Home » Mobile Development, Software Development

Security response headers implementation in Apache

1 August 2013 No Comment

There are many ways to secure a website against malicious attacks and users. One of not so common ways of doing is the use of security headers.
Security headers is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.

Below are the security response headers.

X-Frame-Options
This header can be used to indicate whether or not a browser should be allowed to render a page in a frame or iframe. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

X-Content-Security-Policy
Content Security Policy is a security mechanism which allows mitigation against Cross Site Scripting and Cross Site Request Forgery attacks.

X-XSS-Protection
The X-XSS-Protection security header is honoured by IE 8 and 9. This header can be used to prevent reflected Cross Site Scripting attacks.

Strict-Transport-Security
This header instructs the browser that the website should only be served via HTTPS.

X-Content-Type-Options
With a defined value “nosniff” prevents IE and Chrome from using MIME-analysis instead of the declared content-type header for downloaded content. This reduces the risk of drive-by download attacks as well as sites that allow user uploaded content which may in some instances be interpreted as executable or dynamic HTML.

I often use the below code inside .htaccess file. The below code prevents x-frames, no inline scripts, no cross-domain requests. The only access it allows is for google analytics script to record onsite analytics.

<ifModule mod_headers.c>
 Header set Strict-Transport-Security "max-age=60"
 Header set X-Content-Type-Options "nosniff"
 Header set X-Frame-Options "SAMEORIGIN"
 Header set Content-Security-Policy "default-src 'self' google-analytics.com; style-src 'self' 'unsafe-inline'"
 Header set X-Content-Security-Policy "default-src 'self' google-analytics.com; style-src 'self' 'unsafe-inline'"
 Header set X-WebKit-CSP "default-srcs 'self' google-analytics.com; style-src 'self' 'unsafe-inline'"
 Header set X-XSS-Protection "1; mode=block"
</ifModule>

Reference Links:
HTTP Strict Transport Security
Content Security Policy

Leave your response!

Add your comment below, or trackback from your own site. You can also subscribe to these comments via RSS.

Be nice. Keep it clean. Stay on topic. No spam.

You can use these tags:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This is a Gravatar-enabled weblog. To get your own globally-recognized-avatar, please register at Gravatar.

*
To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Anti-spam image