.htaccess Security Headers

The headers below can be added to any site's .htaccess (with modifications) to help make it more secure. They can also be set server-wide in Apache's security.conf file.

Be wary of the Content-Security-Policy, as this is the header most likely to break a site: it will need to be heavily modified to include every script and style library your website uses.

# Extra Security Headers
<IfModule mod_headers.c>
	Header set X-XSS-Protection "1; mode=block"
	Header always append X-Frame-Options SAMEORIGIN
	Header set X-Content-Type-Options nosniff
	Header set X-Permitted-Cross-Domain-Policies "none"
	Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	Header set Referrer-Policy "same-origin"
	# Feature-Policy is the older form of Permissions-Policy; leave it commented out unless you need it
	# Header set Feature-Policy "geolocation 'self'; fullscreen 'self' https://www.google.com;"
	Header set Permissions-Policy "microphone=(), camera=(), geolocation=(self), fullscreen=(self \"https://www.youtube.com\"), accelerometer=(self \"https://www.youtube.com\"), autoplay=(self \"https://www.youtube.com\"), clipboard-write=(self \"https://www.youtube.com\"), encrypted-media=(self \"https://www.youtube.com\"), gyroscope=(self \"https://www.youtube.com\")"

	# The value contains embedded quotes, so the whole value is quoted and the inner quotes escaped
	Header set Expect-CT "enforce, max-age=2592000, report-uri=\"https://www.example.com/report\""
	# "set" replaces any CSP the application already sends; "add" would emit a second
	# CSP header, and browsers enforce every CSP header they receive
	Header set Content-Security-Policy "default-src 'self' *.youtube.com *.youtube-nocookie.com *.bootstrapcdn.com *.gstatic.com *.googleapis.com *.doubleclick.net *.googletagmanager.com *.google-analytics.com *.google.com; connect-src 'self' *.google-analytics.com; style-src 'self' 'unsafe-inline' *.bootstrapcdn.com *.googleapis.com; script-src 'self' *.youtube.com *.youtube-nocookie.com *.google-analytics.com *.google.com *.googleapis.com *.googletagmanager.com *.jquery.com *.bootstrapcdn.com 'unsafe-inline';"
	# Reflect only an Origin that exactly matches one of the listed hosts: the pattern is
	# anchored at both ends, the dots are escaped, and $0 (the whole match) is the value
	# (the original $0$1 appended the "s" captured from "http(s)" to the origin)
	SetEnvIf Origin "^http(s)?://(www\.)?(example\.co\.uk|youtube\.com)$" AccessControlAllowOrigin=$0
	Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
	Header set Access-Control-Allow-Credentials true
</IfModule>

These can be tested here: https://www.serpworx.com/check-security-headers/

A Content Security Policy can be tested beforehand by sending it as

Content-Security-Policy-Report-Only

which reports violations without blocking anything.

https://www.uriports.com/blog/creating-a-content-security-policy-csp/

More reading on the new Permissions-Policy header, which replaces the Feature-Policy header:

https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
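As an added example (not from the post above, and independent of the online checker it links to), the script below evaluates a set of response headers offline against the points the post makes: HSTS lifetime, nosniff, a Referrer-Policy, a CSP whose script-src does not rely on 'unsafe-inline', and a CORS origin that is not a wildcard when credentials are allowed. The sample headers are constructed to show each finding; with a real site you would feed it the headers returned by a request.

```python
import re

# Constructed sample: a response that applies most of the post's headers but
# with a short HSTS lifetime, inline scripts allowed in the CSP, and a
# wildcard CORS origin combined with Access-Control-Allow-Credentials.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=2592000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *.googleapis.com",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}

def parse_csp(value):
    """Split a Content-Security-Policy string into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def check_headers(headers):
    """Return a list of findings for a header-name -> value mapping (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not age:
        findings.append("Strict-Transport-Security missing or without max-age")
    elif int(age.group(1)) < 31536000:
        findings.append("Strict-Transport-Security max-age below one year")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    else:
        csp = parse_csp(h["content-security-policy"])
        # script-src falls back to default-src when it is not set explicitly
        scripts = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("Content-Security-Policy script-src allows 'unsafe-inline'")
    if (h.get("access-control-allow-credentials", "").lower() == "true"
            and h.get("access-control-allow-origin") == "*"):
        findings.append("Access-Control-Allow-Origin '*' combined with credentials")
    return findings

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS):
        print(finding)
```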
