
HTTP response headers can protect your website against attack. Here are the response headers that I consider to be the most important.
The Strict-Transport-Security HTTP response header lets a website tell browsers that it should only be accessed using https for a set period of time, instead of using http.
Recommended setting: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Note: The max-age in seconds is subjective.
See Mozilla Strict-Transport-Security

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame, iframe or object. Sites can use this to avoid framejacking attacks, by ensuring that their content is not embedded into other sites.
Recommended setting: X-Frame-Options: SAMEORIGIN
See Mozilla X-Frame-Options

The X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
Recommended setting: X-XSS-Protection: 1; mode=block
Note: Newer browsers have disabled XSS filtering, making this header irrelevant. It has generally been replaced by Content-Security-Policy, which can break inline scripts. Therefore, I don't use the Content-Security-Policy header.
See Mozilla X-XSS-Protection

The X-Content-Type-Options response header is a marker used by the server to indicate that the Multipurpose Internet Mail Extensions (MIME) types advertised in the Content-Type headers should not be changed by the browser.
MIME sniffing is a technique used by some web browsers to examine the content of a particular asset. This is done for the purpose of determining an asset's file format (e.g. is the file type jpg or html?).
MIME type examples:
Content-Type: image/jpg
Content-Type: text/html
Recommended setting: X-Content-Type-Options: nosniff
See Mozilla Content-Type

If your web server is a Debian/Ubuntu type, then enter the following command to begin entering these settings:
sudo nano /etc/apache2/apache2.conf
Now enter the following code:
# The Header directive needs mod_headers; enable it first with: sudo a2enmod headers
# protect against Framejacking attacks
# ("set" rather than "append": appending to an already-present X-Frame-Options
#  header yields "SAMEORIGIN, SAMEORIGIN", which browsers treat as invalid and ignore)
Header always set X-Frame-Options SAMEORIGIN
# add nosniff
Header always set X-Content-Type-Options 'nosniff'
Afterwards, go to /etc/apache2/sites-available and find your ssl.conf file. Enter the following code:
# Strict Transport Security (HSTS) - Guarantee HTTPS for 1 Year including Sub Domains
# (belongs only in the HTTPS virtual host: browsers ignore HSTS received over plain http)
Header always set Strict-Transport-Security 'max-age=31536000; includeSubDomains'
# reload Apache afterwards (sudo systemctl reload apache2) so the new headers take effect
You can check the status of your website's HTTP headers by using the WebTracker.one whois search.
A search done for this site returns these results:
HTTP Headers:
HTTP/1.1 200 OK
Date: Mon, 11 Jul 2022 00:36:10 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
Accept-CH: sec-ch-ua, ua, sec-ch-ua-platform, ua-platform, sec-ch-ua-mobile, ua-mobile, sec-ch-ua-full-version, ua-full-version, sec-ch-ua-full-version-list, sec-ch-ua-platform-version, ua-platform-version, sec-ch-ua-arch, ua-arch, sec-ch-ua-bitness, ua-bitness, sec-ch-ua-wow64, sec-ch-ua-model, ua-model, sec-ch-lang, lang, sec-ch-save-data, save-data, sec-ch-width, width, sec-ch-viewport-width, viewport-width, sec-ch-viewport-height, viewport-height, sec-ch-dpr, dpr, sec-ch-device-memory, device-memory, sec-ch-rtt, rtt, sec-ch-downlink, downlink, sec-ch-ect, ect, sec-ch-prefers-color-scheme, sec-ch-prefers-reduced-motion, sec-ch-prefers-reduced-transparency, sec-ch-prefers-contrast, sec-ch-forced-colors
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
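The whois lookup above is a manual check. As an added example (not part of the original post and not WebTracker.one's code), here is a small Python script that parses a raw HTTP response and audits it against the recommended settings from this post: HSTS present with a large enough max-age and includeSubDomains, X-Frame-Options set to a valid value, X-Content-Type-Options nosniff, and X-XSS-Protection present. The "good" sample is the response shown above with the long Accept-CH line shortened; the "weak" sample is constructed to show what a misconfigured server returns, including the duplicated X-Frame-Options value that Header append can produce. Function names are my own.

```python
"""Audit a raw HTTP response for the security headers discussed in the post."""
from typing import Dict, List


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a dict.

    Header names are case-insensitive, so keys are lower-cased. A repeated
    header is joined with ", ", which is how a browser combines duplicates.
    """
    headers: Dict[str, str] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:            # lines[0] is the status line, e.g. "HTTP/1.1 200 OK"
        if not line.strip():
            break                     # blank line ends the header block
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS header, or -1 if absent or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(num.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def audit_headers(raw: str, min_hsts_age: int = 31536000) -> List[str]:
    """Return a list of findings; an empty list means every recommended header is in place."""
    h = parse_response_headers(raw)
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        age = hsts_max_age(hsts)
        if age < min_hsts_age:
            findings.append(f"Strict-Transport-Security max-age {age} below {min_hsts_age}")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    # "SAMEORIGIN, SAMEORIGIN" (the result of `Header append` on an existing header)
    # is not a valid X-Frame-Options value, so it is reported rather than accepted.
    xfo = h.get("x-frame-options", "")
    if xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options missing or invalid: {xfo!r}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    if "x-xss-protection" not in h:
        findings.append("missing X-XSS-Protection (legacy header; modern browsers ignore it)")

    return findings


# Response captured in the post's whois output, with the Accept-CH value shortened.
GOOD_RESPONSE = """
HTTP/1.1 200 OK
Date: Mon, 11 Jul 2022 00:36:10 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
Accept-CH: sec-ch-ua, sec-ch-ua-platform, sec-ch-ua-mobile
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample of a weak configuration (short HSTS, duplicated X-Frame-Options).
WEAK_RESPONSE = """
HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=300
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        result = audit_headers(raw)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

To audit a live site, feed the script the header block from `curl -sI https://example.invalid` (the hostname here is a placeholder) instead of the embedded samples; the parser treats repeated headers the way a browser does, so an accidental `Header append` shows up as an invalid X-Frame-Options value rather than passing silently.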
* posted by Robert on Sun, Jul 10, 2022