HTTP Security Headers in Apache

HTTP offers several headers that can help protect website visitors. OWASP has a great description of them here. Based on that I’d like to quickly share a few configuration changes I make to Apache web servers.

In the httpd.conf I add the following directives to the document root <Directory> section.

 Header always append X-Frame-Options DENY
 Header always append X-XSS-Protection "1; mode=block"
 Header always append X-Content-Type-Options nosniff
 Header always append Strict-Transport-Security max-age=16070400
 Header always append Content-Security-Policy "default-src 'self'; script-src 'self' https://ajax.googleapis.com"

In addition I make sure that ServerTokens is set to Prod. This prevents Apache from publishing it’s version and other information web users do not need to know.

Next in php.ini I make sure the following options are set.

expose_php=Off
session.cookie_httponly=1
session.cookie_secure=1

There are other steps one should take for securely configuring an Apache webserver. This only addresses the server’s response headers.

Leave a Reply

Your email address will not be published. Required fields are marked *