[Web-App] Setting your security headers...

So a commonly missed security practice is setting response headers within a webserver to instruct a web-browser about how to handle script includes, framing and other things.

I'm sure we've all heard of Securityheaders.io, which will analyse your page's headers and tell you which are missing.

The following is my .htaccess file; as you can see, Apache and LiteSpeed will handle this file and set the headers specified. This could be set within the VirtualHost directive, or in the main http configuration. I've set it here because of ease on shared hosting.

.htaccess:

Options -Indexes
# Refuse to be rendered inside any frame (clickjacking protection)
Header set X-Frame-Options "DENY"
# Legacy browser XSS filter; the value must be quoted as a whole
Header set X-XSS-Protection "1; mode=block"
# Older prefixed CSP header (pre-standard Firefox syntax)
Header set X-Content-Security-Policy "allow 'self';"
# Stop browsers MIME-sniffing away from the declared Content-Type
Header set X-Content-Type-Options "nosniff"
# Standard CSP: "Header set" takes the bare header name (no colon) and a quoted value
Header set Content-Security-Policy "script-src 'self'"

Before / After: (header scan screenshots not reproduced here)

Hopefully this has been helpful for you. Other headers such as Strict-Transport-Security (STS) and Public-Key-Pinning (PKP) can be set to further harden your website in the eyes of a browser, to help keep your visitors safe from potential threats in-line.

I find that these headers are generally missing from 99% of client sites that I test. For a very easy change to make, there's usually no good reason not to implement these headers.

By default, Apache and IIS send back version information in their headers; this can be disabled either by switching the webserver to production mode or by removing these X-Powered-By: headers.
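A small offline check for the headers this post sets, added here as an example and not part of the original post: it parses a captured HTTP response and reports which of the recommended headers are missing or weakly set, and whether Server / X-Powered-By are leaking version strings. The two sample responses are constructed, and the version-disclosure test (any digit in those two headers) is a heuristic assumption, not a rule from the post.

```python
from typing import Callable, Dict, List

# Headers the post recommends, each with a minimal value check.
# Names are lowercased because HTTP header names are case-insensitive.
EXPECTED: Dict[str, Callable[[str], bool]] = {
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-xss-protection": lambda v: v.strip().startswith("1"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "content-security-policy": lambda v: "script-src" in v.lower() or "default-src" in v.lower(),
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
}
# Headers that commonly disclose software versions (the post's X-Powered-By point).
LEAKY = ("server", "x-powered-by")


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings: missing headers, weak values, and version disclosure."""
    findings: List[str] = []
    for name, is_ok in EXPECTED.items():
        if name not in headers:
            findings.append(f"missing: {name}")
        elif not is_ok(headers[name]):
            findings.append(f"weak value: {name}: {headers[name]}")
    for name in LEAKY:
        value = headers.get(name, "")
        # Heuristic assumption: a digit in Server/X-Powered-By usually means a version string.
        if any(ch.isdigit() for ch in value):
            findings.append(f"version disclosure: {name}: {value}")
    return findings


# Constructed sample responses (not captured from any real site).
BEFORE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\nX-Powered-By: PHP/5.5.9\r\n"
          "Content-Type: text/html\r\n\r\n<html>")
AFTER = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: DENY\r\n"
         "X-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\n"
         "Content-Security-Policy: script-src 'self'\r\nContent-Type: text/html\r\n\r\n<html>")
```

Running `audit_headers(parse_response_headers(AFTER))` on the post's configuration leaves only Strict-Transport-Security flagged, matching the post's suggestion to add it next.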
