When building a new website, I always make sure it goes through a series of checklists before deploying.
One of the things on my checklist is securing the HTTP response headers.
By setting security headers on your website's HTTP responses, you'll help prevent common attacks such as:
- Framing or clickjacking
- Cross-site scripting (XSS)
- Drive-by downloads
- SSL stripping
Before we get started, go ahead and test the security of your website headers right now using: securityheaders.com
NOTE: The following HTTP Security Header snippets are placed in the .htaccess file.
1. The X-Frame-Options Header
This snippet will stop browsers from rendering your site inside an iframe on another origin. Essentially, it prevents clickjacking, where an attacker embeds your pages in an iframe on their own site.
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
2. The X-XSS-Protection Header
This snippet will activate the cross-site scripting (XSS) filters built into some browsers (e.g. Chrome, IE), which helps protect your site from certain reflected cross-site scripting attacks.
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
</IfModule>
3. The X-Content-Type-Options Header
This snippet will reduce the risk of drive-by downloads on your site by stopping the browser from MIME-sniffing a response and forcing it to honour the declared Content-Type.
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>
4. The Strict Transport Security Header
This snippet will enable HTTP Strict Transport Security (HSTS), which tells the browser to access your website only over an HTTPS connection. The max-age is set to 31,536,000 seconds, i.e. 365 days (approximately one year).
<IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=31536000"
</IfModule>
After adding the snippets via .htaccess, go ahead and run your site through securityheaders.com again to see if you did everything correctly.
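As an added example (not part of the original post), the following Python script performs a local version of that re-check: it audits a response's headers against the four values set above and reports which pass. The two sample responses are constructed, and the fetch_headers helper is only a convenience for pointing the script at a live URL.

```python
import re
import sys
import urllib.request

ONE_YEAR = 31536000  # the max-age used in the Strict-Transport-Security snippet

def hsts_max_age(value):
    """Return the max-age of an HSTS value as an int, or None if absent/malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None

def audit_headers(headers):
    """Check the four checklist headers; returns {name: (ok, observed value)}."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # HTTP names are case-insensitive
    xfo = h.get("x-frame-options", "")
    xss = h.get("x-xss-protection", "")
    xcto = h.get("x-content-type-options", "")
    hsts = h.get("strict-transport-security", "")
    max_age = hsts_max_age(hsts)
    return {
        # Only DENY and SAMEORIGIN are valid; browsers ignore any other value.
        "X-Frame-Options": (xfo.upper() in ("DENY", "SAMEORIGIN"), xfo or "missing"),
        # Current Chrome, Edge and Firefox no longer act on this header; it is
        # checked only because the checklist above sets it.
        "X-XSS-Protection": (re.fullmatch(r"1;\s*mode=block", xss) is not None, xss or "missing"),
        "X-Content-Type-Options": (xcto.lower() == "nosniff", xcto or "missing"),
        # HSTS is only honoured when received over HTTPS and should cover at least a year.
        "Strict-Transport-Security": (max_age is not None and max_age >= ONE_YEAR, hsts or "missing"),
    }

def fetch_headers(url):
    """Fetch a live response's headers (needs network; not used by the sample run)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.getheaders())

# Constructed sample responses, not captured from any real site.
SAMPLE_GOOD = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN",
               "X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff",
               "Strict-Transport-Security": "max-age=31536000"}
SAMPLE_WEAK = {"Content-Type": "text/html", "X-Frame-Options": "ALLOWALL",
               "Strict-Transport-Security": "max-age=300"}  # invalid XFO, five-minute HSTS

if __name__ == "__main__":
    target = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WEAK
    for name, (ok, seen) in audit_headers(target).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {seen}")
```

Run it with a URL argument to audit a live site, or without one to see the failing sample report.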