Enabling HTTP Security Headers in Nginx \/ Apache<\/h2>\n\n\n\n
The HTTP security headers that will be covered in this guide are:<\/p>\n\n\n\n
- \n
- HTTP Strict Transport Security (HSTS)<\/li>\n\n\n\n
- Content Security Policy (CSP)<\/li>\n\n\n\n
- X-Frame-Options<\/li>\n\n\n\n
- X-XSS-Protection<\/li>\n\n\n\n
- X-Content-Type-Options<\/li>\n\n\n\n
- Feature-Policy<\/li>\n\n\n\n
- Permissions-Policy<\/li>\n\n\n\n
- Expect-CT<\/li>\n<\/ul>\n\n\n\n
These headers can be applied globally or to a specific site in the Nginx\/Apache virtual host file by adding the HTTP Security Headers to the server block.<\/p>\n\n\n\n
Now let’s plunge in!<\/p>\n\n\n\n
1. HTTP Strict Transport Security (HSTS)<\/h3>\n\n\n\n
This header is used to allow the user agent to use an HTTPS<\/em><\/strong> connection only. It is normally declared using the
Strict-Transport-Security<\/code>variable. This enhances the site’s security by ensuring that the connection through susceptible and insecure HTTP cannot be established.<\/p>\n\n\n\nThis header can be implemented by adding the following entry to your virtual host file.<\/p>\n\n\n\n
For Apache:<\/p>\n\n\n\n
Header set Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\"<\/code><\/pre>\n\n\n\nFor Nginx<\/p>\n\n\n\n
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';<\/code><\/pre>\n\n\n\nBelow is an example of the Nginx config file with the added HTTP Strict Transport Security (HSTS) header.<\/p>\n\n\n\n
upstream portal {\n server localhost:8080;\n}\nserver {\nlisten 80;\n server_name portal.test;\n add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\n location \/ {\n proxy_pass http:\/\/portal;\n }\n}<\/code><\/pre>\n\n\n\nOnce the file has been added, restart the webserver to apply the changes.<\/p>\n\n\n\n
2. X-Frame-Options<\/h3>\n\n\n\n
This header defends the website against clickjacking attacks by incapacitating iframes on your site. It will tell the browser whether to embed your website in an iframe or not. It is currently supported on Chrome 4.1+, Firefox 3.6.9+, IE 8+, Safari 4+, and Opera 10.5+. <\/p>\n\n\n\n
Normally, there are 3 ways in which this header can be configured. These are:<\/p>\n\n\n\n
- \n
- DENY<\/strong> – This option disables the iframe features completely.<\/li>\n\n\n\n
- SAMEORIGIN<\/strong> – allows iframe features to be used by anyone from the same origin.<\/li>\n\n\n\n
- ALLOW-FROM<\/strong> – allows iframe feature from specific URLs<\/li>\n<\/ul>\n\n\n\n
Below is an illustration of how the X-Frame-Options header can be configured.<\/p>\n\n\n\n
For Apache:<\/p>\n\n\n\n
Header always set X-Frame-Options \"SAMEORIGIN\"<\/code><\/pre>\n\n\n\nFor Nginx.<\/p>\n\n\n\n
add_header X-Frame-Options \"SAMEORIGIN\";<\/code><\/pre>\n\n\n\nOnce the changes have been saved, restart the webserver.<\/p>\n\n\n\n
3. Content Security Policy(CSP)<\/h3>\n\n\n\n
This provides security against XSS(Cross-Site Scripting) and other code injection attacks. This is done by defining the approved content sources that allow the browser to load them. There are many derivatives that can be used in the
Content-Security-Policy<\/code>entry.<\/p>\n\n\n\nFor example, the below scripts allow content from the current domain(self<\/em><\/strong>)<\/p>\n\n\n\n
For Apache.<\/p>\n\n\n\n
Header always set Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;\"<\/code><\/pre>\n\n\n\nFor Nginx.<\/p>\n\n\n\n
add_header Content-Security-Policy \"default-src 'self'; font-src *;img-src * data:; script-src *; style-src *\";<\/code><\/pre>\n\n\n\nSave the changes and reload the browser.<\/p>\n\n\n\n
4. X-XSS-Protection<\/h3>\n\n\n\n
X-XSS-Protection\/Cross-Site Scripting header is used to protect the website against attacks by enabling the cross-site scripting (XSS) filter. This feature is enabled by default in modern browsers such as Safari, Internet Explorer 8+, and Google Chrome. This header normally prevents the page from loading whenever cross-site scripting (XSS) attacks are detected.<\/p>\n\n\n\n
The header can be implemented in the following ways:<\/p>\n\n\n\n
- \n
- X-XSS-Protection: 0 <\/strong>– disables the filter completely.<\/li>\n\n\n\n
- X-XSS-Protection: 1<\/strong> – enforces the header but only sanitizes potential malicious scripts.<\/li>\n\n\n\n
- X-XSS-Protection: 1; mode=block<\/strong> – enforces the feature and completely blocks the page.<\/li>\n<\/ul>\n\n\n\n
This feature can be enabled on your Web server by adding the desired implementation in your server block. For example:<\/p>\n\n\n\n
For Apache<\/p>\n\n\n\n
Header always set X-XSS-Protection \"1; mode=block\"<\/code><\/pre>\n\n\n\nFor Nginx.<\/p>\n\n\n\n
add_header X-XSS-Protection \"1; mode=block\" always;<\/code><\/pre>\n\n\n\nApply the changes by restarting your web server.<\/p>\n\n\n\n
5. Feature-Policy<\/h3>\n\n\n\n
This allows or denies the browser features whether in its frame or iframe. The header can be configured to look like this:<\/p>\n\n\n\n
For Apache:<\/p>\n\n\n\n
add_header Feature-Policy \"autoplay 'none'; camera 'none'\" always;<\/code><\/pre>\n\n\n\nFor Nginx<\/p>\n\n\n\n
header always set Feature-Policy \"autoplay 'none'; camera 'none'\"<\/code><\/pre>\n\n\n\n6. X-Content-Type-Options<\/h3>\n\n\n\n
This header is also known as the Browser Sniffing Protection<\/em><\/strong>. It is used to instruct the browser to follow the MIME types indicated in the header. It helps mitigate the danger of drive-by downloads. The header could look as below:<\/p>\n\n\n\n
For Apache<\/p>\n\n\n\n
header always set X-Content-Type-Options \"nosniff\"<\/code><\/pre>\n\n\n\nFor Nginx<\/p>\n\n\n\n
X-Content-Type-Options: nosniff<\/code><\/pre>\n\n\n\n7. Expect-CT<\/h3>\n\n\n\n
This header prevents any suspected certificates from being used. It allows the site to report and enable the certificate transparency requirements. When this header is enforced, the browser is requested to verify if the certificate appears in the public CT logs<\/a>.<\/p>\n\n\n\n
This header can be configured as below:<\/p>\n\n\n\n
For Apache<\/p>\n\n\n\n
header always set Expect-CT \"max-age=604800, enforce, report-uri=\"https:\/\/www.example.com\/report\"<\/code><\/pre>\n\n\n\nFor Nginx.<\/p>\n\n\n\n
add_header Expect-CT \"max-age=604800, enforce, report-uri='https:\/\/www.example.com\/report' always;<\/code><\/pre>\n\n\n\n8. Permissions-Policy<\/h3>\n\n\n\n
This is a new header, it is used to control the APIs and features that can be used in a browser. This header can be enabled on the webserver as below:<\/p>\n\n\n\n
For Apache.<\/p>\n\n\n\n
Header always set Permissions-Policy \"geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()\"<\/code><\/pre>\n\n\n\nFor Nginx.<\/p>\n\n\n\n
add_header Permissions-Policy \"geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()\";<\/code><\/pre>\n\n\n\nSave the changes and restart the webserver.<\/p>\n\n\n\n
How to check your HTTP security headers<\/h2>\n\n\n\n
There are many ways you can check HTTP security headers on a site. Some of the methods covered here are:<\/p>\n\n\n\n
1. Chrome DevTools response headers<\/h3>\n\n\n\n
This is a quick way to access the HTTP security headers. Navigate to Settings<\/strong>>More<\/strong> Settings<\/strong> > Developer Tools<\/strong>. While here, view response headers in the Network panel. Press Ctrl + R <\/strong>(Cmd + R) to refresh the page. Now click on the desired URL and view headers.<\/p>\n\n\n\n
![\"\"](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2022\/04\/Configure-HTTP-Security-Headers-in-Nginx-Apache-HTTPD-Server-1024x690.png\" "\\"\\"")
<\/figure>\n\n\n\n2. KeyCDN’s HTTP Header Checker tool<\/h3>\n\n\n\n
KeyCDN provides an online tool that can be used to check HTTP security headers. To use the tool, click on the link HTTP Header Checker<\/a> and provide the URL to check the headers.<\/p>\n\n\n\n
![\"\"](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2022\/04\/Configure-HTTP-Security-Headers-in-Nginx-Apache-HTTPD-Server-1.png\" "\\"\\"")
<\/figure>\n\n\n\nClick check<\/strong> to provide an HTTP response as below.<\/p>\n\n\n\n
![\"\"](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2022\/04\/Configure-HTTP-Security-Headers-in-Nginx-Apache-HTTPD-Server-2.png\" "\\"\\"")
<\/figure>\n\n\n\n3. Security Headers.io<\/h3>\n\n\n\n
This is also another tool one can use to check HTTP security headers. This tool developed by Scott Helme<\/strong> scans and gives the website a score based on the available HTTPS headers. The score ranges from A+ to grade F. To use the tool, click on the link Security Headers<\/a><\/p>\n\n\n\n
![\"\"](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2022\/04\/Configure-HTTP-Security-Headers-in-Nginx-Apache-HTTPD-Server-3-1024x569.png\" "\\"\\"")
<\/figure>\n\n\n\nProvide the URL of the site and scan it. Below is a summary report for a grade C <\/em><\/strong>site.<\/p>\n\n\n\n
![\"\"](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2022\/04\/Configure-HTTP-Security-Headers-in-Nginx-Apache-HTTPD-Server-4.png\" "\\"\\"")
<\/figure>\n\n\n\nI can improve the site to grade A+ by setting the required headers. The grade A site results will be:<\/p>\n\n\n\n
![\"\"](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2022\/04\/Configure-HTTP-Security-Headers-in-Nginx-Apache-HTTPD-Server-5.png\" "\\"\\"")
<\/figure>\n\n\n\nClosing Thoughts.<\/h2>\n\n\n\n
That marks the end of this amazing guide. At this point, you can harden the security of your website using the knowledge gathered from this site. I hope this was significant to you.<\/p>\n\n\n\n
Related posts.<\/p>\n\n\n\n
- \n
- Best CompTIA Security+ (SY0-601) Certification Books<\/a><\/li>\n\n\n\n
- Configuring oVirt \/ RHEV Manager Certificate Security on browser<\/a><\/li>\n\n\n\n
- Install and Use WPScan – WordPress security scanner<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
HTTP Security Headers play an important role in the website’s security. They provide another level of security that helps mitigate several attacks and vulnerabilities that include SQL injection, XSS, clickjacking e.t.c When a website is visited, the page is requested by the browser from the webserver. This server responds by sending content with HTTP response … Read more<\/a><\/p>\n","protected":false},"author":21,"featured_media":117722,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[299,50,75,2666,349],"tags":[37508],"class_list":["post-117709","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-how-to","category-linux-tutorials","category-security","category-tips-tricks","category-web-hosting","tag-configure-http-security-headers"],"_links":{"self":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/117709","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/comments?post=117709"}],"version-history":[{"count":1,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/117709\/revisions"}],"predecessor-version":[{"id":164233,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/117709\/revisions\/164233"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media\/117722"}],"wp:attachment":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media?parent=117709"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/categories?post=117709"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/tags?post=117709"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Configuring oVirt \/ RHEV Manager Certificate Security on browser<\/a><\/li>\n\n\n\n
- X-XSS-Protection: 1<\/strong> – enforces the header but only sanitizes potential malicious scripts.<\/li>\n\n\n\n
- SAMEORIGIN<\/strong> – allows iframe features to be used by anyone from the same origin.<\/li>\n\n\n\n
- DENY<\/strong> – This option disables the iframe features completely.<\/li>\n\n\n\n