Advanced Security Headers

I have some great security headers on this blog, but they are added using a single checkbox on the Sucuri WAF (web application firewall) this site uses. This is what they look like:

 x-xss-protection: 1; mode=block
 x-frame-options: SAMEORIGIN
 x-content-type-options: nosniff
 strict-transport-security: max-age=31536000
 content-security-policy: upgrade-insecure-requests;
 referrer-policy: no-referrer-when-downgrade

But say you want to get more granular, or you don’t have the luxury of a WAF that does this for you, it’s actually fairly simple:

In apache add following entry in httpd.conf and restart the service

Header set X-XSS-Protection "1; mode=block"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header set Content-Security-Policy "default-src 'self';"
Header set Referrer-Policy "no-referrer-when-downgrade"

In Nginx add the following to the nginx.conf under http directive

add_header X-XSS-Protection "1; mode=block";

the following under the SSL directive

add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

the following under server directive

add_header X-Frame-Options “SAMEORIGIN”; 
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'self';";
add_header Referrer-Policy no-referrer-when-downgrade;

And restart the service.

Some notes,

Ref: X-Frame-Options
DENY and ALLOW-FROM are also options, for ALLOW-FROM, see below:

#for multiple domains Apache
 Header set X-Frame-Options SAMEORIGIN
 Header append X-Frame-Options "ALLOW-FROM"  
 Header append X-Frame-Options "ALLOW-FROM"
#for multiple domains Nginx
add_header X-Frame-Options "Allow-From";
add_header X-Frame-Options "Allow-From";

Further reading on Content Security Policy options

Further reading on Referrer Policy options

For comprehensive reading on what the hell these headers mean

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.