I have some great security headers on this blog, but they are added using a single checkbox on the Sucuri WAF (web application firewall) this site uses. This is what they look like:

x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
strict-transport-security: max-age=31536000
content-security-policy: upgrade-insecure-requests;
referrer-policy: no-referrer-when-downgrade

But say you want to get more granular, or you don’t have the luxury of a WAF that does this for you. Setting the headers yourself is actually fairly simple:

In Apache, add the following entries to httpd.conf and restart the service:

Header set X-XSS-Protection "1; mode=block"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header set Content-Security-Policy "default-src 'self';"
Header set Referrer-Policy "no-referrer-when-downgrade"

In Nginx, add the following to nginx.conf inside the http block:

add_header X-XSS-Protection "1; mode=block";

the following inside the server block that listens on SSL:

add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

and the following inside the server block:

add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'self';";
add_header Referrer-Policy no-referrer-when-downgrade;

And restart the service.

Some notes:

Ref: X-Frame-Options
DENY and ALLOW-FROM are also valid values; for ALLOW-FROM, see below:

#for multiple domains Apache
Header set X-Frame-Options SAMEORIGIN
Header append X-Frame-Options "ALLOW-FROM https://www.domain.com/"
Header append X-Frame-Options "ALLOW-FROM https://domain.com/"

#for multiple domains Nginx
add_header X-Frame-Options "Allow-From domain.com";
add_header X-Frame-Options "Allow-From www.domain.com";
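Once the Apache or Nginx directives above are in place, the thing you actually want is a way to confirm that the headers a server sends match what you configured. Two things commonly go wrong: in Apache the Header directive silently does nothing unless mod_headers is enabled, and in Nginx an add_header inside a server or location block replaces every add_header inherited from the enclosing http block, so the X-XSS-Protection line placed at http level above will not be sent by a server block that declares its own add_header lines. The checker below is example code added to this post; it is not part of the original article, nor of Sucuri, Apache or Nginx. It audits a dictionary of response headers against the values set in this post and returns a list of findings. The sample responses are constructed, not captured from any site. On X-Frame-Options it accepts only DENY and SAMEORIGIN: ALLOW-FROM was never implemented by Chrome or Safari and has since been dropped by Firefox, with the CSP frame-ancestors directive as the replacement, so the checker flags it rather than treating the multi-domain variants above as equivalent. On X-XSS-Protection it accepts either the "1; mode=block" used above or "0", the value now recommended since Chrome removed its XSS auditor. The fetch_headers helper is an assumption about how you would feed it a live response; it is not exercised by the samples.

```python
"""Audit HTTP response headers against the security-header setup described above.

Example code added to this post (not the article's own, nor from any WAF or
web server project). Expected values mirror the Apache/Nginx directives above.
"""
from typing import Dict, List
import urllib.request

# One year in seconds, the max-age used in the Strict-Transport-Security lines above.
HSTS_MIN_AGE = 31536000

# The policy tokens the Referrer-Policy header may carry.
VALID_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}


def parse_directives(value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains; preload' into {name: value}.

    Directive names are case-insensitive, so they are lower-cased; a directive
    without '=' (such as preload) maps to an empty string.
    """
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip()
    return out


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy into {directive: [sources]}."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response; an empty list means it matches the setup above."""
    # Header names are case-insensitive, so normalise them before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        d = parse_directives(hsts)
        try:
            age = int(d.get("max-age", ""))
        except ValueError:
            age = -1
        if age < HSTS_MIN_AGE:
            findings.append(f"Strict-Transport-Security max-age {age} is below {HSTS_MIN_AGE}")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options is {xfo!r}, expected DENY or SAMEORIGIN")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        default = parse_csp(csp).get("default-src")
        if default is None:
            findings.append("Content-Security-Policy has no default-src fallback")
        elif "*" in default or "'unsafe-inline'" in default:
            findings.append("Content-Security-Policy default-src is too permissive")

    if h.get("referrer-policy", "").lower() not in VALID_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or not a recognised value")

    xss = h.get("x-xss-protection")
    if xss is not None and xss.replace(" ", "").lower() not in ("0", "1;mode=block"):
        findings.append("X-XSS-Protection should be '1; mode=block' or '0'")

    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Assumed helper: HEAD a URL and return its response headers (not used by the samples)."""
    with urllib.request.urlopen(urllib.request.Request(url, method="HEAD")) as resp:
        return dict(resp.headers.items())


# Constructed sample responses, not captured from any real site.
HEADERS_AS_CONFIGURED = {
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self';",
    "Referrer-Policy": "no-referrer-when-downgrade",
}

HEADERS_WEAK = {
    "X-XSS-Protection": "1",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://www.example.com/",
    "Content-Security-Policy": "default-src * 'unsafe-inline'; img-src 'self'",
}

if __name__ == "__main__":
    for label, sample in (("as configured", HEADERS_AS_CONFIGURED), ("weak", HEADERS_WEAK)):
        print(label, "->", audit_headers(sample) or "no findings")
```

Running the module prints no findings for the first sample and seven for the second; to check a real host, pass fetch_headers("https://your-site.example/") to audit_headers. A HEAD request is enough because the headers are set by the server, not by the application body, but a 4xx or 5xx response is worth checking separately, since Apache's plain Header set (without always) is not applied to error responses.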

Further reading on Content Security Policy options

Further reading on Referrer Policy options

For comprehensive reading on what the hell these headers mean

First seen on: https://300m.com/security/advanced-security-headers/
