Hardening HTTP Security Headers via .htaccess

Before discussing hardening HTTP security headers via .htaccess, I will give a brief explanation of the Content Security Policy.

What is the Content Security Policy?

Content Security Policy is one component of hardening HTTP security headers. Below I discuss which HTTP headers need to be set to make the server more secure. I will try them on WordPress running on the Apache web server. For each header, this tutorial describes its function and how to apply it via .htaccess.

  • Content Security Policy (CSP)

CSP helps us prevent exploitation through script execution, such as XSS and some other kinds of unwanted external JS overlays. When applying it, adjust the policy to your website. By default, the CSP code looks like this:

Header set Content-Security-Policy "default-src 'self';"

But this runs into many problems, such as with tracking analytics, Webmasters, Google Index, Bing, etc.

For implementation, if your site has a lot of CSS and JavaScript, use something like this:

Header set Content-Security-Policy "script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'"

The 'unsafe-inline' and 'unsafe-eval' keywords let the installed plugins keep running, including those that give permission to index your website. For more detail, please refer to the CSP specification or Google Developers, because every website application is different.
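
The effect of these policies on an analytics script can be checked with a small evaluator. The following Python sketch is an added example, not code from the original post; it is simplified (no ports, paths, nonces or hashes), and the TIGHT policy, the analytics URL and the helper names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Policies quoted from the article, plus one tighter variant added for comparison.
STRICT = "default-src 'self';"
RELAXED = "script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'"
TIGHT = "default-src 'self'; script-src 'self' https://www.google-analytics.com"
PAGE = "https://www.asepms.com"  # origin the policy is served from
ANALYTICS = "https://www.google-analytics.com/analytics.js"  # sample third-party script


def parse_csp(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # The first occurrence of a directive wins; later duplicates are ignored.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def source_matches(expr, url, page):
    """Match 'self', a scheme source (https:) or a host source against a URL."""
    u, p = urlsplit(url), urlsplit(page)
    if expr == "'self'":
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if expr.startswith("'"):
        return False  # keywords such as 'unsafe-inline' never match a URL
    if expr.endswith(":"):
        return u.scheme == expr[:-1].lower()
    scheme, _, host = expr.rpartition("://")
    host = host.split("/")[0]
    if scheme and u.scheme != scheme:
        return False
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host


def allows(policy, directive, url=None, page=PAGE):
    """True if the policy permits loading `url`, or inline code when url is None."""
    directives = parse_csp(policy)
    # Fetch directives such as script-src fall back to default-src when absent.
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True  # nothing applies, so the browser does not restrict this type
    if url is None:
        return "'unsafe-inline'" in sources
    return any(source_matches(s, url, page) for s in sources)
```

Under STRICT the analytics script is blocked; RELAXED admits any HTTPS script plus inline code and, having no default-src, leaves other resource types unrestricted. TIGHT admits only the listed analytics host and keeps inline script blocked.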

  • HTTP Strict Transport Security

Websites have always depended heavily on 301/302 redirects to take the user from browsing over HTTP to HTTPS. By default the browser uses HTTP when you type an address like asepms.com. HSTS allows you to tell the browser that you always want users to connect using HTTPS instead of HTTP.

This is useful for every bookmark, link or address the user types: it will be forced to use HTTPS, even if it specifies HTTP. This ensures that a connection cannot be established over insecure HTTP, which could be vulnerable to attack. Apply it like this:

Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload" env=HTTPS

  • X-Frame-Options

The X-Frame-Options header (RFC), or XFO, protects your visitors against clickjacking attacks. An attacker can load an iframe on their site and set your site as the source, for example: <iframe src="https://www.asepms.com"></iframe>

Using some nasty CSS, they can hide your site in the background and place layers on top that look like genuine content. When your visitors click on what they think is a harmless link, they are actually clicking on a link on your website in the background. That probably does not seem so bad until we realize that the browser will execute the request in the context of the user, which can include being logged in and authenticated to your site. The threat is hidden right in front of you.

Header set X-Frame-Options DENY

  • X-XSS-Protection

XSS protection is already supported by default in modern browsers. But if you add this rule to the HTTP headers, older browsers will also be forced to block XSS attacks. This header is used to configure the built-in reflective XSS protection found in Internet Explorer, Chrome and Safari (WebKit).

Header set X-XSS-Protection "1; mode=block"

  • Public-Key-Pins

This tweak may be very useful for online shopping and internet banking sites. Public-Key-Pins tells the web browser to associate specific public keys with a specific web server to prevent dangerous MITM attacks. To get your public key pins, create your HPKP hash here, and analyse your HPKP here.

Then set it in .htaccess like this:

Header always set Public-Key-Pins 'pin-sha256="SQkvA7MK9PK6EpZrikWevVze9o0T7y7BhCXYCCrEL98="; \
pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; \
pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="; \
pin-sha256="lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU="; \
pin-sha256="ipMu2Xu72A086/35thucbjLfrPaSjuw4HIjSWsxqkb8="; \
pin-sha256="+5JdLySIa9rS6xJM+2KHN9CatGKln78GjnDpf4WmI3g="; \
pin-sha256="MWfCxyqG2b5RBmYFQuLllhQvYZ3mjZghXTRn9BL9q10="; \
includeSubdomains; max-age=31536000'

  • X-Content-Type-Options

This prevents Internet Explorer and Google Chrome from sniffing the type of the files we serve. It reduces the risk from users uploading unauthorized files to our server, such as a file with a manipulated name (for example image.jpg) that is accepted and then executed as a backdoor or SQL injection. Apply it in .htaccess:

Header set X-Content-Type-Options "nosniff"

  • Referrer Policy

The spec for Referrer Policy has been a W3C Candidate Recommendation since January 26, 2017 and can be found here, but I am going to cover everything in this blog to save you the trouble. The referrer policy is issued through an HTTP response header with the same name, Referrer-Policy.

The empty string

An empty string value in the Referrer-Policy header indicates that the site does not want to set a referrer policy here and the browser must fall back to a referrer policy set through other mechanisms elsewhere. These can include the HTML <meta> element, the referrerpolicy attribute on elements such as <a> and <link>, or the rel="noreferrer" keyword on the <a> tag as well.

Issuing this policy effectively has no impact; it only confirms that the site has deliberately omitted it. You can even set your referrer policy through the Content Security Policy header, if you like. Apply it like this:

Header set Referrer-Policy "strict-origin-when-cross-origin"

This will not allow referrer information to be sent when a scheme downgrade occurs (the user navigates from HTTPS to HTTP).

After applying all of this, you can test how secure your HTTP response headers are through one of the following links:
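
The same kind of check can also be run locally on a saved response. The following Python sketch is an added example, not code from the original post; the sample response is constructed, and the finding texts and helper names are assumptions. It covers the headers set in this tutorial and also catches typographic quotes, which end up in a header value when a snippet is pasted from a web page.

```python
import re

# Policy tokens defined by the Referrer Policy spec.
REFERRER_POLICIES = {"no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
                     "strict-origin", "origin-when-cross-origin",
                     "strict-origin-when-cross-origin", "unsafe-url"}
EXPECTED = ("content-security-policy", "strict-transport-security", "x-frame-options",
            "x-xss-protection", "x-content-type-options", "referrer-policy")
CURLY = re.compile("[\u2018\u2019\u201c\u201d]")  # typographic single/double quotes
# Constructed sample (not from a real site): curly quotes in CSP, no X-XSS-Protection.
SAMPLE = (
    "HTTP/1.1 200 OK\n"
    "Content-Type: text/html; charset=UTF-8\n"
    "Content-Security-Policy: default-src \u2018self\u2019;\n"
    "Strict-Transport-Security: max-age=10886400; includeSubDomains; preload\n"
    "X-Frame-Options: DENY\n"
    "X-Content-Type-Options: nosniff\n"
    "Referrer-Policy: strict-origin-when-cross-origin\n"
)

def parse_headers(raw):
    """Parse a response head into {lowercased header name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:  # the first line is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return a list of findings for the headers this tutorial configures."""
    h = parse_headers(raw)
    findings = [f"{n}: missing" for n in EXPECTED if n not in h]
    findings += [f"{n}: typographic quotes in value" for n in EXPECTED if CURLY.search(h.get(n, ""))]
    csp = h.get("content-security-policy", "")
    findings += [f"content-security-policy: allows {k}" for k in ("'unsafe-inline'", "'unsafe-eval'") if k in csp]
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if "strict-transport-security" in h and (not hsts or int(hsts.group(1)) == 0):
        findings.append("strict-transport-security: max-age missing or zero")
    if h.get("x-frame-options", "DENY").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options: not DENY or SAMEORIGIN")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("x-content-type-options: not nosniff")
    tokens = h.get("referrer-policy", "").split(",")  # a comma-separated fallback list is allowed
    if not all(t.strip().lower() in REFERRER_POLICIES | {""} for t in tokens):
        findings.append("referrer-policy: unknown policy token")
    return findings
```

To check your own site, pass the text printed by `curl -sI` for your URL to `audit()`.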



As we know, hardening the servers we manage is important. It is very helpful in preventing attacks from irresponsible parties. That is all for this brief tutorial; if you have questions, please comment or join the asepms.com forum. I hope it is useful.

Source by Scotthelme.co.uk

Asep Ulchre

This website is written by a single admin, who likes coffee and the Python programming language and is an art lover.