HTTP offers several headers that can help protect website visitors. OWASP has a great description of them here. Based on that I’d like to quickly share a few configuration changes I make to Apache web servers.
In httpd.conf I add the following directives to the document root <Directory> section (they require mod_headers to be loaded):

    Header always append X-Frame-Options DENY
    Header always append X-XSS-Protection "1; mode=block"
    Header always append X-Content-Type-Options nosniff
    Header always append Strict-Transport-Security max-age=16070400
    Header always append Content-Security-Policy "default-src 'self'; script-src 'self' https://ajax.googleapis.com"

The "always" condition makes Apache add the headers to every response, including error pages. One caveat: "append" merges with any header of the same name already present in the response (for example one emitted by the application), producing a comma-separated value such as "DENY, DENY" that browsers will not honour for X-Frame-Options. If the application may set any of these headers itself, use "Header always set", which replaces the existing value instead. The HSTS max-age of 16070400 seconds is roughly six months.
In addition I make sure that ServerTokens is set to Prod. This reduces the Server response header to just "Apache" and prevents Apache from publishing its version and other information web users do not need to know. ServerSignature Off removes the same details from the footer of server-generated error pages.
Next in php.ini I make sure the following options are set.
    expose_php=Off
    session.cookie_httponly=1
    session.cookie_secure=1

expose_php=Off removes the "X-Powered-By: PHP/x.y.z" header. session.cookie_httponly keeps the session cookie out of reach of JavaScript (document.cookie), and session.cookie_secure makes the browser send it only over HTTPS, so the site must actually be served over TLS or sessions will not work.
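Once the Apache and PHP changes above are in place, it is worth verifying them from the outside rather than trusting the config. The following script is an added example, not part of the original post: it reads a captured response header block (in practice from `curl -sI https://www.example.com/ > headers.txt`) and reports which of the hardening headers are missing, whether the Server or X-Powered-By headers still publish versions, and whether a comma-joined X-Frame-Options value betrays a duplicated "Header append". The two header blocks it checks are constructed samples so it runs offline; the function and file names are my own.

```shell
#!/bin/sh
# Added check script (not from the original post). Verifies that a captured
# HTTP response carries the hardening headers discussed above and flags the
# leaks that ServerTokens Prod and expose_php=Off are meant to close.
#
# Real usage: curl -sI https://www.example.com/ > headers.txt && check_headers headers.txt
# The header blocks below are constructed samples so the script runs offline.

REQUIRED_HEADERS="x-frame-options x-xss-protection x-content-type-options strict-transport-security content-security-policy"

# header_value FILE NAME: print the value of the first header called NAME
# (case-insensitive), with the "Name:" prefix, leading spaces and CR stripped.
header_value() {
    grep -i "^$2:" "$1" | head -n 1 | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/\r$//'
}

# check_headers FILE: print one line per finding; return the number of problems (0 = clean).
check_headers() {
    problems=0
    for h in $REQUIRED_HEADERS; do
        v=$(header_value "$1" "$h")
        if [ -z "$v" ]; then
            echo "MISSING: $h"
            problems=$((problems + 1))
        else
            echo "ok:      $h: $v"
        fi
    done

    # "Header always append" merges with an existing same-named header into
    # "value1, value2"; browsers do not honour a comma-joined X-Frame-Options.
    v=$(header_value "$1" x-frame-options)
    case "$v" in
        *,*) echo "WARN:    X-Frame-Options is comma-joined (duplicate Header directive?): $v"
             problems=$((problems + 1)) ;;
    esac

    # ServerTokens Prod leaves just "Apache"; a slash means a version is still published.
    s=$(header_value "$1" server)
    case "$s" in
        */*) echo "WARN:    Server header publishes a version: $s"
             problems=$((problems + 1)) ;;
    esac

    # expose_php=On adds "X-Powered-By: PHP/x.y.z".
    p=$(header_value "$1" x-powered-by)
    if [ -n "$p" ]; then
        echo "WARN:    X-Powered-By present (expose_php still On?): $p"
        problems=$((problems + 1))
    fi
    return $problems
}

# Constructed sample: response from a server with the configuration above applied.
GOOD_HEADERS=$(mktemp)
cat > "$GOOD_HEADERS" <<'EOF'
HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=16070400
Content-Security-Policy: default-src 'self'; script-src 'self' https://ajax.googleapis.com
Content-Type: text/html; charset=UTF-8
EOF

# Constructed sample: a default install, version strings leaking, one header duplicated.
BAD_HEADERS=$(mktemp)
cat > "$BAD_HEADERS" <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
X-Frame-Options: DENY, DENY
Content-Type: text/html; charset=UTF-8
EOF
trap 'rm -f "$GOOD_HEADERS" "$BAD_HEADERS"' EXIT

for f in "$GOOD_HEADERS" "$BAD_HEADERS"; do
    echo "== $f"
    check_headers "$f" || echo "   $? problem(s) found"
done
```

Run it against a real capture by replacing the sample file with `headers.txt`; a non-zero exit status from check_headers makes it easy to wire into a post-deploy check. Because the hardening headers are set per <Directory>, capture a URL that is actually served from that document root, and use `curl -sI` against the HTTPS origin, since HSTS is only meaningful there.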
There are other steps one should take for securely configuring an Apache webserver. This only addresses the server’s response headers.