Advanced Security Headers

February 13, 2020

I have some great security headers on this blog, but they are added using a single checkbox on the Sucuri WAF (web application firewall) this site uses. This is what they look like:

 x-xss-protection: 1; mode=block x-frame-options: SAMEORIGIN x-content-type-options: nosniff strict-transport-security: max-age=31536000 content-security-policy: upgrade-insecure-requests; referrer-policy: no-referrer-when-downgrade

But say you want to get more granular, or you don’t have the luxury of a WAF that does this for you, it’s actually fairly simple:

In apache add following entry in httpd.conf and restart the service

Header set X-XSS-Protection "1; mode=block"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header set Content-Security-Policy "default-src 'self';"
Header set Referrer-Policy "no-referrer-when-downgrade"

In Nginx add the following to the nginx.conf under http directive

add_header X-XSS-Protection "1; mode=block";

the following under the SSL directive

add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

the following under server directive

add_header X-Frame-Options “SAMEORIGIN”; add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'self';";
add_header Referrer-Policy no-referrer-when-downgrade;

And restart the service.

Some notes,

Ref: X-Frame-Options
DENY and ALLOW-FROM are also options, for ALLOW-FROM, see below:

#for multiple domains Apache Header set X-Frame-Options SAMEORIGIN Header append X-Frame-Options "ALLOW-FROM" Header append X-Frame-Options "ALLOW-FROM"
#for multiple domains Nginx
add_header X-Frame-Options "Allow-From";
add_header X-Frame-Options "Allow-From";

Further reading on Content Security Policy options

Further reading on Referrer Policy options

For comprehensive reading on what the hell these headers mean


Share this article:

eHost managed wordpress hosting

We’re listening.

Have something to say about this article? Share it with us on Facebook, Twitter or LinkedIn:


Related Posts

Delivering Enterprise-Grade Security for All

Delivering Enterprise-Grade Security for All

Cybersecurity continues to pose a challenge for businesses (and websites) of all sizes, and today, organizations face an evolving list of security threats and concerns. Businesses that fail to secure their digital experiences are increasingly vulnerable to attack from...

Popup Builder < 3.0 – SQL injection via PHP Deserialization

Popup Builder < 3.0 – SQL injection via PHP Deserialization

Description"The Popup Builder plugin 2.2.8 through for WordPress is vulnerable to SQL injection via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account,...

Get ALL Your SEO, WordPress & Divi News

Join Our Daily Roundup

SEO News and More

SEO News and More

Subscribe ToThe Weekly SEO Trade News Updates

Get the latest SEO, SEM and SMM marketing intel, tips and tricks from one of the best SEO Gurus online. 

Every Tuesday morning we send out an aggregated email listing all new posts on SEO Trade News.

Excellent! Now check your email to confirm your subscription.