How to Implement Security HTTP Headers

Today more and more websites are getting compromised and vital important data is being exposed to hackers. Most of this is due to misconfiguration or lack of protection from the hosting company or a web designer that just wants to make the site work. If you are a website owner ensure that your webdesigner and server administrator protects your website from Clickjacking, code injection, MIME types, XSS (cross-site scripting), etc.

Modern browsers support many HTTP headers that can improve web application security to protect against clickjacking, cross-site scripting, and other common attacks. and these can be protected very easily by just adding a few lines of code into your htaccess file if you are using an Apache or Lightspeed Webserver or NGINX configuration file, depending on the webserver technology you are using.

The following video will show you how you can implement these easy steps.



It would be best if you make a backup of your htaccess file before you make any changes just in case you break things. I will also have a link to references so you you can have a description of what each of the settings mean.

Implementing HTTP Security Headers in Apache or Lightspeed

# BEGIN MODULE HEADERS

Header always set Strict-Transport-Security "max-age=31536000;"
Header always set x-xss-protection "1; mode=block"
Header always set x-frame-options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Cache-Control "max-age=2628000, public"
Header always set Referrer-Policy "no-referrer-when-downgrade"
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set Permissions-Policy "geolocation=(); midi=();notifications=();>

# END MODULE HEADERS

Implementing HTTP Security Headers in NGINX

Add the following Lines to your nginx.conf file (usually located /etc/nginx/nginx.conf). Be sure to check the details of the lines to be sure these are the policies you wish to restrict.

add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
add_header X-Frame-Options 'deny';
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "img-src 'self' data:;";
add_header X-Permitted-Cross-Domain-Policies master-only;
add_header Referrer-Policy same-origin;
add_header Permissions-Policy "vibrate 'none';";
add_header Clear-Site-Data "cookies";

Summary

Implementing security headers on your website or webserver will prevent hackers from probing your server to see if there are any vulnerablities they can exploit. As well, they will prevent giving the hackers more information about your network, which then they can continue to probe further, looking for a security hole to exploit.

Clustered Networks

Located in Edmonton, AB Canada, Clustered Networks was Incorporated in 2001 and has offered Network / Internet and IT Consulting services for over 20 years. We offer personalized service! Call Us Today! - Click Here for our Contact Info

#securityheaders #webserver #security

Posted in Linux Network Admin Tips, Network Security Tips, Tech How To on Oct 08, 2021