Nadzweb.com

Security response headers implementation in Apache

Posted on August 1, 2013 by admin

There are many ways to secure a website against malicious attacks and users. One of the less common ways is the use of security headers.
Security headers are opt-in security enhancements that a web application specifies through special response headers. For example, once a supported browser receives the Strict-Transport-Security header, it will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.

Below are the security response headers.

X-Frame-Options
This header can be used to indicate whether or not a browser should be allowed to render a page in a frame or iframe. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

X-Content-Security-Policy
Content Security Policy is a security mechanism which helps mitigate Cross Site Scripting and Cross Site Request Forgery attacks.

X-XSS-Protection
The X-XSS-Protection security header is honoured by IE 8 and 9. This header can be used to prevent reflected Cross Site Scripting attacks.

Strict-Transport-Security
This header instructs the browser that the website should only be served via HTTPS.

X-Content-Type-Options
With the value “nosniff”, this header prevents IE and Chrome from using MIME-sniffing (analysing the content) instead of the declared Content-Type header for downloaded content. This reduces the risk of drive-by download attacks, and also protects sites that allow user-uploaded content which may in some instances be interpreted as executable or dynamic HTML.

I often use the code below inside the .htaccess file. It blocks framing, inline scripts and cross-domain requests. The only external access it allows is for the Google Analytics script to record on-site analytics.

<IfModule mod_headers.c>
 # HSTS is only honoured on HTTPS responses; max-age=60 seconds protects returning
 # visitors for just a minute, so raise it once the whole site is served over HTTPS.
 Header set Strict-Transport-Security "max-age=60"
 Header set X-Content-Type-Options "nosniff"
 Header set X-Frame-Options "SAMEORIGIN"
 # A bare host in CSP matches exactly, so '*.google-analytics.com' is needed for the
 # script served from www.google-analytics.com.
 Header set Content-Security-Policy "default-src 'self' *.google-analytics.com; style-src 'self' 'unsafe-inline'"
 # Prefixed forms of the same policy for older Firefox and WebKit browsers.
 Header set X-Content-Security-Policy "default-src 'self' *.google-analytics.com; style-src 'self' 'unsafe-inline'"
 Header set X-WebKit-CSP "default-src 'self' *.google-analytics.com; style-src 'self' 'unsafe-inline'"
 Header set X-XSS-Protection "1; mode=block"
</IfModule>
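To see what the policy in that .htaccess really permits, here is an added Python check (not from the post): it parses the CSP, resolves a load the way a browser resolves host sources and 'self', and flags the short HSTS max-age. The origin https://www.example.com and the sample headers are assumptions constructed to match the configuration above.

```python
# Added example (not from the post): resolve what the CSP in the .htaccess above
# really permits and check the HSTS max-age. SITE_ORIGIN is a hypothetical origin.
import re
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.example.com"  # assumption: the site's own origin
SAMPLE_HEADERS = {  # constructed to match the .htaccess above
    "Strict-Transport-Security": "max-age=60",
    "Content-Security-Policy": "default-src 'self' google-analytics.com; style-src 'self' 'unsafe-inline'"}

def parse_csp(policy):
    """{directive: [source expressions]} from a policy string."""
    parts = (p.split() for p in policy.split(";"))
    return {t[0].lower(): t[1:] for t in parts if t}

def csp_allows(policy, directive, url, origin=SITE_ORIGIN):
    """True if `directive` (falling back to default-src, as browsers do) permits
    loading `url`; url=None asks whether inline content is permitted. Per CSP a
    bare host matches exactly and '*.' matches subdomains only. Simplifications:
    a scheme given in a source must match the URL's; ports, nonces, hashes ignored."""
    dirs = parse_csp(policy)
    sources = dirs.get(directive, dirs.get("default-src", []))
    if url is None:
        return "'unsafe-inline'" in sources
    u = urlsplit(url)
    uhost = u.hostname or ""
    for src in sources:
        if src == "'self'":
            if f"{u.scheme}://{uhost}" == origin:
                return True
        elif not src.startswith("'"):
            scheme, sep, rest = src.partition("://")
            host = (rest if sep else src).split("/")[0].split(":")[0].lower()
            if (not sep or scheme == u.scheme) and (host == uhost or
                    host.startswith("*.") and uhost.endswith(host[1:])):
                return True
    return False

def audit(headers):
    """Findings a defender would raise about these headers."""
    findings = []
    m = re.search(r"max-age=(\d+)", headers.get("Strict-Transport-Security", ""))
    if not m or int(m.group(1)) < 31536000:  # one year is the usual floor
        findings.append("HSTS max-age missing or below one year")
    csp = headers.get("Content-Security-Policy", "")
    if csp_allows(csp, "script-src", None):
        findings.append("CSP permits inline scripts")
    if not csp_allows(csp, "script-src", "https://www.google-analytics.com/analytics.js"):
        findings.append("CSP blocks www.google-analytics.com; use *.google-analytics.com")
    return findings
```

Running `audit(SAMPLE_HEADERS)` reports both the one-minute HSTS lifetime and that the bare `google-analytics.com` source does not cover `www.google-analytics.com`.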

Reference Links:
HTTP Strict Transport Security
Content Security Policy
