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value: "X-Frame-Options: SAMEORIGIN".

X-Content-Type-Options
X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".

Referrer-Policy
Referrer Policy is a new header that allows a site to control how much referrer information the browser includes with navigations away from a document, and it should be set by all sites.

Feature-Policy
Feature Policy is a new header that allows a site to control which features and APIs can be used in the browser.


Firstly, we need to know which security headers we need to implement. For this, we are going to run an HTTP security header scan at https://securityheaders.com.
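As an added example, not part of the original post, here is an offline stand-in in Python for the kind of check that scan performs: it parses a raw HTTP response header block and reports which of the headers discussed above are missing or weakly configured. The two response blocks are constructed to mirror a site before and after the .htaccess change; the thresholds (one-year max-age, includeSubDomains, exactly DENY or SAMEORIGIN) follow the recommended values given earlier, and the check also catches a comma-joined X-Frame-Options value, which is what `Header append` produces when the application already sent that header.

```python
"""Added example (not part of the original post): an offline stand-in for the check that
securityheaders.com runs. It parses a raw HTTP response header block (constructed below)
and reports which of the headers discussed above are missing or weakly configured."""
import re
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # seconds; the HSTS max-age used in the .htaccess snippet above

# Constructed sample responses: what a site typically sends before and after the change.
BEFORE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
"""
AFTER = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: same-origin
Feature-Policy: geolocation 'self'; vibrate 'none'
X-Frame-Options: SAMEORIGIN
"""


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse 'Name: value' lines into a case-insensitive multimap; the status line is skipped."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(raw: str) -> Dict[str, Tuple[str, str]]:
    """Return {header: (status, detail)} with status 'ok', 'weak', 'missing' or 'info'."""
    h = parse_headers(raw)
    report: Dict[str, Tuple[str, str]] = {}

    def value_of(name: str) -> Optional[str]:
        vals = h.get(name.lower())
        # Join repeated headers the way a browser sees them; a comma-joined value usually
        # means 'Header append' added to a header the application had already sent.
        return ", ".join(vals) if vals else None

    hsts = value_of("Strict-Transport-Security")
    if hsts is None:
        report["Strict-Transport-Security"] = ("missing", "browser will not enforce HTTPS")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            report["Strict-Transport-Security"] = ("weak", f"max-age={age} is below one year")
        elif "includesubdomains" not in hsts.lower():
            report["Strict-Transport-Security"] = ("weak", "no includeSubDomains directive")
        else:
            report["Strict-Transport-Security"] = ("ok", hsts)

    csp = value_of("Content-Security-Policy")
    report["Content-Security-Policy"] = (
        ("ok", csp) if csp else ("missing", "no CSP; XSS mitigation relies on other layers")
    )

    xfo = value_of("X-Frame-Options")
    if xfo is None and not (csp and "frame-ancestors" in csp):
        report["X-Frame-Options"] = ("missing", "site can be framed (clickjacking)")
    elif xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        report["X-Frame-Options"] = ("weak", f"value must be exactly DENY or SAMEORIGIN, got {xfo!r}")
    else:
        report["X-Frame-Options"] = ("ok", xfo or "frame-ancestors via CSP")

    xcto = value_of("X-Content-Type-Options")
    if xcto is not None and xcto.lower() == "nosniff":
        report["X-Content-Type-Options"] = ("ok", xcto)
    else:
        report["X-Content-Type-Options"] = ("missing", "browser may MIME-sniff responses")

    rp = value_of("Referrer-Policy")
    if rp is None:
        report["Referrer-Policy"] = ("missing", "full URL may leak in the Referer header")
    elif "unsafe-url" in rp.lower():
        report["Referrer-Policy"] = ("weak", "unsafe-url sends the full URL to every destination")
    else:
        report["Referrer-Policy"] = ("ok", rp)

    pp, fp = value_of("Permissions-Policy"), value_of("Feature-Policy")
    if pp:
        report["Permissions-Policy"] = ("ok", pp)
    elif fp:
        report["Permissions-Policy"] = ("weak", "only the older Feature-Policy header is set; add Permissions-Policy")
    else:
        report["Permissions-Policy"] = ("missing", "browser features are not restricted")

    xss = value_of("X-XSS-Protection")
    if xss is not None:
        report["X-XSS-Protection"] = ("info", "modern browsers ignore this header; harmless but not a control")
    return report


def count_missing(raw: str) -> int:
    """Number of recommended headers absent from the response."""
    return sum(1 for status, _ in audit_headers(raw).values() if status == "missing")


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label}: {count_missing(raw)} missing")
        for name, (status, detail) in audit_headers(raw).items():
            print(f"{status:8} {name}: {detail}")
```

To run it against a live site, paste the output of `curl -sI https://example.com` into `audit_headers`. On the post's snippet it reports HSTS as weak (no includeSubDomains), Content-Security-Policy as missing, Feature-Policy as the older form of Permissions-Policy, and X-XSS-Protection as informational only, since current browsers no longer act on it.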

I’m running this test here on my WordPress website ‘Sitebee’ as I know it was on my to-do list and thought it would be an excellent resource for an article. I have tested HTTP security headers on WordPress, Magento, Joomla, Drupal and PHP frameworks.

Here is the security header benchmark before implementing the HTTP security headers.

[Image: sitebee-f.png]

Now here are the same benchmarks after implementation of the HTTP security headers.

[Image: sitebee-a.png]
