Security response headers implementation in Apache

There are many ways to secure a website against malicious attacks and users. One of not so common ways of doing is the use of security headers.
Security headers is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.

Below are the security response headers.

X-Frame-Options
This header can be used to indicate whether or not a browser should be allowed to render a page in a frame or iframe. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

X-Content-Security-Policy
Content Security Policy is a security mechanism which allows mitigation against Cross Site Scripting and Cross Site Request Forgery attacks.

X-XSS-Protection
The X-XSS-Protection security header is honoured by IE 8 and 9. This header can be used to prevent reflected Cross Site Scripting attacks.

Strict-Transport-Security
This header instructs the browser that the website should only be served via HTTPS.

X-Content-Type-Options
With a defined value “nosniff” prevents IE and Chrome from using MIME-analysis instead of the declared content-type header for downloaded content. This reduces the risk of drive-by download attacks as well as sites that allow user uploaded content which may in some instances be interpreted as executable or dynamic HTML.

I often use the below code inside .htaccess file. The below code prevents x-frames, no inline scripts, no cross-domain requests. The only access it allows is for google analytics script to record onsite analytics.

<ifModule mod_headers.c>
 Header set Strict-Transport-Security "max-age=60"
 Header set X-Content-Type-Options "nosniff"
 Header set X-Frame-Options "SAMEORIGIN"
 Header set Content-Security-Policy "default-src 'self' google-analytics.com; style-src 'self' 'unsafe-inline'"
 Header set X-Content-Security-Policy "default-src 'self' google-analytics.com; style-src 'self' 'unsafe-inline'"
 Header set X-WebKit-CSP "default-srcs 'self' google-analytics.com; style-src 'self' 'unsafe-inline'"
 Header set X-XSS-Protection "1; mode=block"
</ifModule>

Reference Links:
HTTP Strict Transport Security
Content Security Policy

Add a Comment

Your email address will not be published. Required fields are marked *

*
To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Anti-spam image