Online Marketing Strategies

HTTP Security Response Headers For web Security.

2022-02-03


8 HTTP Security Response Headers For web Security

HTTP response headers pass additional information along with the response to the request a browser makes to a URL. One of their merits is that they help prevent information disclosure; they also govern how a web browser interacts with the website and which functions the browser can use on it.

The balance between usability and security strikes a tough bargain for developers when implementing functionality through the headers that can make applications more versatile or secure. But in practice, how are the headers being implemented? Does your site follow the best implementation practices?


Using the right Security Header Response policies adds another security level that can stop common attacks such as code injection, cross-site scripting attacks, and clickjacking to mention a few. For most CMS sites such as WordPress and hosts using Apache servers, these Header Response policies can be set via the .htaccess file.

Header Set Security Policies

1.)  X-Frame Security Policy

The 'X-Frame-Options' security header is one of the easier policies to implement. It provides clickjacking protection by preventing your website from being shown in frames by other websites.

Adding the code below to the top of your .htaccess file adds the 'X-Frame-Options' response header to your site and only allows your site to be framed by your own domain name. You can also use the "deny" option, which tells the browser not to embed your web pages in an iframe at all.


 


 

Header set X-Frame-Options "sameorigin"


 

 

2.) Content Security Policy

The Content Security Policy (CSP) response header prevents code injection and cross-site scripting attacks by denying the execution of malicious content from untrusted sites. The CSP header tells the browser from which locations, and for which types of resources, loading is allowed. In short, it controls which domain URLs are permitted to interact with your site's resources: an external URL's resources will not be permitted to load on your website unless that URL is added to your Content Security Policy with the appropriate rules applied to it. You can deploy the code below for better execution of the CSP.


 


 

Header set Content-Security-Policy "default-src * data:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'"


 

 

3.)  X-XSS-Protection Policy

The X-XSS-Protection response header is one of the security policies designed to protect your website against cross-site scripting (XSS) attacks. It enables the cross-site scripting filter found in modern browsers like Chrome and Mozilla.

The best configuration, set with the .htaccess code below, enables the XSS filter and adds another layer of security to your site:


 


 

Header set X-XSS-Protection "1; mode=block"


 

 

4.) X Content-Type Options

The X-Content-Type-Options security header provides protection against MIME sniffing attacks. The header instructs the browser to follow the declared content type and not change it.

To add this security header to your site, simply add the code below to your .htaccess file:


 


 

Header set X-Content-Type-Options "nosniff"


 

 

5.)  X Permitted Cross-Domain Policy

This policy prevents any Adobe resources on your site, like PDFs and Flash, from being abused. By adding the .htaccess snippet below you'll prevent hotlinking and stop resource abuse from other sites that try to load your site's assets.

To add this security header to your site, simply add the code below to your .htaccess file:


 


 

Header set X-Permitted-Cross-Domain-Policies "none"


 

 

6.)  Strict Transport  Policy

The strict transport security header forces the web browser to ensure all communication is sent via a secure HTTPS connection. If your site is serving mixed content then implementing this will break your site. Ensure that all URLs are being served as HTTPS before adding this to your .htaccess file.

To add this security header to your site, simply add the code below to your .htaccess file:


 


 

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"


 

 

7.)  Referrer Security Policy

The 'Referrer-Policy' header controls what information is passed on to the next site whenever a link is clicked on your site. Its purpose is to prevent 'Reverse Tabnabbing' used in phishing attacks.

If an external link has the target="_blank" attribute value, it provides partial access to the referring page via the 'window.opener' object. A Referrer-Policy helps to prevent phishing attacks by restricting access to the 'window.opener' object.

There are a few options when setting the correct 'Referrer Policy' and you need to be careful not to set a policy that is too strict if your site deals with affiliate links. 

To add this security header to your site simply add the below code to your .htaccess file:


 


 

Header set Referrer-Policy "no-referrer-when-downgrade"


 

 

7.)   Feature Policy Header

The 'Feature Policy' security header controls what features the web browser can use while users are on your site or viewing your site through an iframe. There is a long list of features that web browsers use such as geolocation, microphones, cameras, etc. The 'Feature Policy' controls which of those features may be used on your site and which origin URLs are allowed to control them.

Recommended Read: Feature Policy implementation guide

For most of my sites I use this simple policy, which does the following:

  • Completely disables the camera/webcam on my sites
  • Allows geolocation from any URL (geolocation *)
  • Only allows the microphone to be activated from my site

 


 

Header set Feature-Policy "camera 'none'; fullscreen 'self'; geolocation *; microphone 'self' https://www.example/*"


 

 

 

8.)   Expect CT Header Policy 

The Expect-CT header policy instructs web browsers to either report or enforce Certificate Transparency requirements. This can stop mis-issued SSL certificates, and it can be set to either report mode or enforce mode.

Without an 'Expect-CT' header it's much easier for attackers to utilize mis-issued certificates. If you're going to set it to enforce mode then you definitely need to exercise caution to ensure everything is configured correctly with your SSL. On the majority of my sites I use the full enforce mode as per the below example:

 


 

Header set Expect-CT "enforce, max-age=31536000, report-uri=\"https://your.report-uri.com/r/d/ct/enforce\""


 

 

You can also just use the report only mode like this:

 


 

Header set Expect-CT "max-age=31536000, report-uri=\"https://your.report-uri.com/r/d/ct/report\""


 

I advise that before deployment you ask your host provider for support to find out what features they support. While some of these security measures will work for some websites, I could only get 6 to work for me due to my SSL type (not wildcard, and resources are a mix of HTTP and HTTPS).

The code below shows the ones that worked:


 

 


 

Header set Feature-Policy "camera 'none'; fullscreen 'self'; geolocation *; microphone 'self' https://www.domain.com/*"
Header set Referrer-Policy "no-referrer-when-downgrade"

 

Header set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set X-Permitted-Cross-Domain-Policies "none"
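
Added example (not the author's code): a Python check, run here on constructed copies of the header sets above, that reports which of this page's headers a response lacks and where the page's Content-Security-Policy value still lets injected scripts run. The names `audit` and `parse_csp`, the finding strings and the shortened Expect-CT sample value are assumptions made for illustration.

```python
import re
# Added example; EXPECTED lists the header names this page sets via .htaccess.
EXPECTED = ["X-Frame-Options", "Content-Security-Policy", "X-XSS-Protection",
            "X-Content-Type-Options", "X-Permitted-Cross-Domain-Policies",
            "Strict-Transport-Security", "Referrer-Policy", "Feature-Policy",
            "Expect-CT"]

def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers ignore a repeated directive, so the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit(headers):
    """Return sorted findings for a dict of response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing: {n}" for n in EXPECTED if n.lower() not in h]
    if "content-security-policy" in h:
        csp = parse_csp(h["content-security-policy"])
        # script-src falls back to default-src when it is absent.
        scripts = csp.get("script-src", csp.get("default-src", []))
        for kw in ("'unsafe-inline'", "'unsafe-eval'"):
            if kw in scripts:
                findings.append(f"csp: script-src allows {kw}")
        if any(s in ("*", "http:", "https:") for s in scripts):
            findings.append("csp: script-src allows scripts from any host")
    if "strict-transport-security" in h:
        m = re.search(r'max-age="?(\d+)', h["strict-transport-security"], re.I)
        if not m or int(m.group(1)) < 31536000:
            findings.append("hsts: max-age below one year")
    return sorted(findings)

# Constructed samples: the six headers kept above, then the page's CSP/HSTS added.
SIX = {
    "Feature-Policy": "camera 'none'; fullscreen 'self'; geolocation *; microphone 'self' https://www.domain.com/*",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "X-Frame-Options": "sameorigin", "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Permitted-Cross-Domain-Policies": "none",
}
FULL = {**SIX,
    "Content-Security-Policy": "default-src * data:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Expect-CT": "enforce, max-age=31536000"}
```

Calling `audit(SIX)` lists the three headers the reduced set drops, and `audit(FULL)` shows that the CSP value from section 2 permits inline scripts, `eval` and scripts from any HTTPS host.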


Recommended:
 You can read one of my old posts on how to fight internet fraud with website security rules


Author

Olatunji Adetunji
