HTTP Security Headers for Website

HTTP security headers provide an extra layer of security by defining policies that browsers must follow to protect websites from common attacks. Learn about important HTTP security headers and how to add them.


HTTP security headers are response headers that the server adds to every response it sends to the browser. Each one carries a policy that the browser enforces on the client side, which shuts down whole classes of attacks (script injection, clickjacking, protocol downgrade, MIME-type confusion) regardless of what the page itself does. In this post we show what the most important HTTP security headers do and how to add them to the response. The headers we will implement are:

  • Content-Security-Policy (CSP).
  • Strict-Transport-Security (HSTS).
  • X-Content-Type-Options.
  • Cross-Origin-Resource-Policy (CORP).
  • Referrer-Policy.
  • Permissions-Policy.
  • X-Frame-Options.

HTTP security headers can be added in different ways depending on the server you are using. On Apache they are set with Header directives from mod_headers, which can live in a .htaccess file as long as the module is enabled and the directory has AllowOverride FileInfo. On Nginx they are set with add_header in nginx.conf. In this post we demonstrate how to add the headers in a .htaccess file. A simple example that adds a response header in .htaccess:

<IfModule mod_headers.c>
Header set Cache-Control "max-age=691200, s-maxage=691200, public"
</IfModule>

Two details of the syntax matter for everything that follows. The header value is a single argument, so it must be quoted whenever it contains spaces, commas or semicolons; an unquoted value is a configuration error and Apache answers every request under that .htaccess with a 500. And the <IfModule> wrapper makes Apache skip the whole block silently when mod_headers is not loaded, so always confirm that the headers actually appear in a real response rather than trusting the file. Use "Header always set" instead of "Header set" when the header must also go out on error responses such as 404 and 500 pages, which plain "Header set" skips.
 

Content-Security-Policy (CSP)

Content Security Policy, abbreviated as CSP, is the header that mitigates cross-site scripting (XSS) by telling the browser which sources it may load scripts, styles, images, frames and other content from. If an attacker manages to inject markup, the injected inline script or the script fetched from the attacker's host is blocked because it is not an allowed source. The frame-ancestors directive additionally controls which sites may embed the page. Two pitfalls: keyword sources such as 'self' and 'none' must be in single quotes (a double-quoted "self" is not a valid source and the browser ignores it), and allowing 'unsafe-inline' in script-src largely cancels the XSS protection. The CSP header can be added in .htaccess like this:

Header set Content-Security-Policy "default-src 'self'; script-src 'self'; frame-ancestors 'self'"

Roll a new policy out as Content-Security-Policy-Report-Only first and watch the browser console for violations; a policy that is too strict breaks the site instead of protecting it.
 

Strict-Transport-Security (HSTS)

HTTP Strict Transport Security, abbreviated as HSTS, tells a browser that has received the header once over HTTPS to talk to the domain only over HTTPS for the next max-age seconds: it rewrites http:// links to https:// before sending them and refuses to let the user click through certificate errors. This removes the SSL-stripping form of man-in-the-middle attack on later visits; the very first plain-HTTP visit is still unprotected unless the domain is on the browsers' preload list. Browsers ignore the header on plain HTTP responses, and includeSubDomains extends the rule to every subdomain, so make sure all of them are served over HTTPS before enabling it, because a long max-age is hard to roll back. HSTS header can be added in .htaccess like this:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

The env=HTTPS condition uses the environment variable that mod_ssl sets on TLS connections, so the header is only sent on HTTPS responses.
 

X-Content-Type-Options

This header tells the browser to trust the MIME type in the Content-Type header and not to sniff the response body to guess a different one. Without it, a file uploaded as text/plain or as an image can be reinterpreted as HTML or script; with nosniff the browser also refuses to execute a script, or apply a stylesheet, whose Content-Type is not a JavaScript or text/css type. The only value is nosniff and it can be added like this:

Header set X-Content-Type-Options "nosniff"
 

Cross-Origin-Resource-Policy (CORP)

This header tells the browser which origins may load the resource through no-cors requests, that is, through <img>, <script>, <audio>, <video> or <iframe> tags on another site. With same-origin the browser refuses to load the response for any cross-origin document, which prevents other sites from embedding your resources and from pulling them into their process where side-channel attacks such as Spectre could read them. The other values are same-site and cross-origin. CORP does not replace CORS: CORS governs what a script may read with fetch or XMLHttpRequest, CORP governs embedding, so a public image or font that other sites legitimately embed needs cross-origin. It can be added in .htaccess like this:

Header set Cross-Origin-Resource-Policy "same-origin"
 

Referrer-Policy

This header controls how much of the current page's URL the browser puts into the Referer request header when the user follows a link or the page loads a resource from elsewhere. Full URLs can leak session tokens, search terms and private paths to third parties. same-origin sends the full referrer for requests to your own origin and nothing to other origins; strict-origin-when-cross-origin, the default in current browsers, sends only the scheme and host cross-origin and nothing at all on an HTTPS to HTTP downgrade; unsafe-url always sends everything and should be avoided. The header can be added in .htaccess like this:

Header set Referrer-Policy "same-origin"
 

Permissions-Policy

This header controls which browser features and APIs (camera, microphone, geolocation, payment and so on) the page and the iframes it embeds may use. It is mainly a privacy and abuse control: even if an injected script or a third-party iframe asks for the camera, the browser refuses when the policy denies it. An empty allowlist such as camera=() blocks the feature for every origin, while camera=(self) allows only your own origin. The value contains commas and spaces, so it must be quoted:

Header set Permissions-Policy "camera=(), microphone=(), geolocation=()"
 

X-Frame-Options (Legacy)

X-Frame-Options controls whether the browser may display the page inside a <frame>, <iframe>, <embed> or <object> element on another site, and is the traditional defence against clickjacking. The valid values are DENY and SAMEORIGIN; ALLOW-FROM is obsolete and ignored by current browsers. The header has been superseded by the frame-ancestors directive of CSP, which browsers use in preference when both are present, but it is still worth sending as a fallback for older browsers. It can be added in .htaccess like this:

Header set X-Frame-Options "SAMEORIGIN"
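Putting the sections above together, this is a complete .htaccess block added here as an example; it is not taken from the original post. It assumes mod_headers and mod_ssl are enabled (mod_ssl sets the HTTPS environment variable that keeps HSTS off plain-HTTP responses), uses "always" so the headers also reach error pages, and adds object-src 'none', which the sections above do not mention, to keep plugin content out of the page.

```apache
# Added example: all headers from this post in one block (assumes mod_headers + mod_ssl).
<IfModule mod_headers.c>
    # "always" also applies to 4xx/5xx responses, which plain "Header set" skips.
    # Keyword sources are single-quoted; the whole value is one double-quoted argument.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'"

    # HSTS only on HTTPS responses: the HTTPS env var is set by mod_ssl on TLS connections.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

    Header always set X-Content-Type-Options "nosniff"
    Header always set Cross-Origin-Resource-Policy "same-origin"
    Header always set Referrer-Policy "same-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"

    # Fallback for browsers that do not understand frame-ancestors.
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
```

Drop the block into the site root, then request a normal page and a non-existent page and confirm every header is present on both responses; if none appear, mod_headers is not loaded or AllowOverride does not include FileInfo, and the <IfModule> wrapper has hidden the problem.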

We have explained what the essential HTTP security headers do and how to add them with .htaccess to harden a website. Always check the result rather than the configuration: look at the response headers in the Network tab of the browser developer tools or with curl -sI, run the site through an online security header scanner, and watch the browser console for CSP violations, so that you catch both a header that never made it out and a policy that breaks page functionality.
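As an added example (not code from the original post), the following Python script does the check the previous paragraph asks for offline: it parses a raw HTTP response of the kind curl -si prints and reports the headers from this post that are missing or weakly configured. The two sample responses are constructed for this example; the function names (parse_response, parse_csp, audit, has_error) and the severity thresholds are this example's own choices. It goes slightly beyond the text by also catching the double-quoted "self" mistake in a CSP, which browsers silently ignore.

```python
"""Audit the security headers in a raw HTTP response (added example; samples are constructed)."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, header name, message)

ONE_YEAR = 31536000  # HSTS max-age below this is treated as a warning
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}

# Constructed response carrying the mistakes this post warns about:
# double-quoted "self" in CSP, a tiny HSTS max-age, unsafe-url, no CORP/Permissions-Policy.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    'Content-Security-Policy: default-src "self"; script-src \'self\'\r\n'
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: unsafe-url\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed response with the headers set the way this post recommends.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Cross-Origin-Resource-Policy: same-origin\r\n"
    "Referrer-Policy: same-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html></html>"
)


def parse_response(raw: str) -> Dict[str, str]:
    """Map lowercase header names to values; repeated headers are joined with ', ' as HTTP does."""
    head = raw.split("\r\n\r\n", 1)[0]          # headers end at the first blank line
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:         # [1:] skips the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit(raw: str) -> List[Finding]:
    """Return (severity, header, message) findings; an empty list means every check passed."""
    h = parse_response(raw)
    out: List[Finding] = []

    csp = h.get("content-security-policy")
    if csp is None:
        out.append(("error", "Content-Security-Policy", "missing"))
    else:
        d = parse_csp(csp)
        # A double-quoted keyword is not a valid source expression; browsers drop it.
        bad = [s for srcs in d.values() for s in srcs if s.startswith('"')]
        if bad:
            out.append(("error", "Content-Security-Policy", f"source {bad[0]} uses double quotes; browsers ignore it"))
        if "'unsafe-inline'" in d.get("script-src", d.get("default-src", [])):
            out.append(("warn", "Content-Security-Policy", "'unsafe-inline' in script-src defeats the XSS protection"))
        if "frame-ancestors" not in d and "x-frame-options" not in h:
            out.append(("error", "Content-Security-Policy", "no frame-ancestors and no X-Frame-Options: page can be framed"))

    hsts = h.get("strict-transport-security")
    if hsts is None:
        out.append(("error", "Strict-Transport-Security", "missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            out.append(("warn", "Strict-Transport-Security", f"max-age={age} is below one year"))
        if "includesubdomains" not in hsts.lower():
            out.append(("warn", "Strict-Transport-Security", "includeSubDomains not set"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        out.append(("error", "X-Content-Type-Options", "missing or not nosniff"))
    if h.get("cross-origin-resource-policy", "").lower() not in {"same-origin", "same-site"}:
        out.append(("warn", "Cross-Origin-Resource-Policy", "missing or permissive; expected same-origin or same-site"))
    rp = h.get("referrer-policy", "").lower()
    if rp not in SAFE_REFERRER:
        out.append(("warn", "Referrer-Policy", f"'{rp or 'missing'}' may leak full URLs to other origins"))
    if "permissions-policy" not in h:
        out.append(("warn", "Permissions-Policy", "missing"))
    return out


def has_error(findings: List[Finding]) -> bool:
    """True when at least one finding is an error rather than a warning."""
    return any(sev == "error" for sev, _, _ in findings)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit(raw)
        print(f"{label}: {len(findings)} finding(s)")
        for sev, name, msg in findings:
            print(f"  [{sev}] {name}: {msg}")
```

To run it against a live site, replace the constructed sample with the output of curl -si for the URL (the script only needs the head of the response) and treat any error as a blocker before deploying; the warnings mark settings that are present but weaker than the values recommended above.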