Reputation: 89
How can I add the following security headers to my website?
X-Frame-Options
- Protects against Clickjacking attacks
X-XSS-Protection
- Mitigates Cross-Site Scripting (XSS) attacks
X-Content-Type-Options
- Prevents possible phishing or XSS attacks
Upvotes: 5
Views: 14152
Reputation: 4043
Two ways you can add these headers:
Apache Conf or .htaccess File
<IfModule mod_headers.c>
    # Refuse to be rendered inside any frame/iframe (Clickjacking defense)
    Header set X-Frame-Options "DENY"
    # Ask the browser's XSS filter to block the page instead of sanitising it
    Header set X-XSS-Protection "1; mode=block"
    # Stop the browser from MIME-sniffing a response away from its declared Content-Type
    Header set X-Content-Type-Options "nosniff"
</IfModule>
The Apache/htaccess approach is most likely the preferred way. If you add it to your configuration file, which may be in your httpd.conf or it could be in a vhost configuration file (really depends on how the server is set up), you would place it within a <Directory> element. To use .htaccess, the configuration for the site must have AllowOverride All. While it's pretty standard, you must have the mod_headers library installed in Apache as well.
PHP
// These calls must run before any output is sent, otherwise PHP reports
// "headers already sent" and the headers are silently dropped.
header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
With the PHP approach, you will need to write this to every response, so if you do not have a bootstrap that can do this, I'd recommend leveraging either your Apache configuration file or the .htaccess file.
Upvotes: 16
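Whichever of the two approaches you pick, the thing to verify afterwards is that the headers actually arrive in the response. The following is an added example, not code from the question or the answer: a small Python checker that parses a raw HTTP response (or fetches one with urllib) and reports the three headers the answer sets as missing, duplicated, or carrying an unexpected value. The sample responses are constructed inline so it runs offline; the accepted values (DENY/SAMEORIGIN, nosniff, "1; mode=block"/"0") are the assumption it checks against. X-XSS-Protection is reported as "info" rather than "fail" because Chrome, Edge and Firefox no longer honour that header.

```python
"""Audit an HTTP response for the three security headers from the answer above.

Added example (not from the original question or answer). The header names
and accepted values are taken from the answer's configuration; the sample
responses below are constructed so the check runs without a network.
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.request

# (header name, accepted values, severity). Values are compared after
# lower-casing and collapsing whitespace, so "SameOrigin" passes as well as
# "SAMEORIGIN". X-XSS-Protection is kept because the answer sets it, but
# current Chrome, Edge and Firefox ignore it, so its absence is only "info".
CHECKS = [
    ("x-frame-options", {"deny", "sameorigin"}, "fail"),
    ("x-content-type-options", {"nosniff"}, "fail"),
    ("x-xss-protection", {"1; mode=block", "0"}, "info"),
]

# Constructed sample responses: what the answer's Apache config should produce,
# an error page served without the headers, and a weak X-Frame-Options value.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)
UNHARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.com\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)


def _normalize(value: str) -> str:
    return " ".join(value.lower().split())


def parse_response_headers(raw: str) -> dict[str, list[str]]:
    """Parse the head of a raw HTTP/1.x response into {lowercase-name: [values]}.

    The status line is skipped, repeated headers are kept in order, and
    parsing stops at the blank line that ends the header block.
    """
    headers: dict[str, list[str]] = {}
    lines = raw.split("\r\n") if "\r\n" in raw else raw.split("\n")
    for line in lines[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_security_headers(headers: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means every check passed."""
    findings: list[tuple[str, str]] = []
    for name, accepted, severity in CHECKS:
        values = headers.get(name, [])
        if not values:
            findings.append((severity, f"missing: {name}"))
        elif len(values) > 1:
            # Typically the vhost and .htaccess both set it; how browsers
            # combine two copies is not something to rely on, so flag it.
            findings.append(("fail", f"duplicate: {name} sent {len(values)} times"))
        elif _normalize(values[0]) not in accepted:
            findings.append(("fail", f"unexpected value: {name}: {values[0]!r}"))
    return findings


def passes(headers: dict[str, list[str]]) -> bool:
    """True when no finding has severity 'fail'."""
    return not any(sev == "fail" for sev, _ in audit_security_headers(headers))


def fetch_headers(url: str) -> dict[str, list[str]]:
    """GET url and return its response headers in the same shape as the parser."""
    try:
        resp = urllib.request.urlopen(url)
    except urllib.error.HTTPError as err:
        resp = err  # error pages carry headers too, and we want to audit those
    headers: dict[str, list[str]] = {}
    for name, value in resp.headers.items():
        headers.setdefault(name.lower(), []).append(value)
    return headers


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hdrs = fetch_headers(target) if target else parse_response_headers(UNHARDENED_RESPONSE)
    for sev, msg in audit_security_headers(hdrs):
        print(f"[{sev}] {msg}")
    sys.exit(0 if passes(hdrs) else 1)
```

Run it against an error page (a 404 or 403 URL) as well as the front page: by default mod_headers applies `Header set` only to successful responses, so an Apache-generated error page can come back without the headers even though the vhost or .htaccess is configured; `Header always set` covers error responses too. The PHP route has the mirror-image gap: any page that is served without passing through the bootstrap that calls header() will show up as "missing" here.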