Secure your website with .htaccess tricks below
When it comes to securing your website, it’s all about minimizing attack surface and adding more layers of security. One strong layer that you can (and should) add is proper HTTP security headers. When responding to requests, your server should include security headers that help stop unwanted activity like XSS, MITM, and clickjacking attacks. While sending security headers does not guarantee 100% defence against all such attacks, it does help modern browsers keep things secure.
You can add the following code directly to the .htaccess file of your Apache server.
The X-Frame-Options (XFO) security header helps modern web browsers protect your visitors against clickjacking and other threats. Here is the recommended configuration for this header:
# X-Frame-Options
<IfModule mod_headers.c>
	Header set X-Frame-Options "SAMEORIGIN"
</IfModule>
The X-Content-Type-Options security header enables supporting browsers to protect against MIME-type sniffing exploits. It does this by disabling the browser’s MIME sniffing feature and forcing it to honour the MIME type sent by the server. The most common implementation looks like this:
# X-Content-Type-Options
<IfModule mod_headers.c>
	Header set X-Content-Type-Options "nosniff"
</IfModule>
The X-XSS-Protection security header enables the XSS filter provided by modern web browsers (IE8+, Chrome, Firefox, Safari, et al). Here is the recommended configuration for this header:
# X-XSS-Protection
<IfModule mod_headers.c>
	Header set X-XSS-Protection "1; mode=block"
</IfModule>
The Strict-Transport-Security (HSTS) header instructs modern browsers to always connect via HTTPS (a secure connection over SSL/TLS) and never via the insecure HTTP (non-SSL) protocol. While there are variations in how this header is configured, the most common implementation looks like this:
# Strict-Transport-Security
<IfModule mod_headers.c>
	Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>
The Referrer-Policy security header instructs modern browsers how to handle or exclude the Referer header (yes, the header is normally spelled incorrectly, missing an “r”). For those who may not be familiar, the Referer header contains information about where a request is coming from. So for example, if you are at example.com and click a link from there to another site, the Referer header would specify example.com as the “referring” URL.
With that in mind, the Referrer-Policy enables you to control whether or not the Referer header is included with the request. Here is an example showing how to add the Referrer-Policy header via Apache:
# Referrer-Policy
<IfModule mod_headers.c>
	Header set Referrer-Policy "same-origin"
</IfModule>
The Permissions-Policy header tells modern browsers which browser features are allowed. For example, if you want to ensure that only the geolocation and vibrate features are allowed, you can configure the Permissions-Policy header accordingly. It also enables you to control the origin for each specified feature. Here is an example showing how to add a Permissions-Policy header via Apache:
# Permissions-Policy
# Note: Permissions-Policy uses "feature=(allowlist)" syntax; "geolocation 'self'; vibrate 'none'"
# is the older Feature-Policy syntax and is not understood by this header.
<IfModule mod_headers.c>
	Header set Permissions-Policy "geolocation=(self), vibrate=()"
</IfModule>
The Content-Security-Policy (CSP) header tells modern browsers which dynamic resources are allowed to load. This header is especially helpful at stopping XSS attacks and other malicious activity. It provides extensive configuration options, which need to be fine-tuned to match the specific resources required by your site. If the header configuration does not match your site’s requirements, some resources may not load (or work) properly.
Because of this, there isn’t a single most common example to look at. So instead here are a few different examples, each allowing different types of resources.
Here is the directive I use on most of my WordPress-powered sites. Logically these sites tend to use the same types of resources, so I can keep things simple and use the following code on all sites:
# Content-Security-Policy - Example 3
<IfModule mod_headers.c>
	Header set Content-Security-Policy "default-src https:; font-src https: data:; img-src https: data:; script-src https:; style-src https:;"
</IfModule>
Putting it all together, here is the combined block (the CSP line is commented out until you have tuned it for your site):
# Security Headers
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
# Header set Content-Security-Policy ...
Header set Referrer-Policy "same-origin"
Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
You can test your site’s security header settings at https://securityheaders.com/
I hope this was useful in helping you understand your website’s security. Share it so others can learn.
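If you would rather audit the headers yourself (for instance in a CI job), here is a small Python checker I added as an example; it is not from the original post and not the securityheaders.com tool. It runs offline on a constructed header set modelled on the combined block above, scores each header the post covers, and flags the legacy Feature-Policy header instead of passing it; the one-year HSTS threshold is my own choice, and X-XSS-Protection is not scored because current Chrome and Firefox ignore it.

```python
import re
# Constructed sample: what a site running the post's combined "Security Headers"
# block would send (the CSP line there is still commented out).
SAMPLE_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Referrer-Policy": "same-origin",
    "Feature-Policy": "geolocation 'self'; vibrate 'none'",
}
MIN_HSTS_AGE = 31536000  # one year; threshold chosen for this example

def csp_directives(policy):
    """Split a CSP value into {directive: source list}."""
    parts = (p.split() for p in policy.split(";"))
    return {t[0].lower(): " ".join(t[1:]) for t in parts if t}

def hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= MIN_HSTS_AGE

def csp_ok(value):
    """Require a default-src fallback and no inline/eval scripts."""
    d = csp_directives(value)
    scripts = d.get("script-src", d.get("default-src", ""))
    return "default-src" in d and not ("'unsafe-inline'" in scripts or "'unsafe-eval'" in scripts)

# header -> predicate on its value; expectations mirror the post's snippets
RULES = {
    "X-Frame-Options": lambda v: v.upper() in ("SAMEORIGIN", "DENY"),
    "X-Content-Type-Options": lambda v: v.lower() == "nosniff",
    "Strict-Transport-Security": hsts_ok,
    "Referrer-Policy": lambda v: v.lower() != "unsafe-url",
    "Content-Security-Policy": csp_ok,
    "Permissions-Policy": lambda v: bool(v),
}

def audit(headers):
    """Return {header: 'ok' | 'missing' | 'weak'} for each header the post covers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    result = {}
    for name, ok in RULES.items():
        value = h.get(name.lower())
        result[name] = "missing" if value is None else ("ok" if ok(value) else "weak")
    # Feature-Policy is the predecessor of Permissions-Policy: flag it, don't pass it.
    if result["Permissions-Policy"] == "missing" and "feature-policy" in h:
        result["Permissions-Policy"] = "weak"
    return result
```

To audit a live site, pass the response headers from any HTTP client as a dict in the same shape as SAMPLE_HEADERS.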