The Complete HTTP Header Security Guide

HTTP Header Security Guide

Securing your website is essential for protecting your business and users’ data. One of the key steps in web security is addressing common HTTP misconfigurations, especially in HTTP headers. In this guide, we’ll walk you through the best practices for configuring HTTP headers to help you safeguard your site and prevent potential vulnerabilities.

HTTP Header Security Guide

The HTTP headers provide control over how web content is handled, which helps to stop attacks and enforce secure communications between the server and the user. In this HTTP header security guide, we will cover the most important HTTP headers that you need to set to achieve a high level of security in your site.

Keep in mind that we will focus this on security headers, there’s a lot more headers that are not related to security misconfigurations, but if you want to check them out make sure to visit Mozilla’s MDN Web Docs.

HTTP Strict Transport Security (HSTS)

The first header in our HTTP header security guide is the famous HTTP Strict Transport Security (HSTS), which forces a secure (https) connection to the server. This prevents attacks like protocol downgrading and cookie hijacking.

Header example:

Strict-Transport-Security: max-age=3000000; includeSubDomains;

How to set HSTS in Apache:

Edit your site’s config file:

nano /etc/apache2/sites-available/your_site.conf

Add the following inside the VirtualHost block:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Restart Apache:

systemctl restart apache2

Setting HSTS in Nginx:

Edit your site’s config file:

nano /etc/nginx/conf.d/your_site.conf

Add the following inside the server block:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

Restart Nginx:

systemctl restart nginx

Content Security Policy (CSP)

Content Security Policy controls the resources that the user agent can load for a given page, preventing XSS and injection attacks.

Header example:

Content-Security-Policy: default-src 'self'; script-src 'self' 'https://trusted.domain.com'

How to set CSP in Apache:

Edit your site’s config file:

nano /etc/apache2/sites-available/your_site.conf

Add the following inside the VirtualHost block:

Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'https://trusted.domain.com'"

Restart Apache:

systemctl restart apache2

Configuring CSP in Nginx:

Edit your site’s config file:

nano /etc/nginx/conf.d/your_site.conf

Add the following inside the server block:

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'https://trusted.cdn.com'";

Restart Nginx:

systemctl restart nginx

X-Frame-Options

Continuing with our HTTP header security guide, we have X-Frame-Options, a header that prevents a webpage from being framed to avoid clickjacking attacks.

Header example:

X-Frame-Options: DENY

Setting up X-Frame-Options in Apache:

Edit your site’s config file:

nano /etc/apache2/sites-available/your_site.conf

Add the following inside the VirtualHost block:

Header always set X-Frame-Options "DENY"

Restart Apache:

systemctl restart apache2

How to add X-Frame-Options to Nginx:

Edit your site’s config file:

nano /etc/nginx/conf.d/your_site.conf

Add the following inside the server block:

add_header X-Frame-Options "DENY";

Restart Nginx:

systemctl restart nginx

X-XSS-Protection

X-XSS-Protection provides cross-site scripting (XSS) filtering in browsers.

Header example:

X-XSS-Protection: 1; mode=block

Adding X-XSS-Protection to Apache:

Edit your site’s config file:

nano /etc/apache2/sites-available/your_site.conf

Add the following inside the VirtualHost block:

Header always set X-XSS-Protection "1; mode=block"

Restart Apache:

systemctl restart apache2

How to configure X-XSS-Protection in Nginx:

Edit your site’s config file:

nano /etc/nginx/conf.d/your_site.conf

Add the following inside the server block:

add_header X-XSS-Protection "1; mode=block";

Restart Nginx:

systemctl restart nginx

X-Content-Type-Options

The X-Content-Type-Options header is another important component of the HTTP header security guide, because it protects us from MIME type sniffing, which enhances security by enforcing the declared content type.

Header example:

X-Content-Type-Options: nosniff

Add X-Content-Type-Options to Apache:

Edit your site’s config file:

nano /etc/apache2/sites-available/your_site.conf

Add the following inside the VirtualHost block:

Header always set X-Content-Type-Options "nosniff"

Restart Apache:

systemctl restart apache2

Enabling X-Content-Type-Options in Nginx:

Edit your site’s config file:

nano /etc/nginx/conf.d/your_site.conf

Add the following inside the server block:

add_header X-Content-Type-Options "nosniff";

Restart Nginx:

systemctl restart nginx

Referrer-Policy

Referrer-Policy indicates how much referrer information should be included with requests.

Header example:

Referrer-Policy: no-referrer

Enable Referrer-Policy in Apache:

Edit your site’s config file:

nano /etc/apache2/sites-available/your_site.conf

Add the following inside the VirtualHost block:

Header always set Referrer-Policy "no-referrer"

Restart Apache:

systemctl restart apache2

Set Referrer-Policy in Nginx:

Edit your site’s config file:

nano /etc/nginx/conf.d/your_site.conf

Add the following inside the server block:

add_header Referrer-Policy "no-referrer";

Restart Nginx:

systemctl restart nginx

Permissions-Policy

Permissions-Policy is the next step in this HTTP header security guide. Permissions-Policy controls access to features and APIs like geolocation, camera, and microphone.

Header example:

Permissions-Policy: geolocation=(), camera=(), microphone=()

Enable Permissions-Policy in Apache:

Edit your site’s config file:

nano /etc/apache2/sites-available/your_site.conf

Add the following inside the VirtualHost block:

Header always set Permissions-Policy "geolocation=(), camera=(), microphone=()"

Restart Apache:

systemctl restart apache2

How to add Permissions-Policy to Nginx:

Edit your site’s config file:

nano /etc/nginx/conf.d/your_site.conf

Add the following inside the server block:

add_header Permissions-Policy "geolocation=(), camera=(), microphone=()";

Restart Nginx:

systemctl restart nginx

HTTP Public Key Pinning (HPKP)

HTTP Public Key Pinning is used to prevent MITM attacks by pinning the server’s public key. Keep in mind that this header is currently deprecated. We have decided to include it in our HTTP header security guide for legacy and documentation purposes.

Header example:

Public-Key-Pins: pin-sha256="base64+primary=="; max-age=2592000; includeSubDomains; report-uri="https://domain.com/hpkp-report"

Setting up HPKP is not recommended due to the risk of site lockout and other security issues. Modern browsers have deprecated support for it.

Cross-Origin Resource Sharing (CORS)

Cross-Origin Resource Sharing controls how resources on your site can be requested from another domain, this adds a layer of security for cross-origin interactions.

Header example:

Access-Control-Allow-Origin: https://trusted-origin-domain.com

How to configure Cross-Origin Resource Sharing in Apache

Edit your site’s config file:

nano /etc/apache2/sites-available/your_site.conf

Add the following inside the VirtualHost block:

Header always set Access-Control-Allow-Origin "https://trusted-origin-domain.com"

Restart Apache:

systemctl restart apache2

Adding Cross-Origin Resource Sharing to Nginx:

Edit your site’s config file:

nano /etc/nginx/conf.d/your_site.conf

Add the following inside the server block:

add_header Access-Control-Allow-Origin "https://trusted-origin-domain.net";

Restart Nginx:

systemctl restart nginx

Cross-Origin Embedder Policy (COEP)

Cross-Origin Embedder Policy ensures that a document is allowed to load only resources that respect the same-origin policy or are marked as cross-origin available.

Header example:

Cross-Origin-Embedder-Policy: require-corp

Setting up Cross-Origin Embedder Policy in Apache:

Edit your site’s config file:

nano /etc/apache2/sites-available/your_site.conf

Add the following inside the VirtualHost block:

Header always set Cross-Origin-Embedder-Policy "require-corp"

Restart Apache:

systemctl restart apache2

Enabling Cross-Origin Embedder Policy in Nginx:

Edit your site’s config file:

nano /etc/nginx/conf.d/your_site.conf

Add the following inside the server block:

add_header Cross-Origin-Embedder-Policy "require-corp";

Restart Nginx:

systemctl restart nginx

Cross-Origin Opener Policy (COOP)

Continuing with our HTTP header security guide, the next one is Cross-Origin Opener Policy, a header that helps to prevent documents from different origins from sharing a browsing context, which shields us against side-channel attacks.

Header example:

Cross-Origin-Opener-Policy: same-origin

Enable Cross-Origin Opener Policy in Apache:

Edit your site’s config file:

nano /etc/apache2/sites-available/your_site.conf

Add the following inside the VirtualHost block:

Header always set Cross-Origin-Opener-Policy "same-origin"

Restart Apache:

systemctl restart apache2

How to configure Cross-Origin Opener Policy in Nginx:

Edit your site’s config file:

nano /etc/nginx/conf.d/your_site.conf

Add the following inside the server block:

add_header Cross-Origin-Opener-Policy "same-origin";

Restart Nginx:

systemctl restart nginx

Cross-Origin Resource Policy (CORP)

Cross-Origin Resource Policy is one of those must-have headers that we have included in this HTTP header security guide. This one restricts the resources a document can request, which increases security by enforcing same-origin or permitted cross-origin requests.

Header example:

Cross-Origin-Resource-Policy: same-origin

How to configure Cross-Origin Resource Policy in Apache:

Edit your site’s config file:

nano /etc/apache2/sites-available/your_site.conf

Add the following inside the VirtualHost block:

Header always set Cross-Origin-Resource-Policy "same-origin"

Restart Apache:

systemctl restart apache2

How to enable Cross-Origin Resource Policy in Nginx:

Edit your site’s config file:

nano /etc/nginx/conf.d/your_site.conf

Add the following inside the server block:

add_header Cross-Origin-Resource-Policy "same-origin";

Restart Nginx:

systemctl restart nginx

Feature-Policy

Feature-Policy has been replaced by Permissions-Policy. It was used to control features and APIs usage on the website. Like HPKP, we have included it in our HTTP header security guide for legacy and documentation purposes.

Header example:

Feature-Policy: geolocation 'self'

Enable Feature-Policy in Apache:

Edit your site’s config file:

nano /etc/apache2/sites-available/your_site.conf

Add the following inside the VirtualHost block:

Header always set Feature-Policy "geolocation 'self'"

Restart Apache:

systemctl restart apache2

How to add Feature-Policy to Nginx:

Edit your site’s config file:

nano /etc/nginx/conf.d/your_site.conf

Add the following inside the server block:

add_header Feature-Policy "geolocation 'self'";

Restart Nginx:

systemctl restart nginx

Expect-CT

Expect-CT allows sites to look into Certificate Transparency (CT) logs to detect and prevent certificate misissuance.

Header example:

Expect-CT: max-age=86400, enforce, report-uri="https://domain.com/report"

Add Expect-CT to Apache:

Edit your site’s config file:

nano /etc/apache2/sites-available/your_site.conf

Add the following inside the VirtualHost block:

Header always set Expect-CT "max-age=86400, enforce, report-uri='https://domain.com/report'"

Restart Apache:

systemctl restart apache2

How to configure Expect-CT in Nginx:

Edit your site’s config file:

nano /etc/nginx/conf.d/your_site.conf

Add the following inside the server block:

add_header Expect-CT "max-age=86400, enforce, report-uri='https://domain.com/report'";

Restart Nginx:

systemctl restart nginx

Timing-Allow-Origin

The Timing-Allow-Origin header specifies origins that are allowed to see resource timing data, which is used for performance monitoring.

Header example:

Timing-Allow-Origin: *

How to add Timing-Allow-Origin to Apache:

Edit your site’s config file:

nano /etc/apache2/sites-available/your_site.conf

Add the following inside the VirtualHost block:

Header always set Timing-Allow-Origin "*"

Restart Apache:

systemctl restart apache2

Configure Timing-Allow-Origin in Nginx:

Edit your site’s config file:

nano /etc/nginx/conf.d/your_site.conf

Add the following inside the server block:

add_header Timing-Allow-Origin "*";

Restart Nginx:

systemctl restart nginx

Server Signature

An HTTP header security guide can’t fulfill its purposes without mentioning the Server Signature, which hides server details in http responses to prevent information leakage.

How to configure Server Signature in Apache:

Edit Apache’s main config file:

nano /etc/apache2/apache2.conf

Add or modify the following lines:

ServerTokens Prod
ServerSignature Off

Restart Apache:

systemctl restart apache2

Disable Server Signature in Nginx:

Edit Nginx’s main config file:

nano /etc/nginx/nginx.conf

Add or modify the following line inside the http block:

server_tokens off;

Restart Nginx:

systemctl restart nginx

X-Recruiting

To close our HTTP header security guide, we have the famous X-Recruiting header. This one is a non-standard header used to attract developers, often indicating job openings.

Header example:

X-Recruiting: We are hiring! Please visit https://my-domain.com/careers

How to add X-Recruiting-Header to Apache:

Edit your site’s config file:

nano /etc/apache2/sites-available/your_site.conf

Add the following inside the VirtualHost block:

Header always set X-Recruiting "We are hiring! Please visit https://my-domain.com/jobs"

Restart Apache:

systemctl restart apache2

Enable X-Recruiting-Header in Nginx:

Edit your site’s config file:

nano /etc/nginx/conf.d/your_site.conf

Add the following inside the server block:

add_header X-Recruiting "We are hiring! Please visit https://my-domain.com/jobs";

Restart Nginx:

systemctl restart nginx

Conclusion

This HTTP header security guide makes clear that setting up the HTTP headers is one of the most important steps to protect your website. Each header serves a specific purpose and, collectively, all of them will fortify your site’s defense against many threats.

Before setting them up, make sure that you carefully evaluate the implications of each header and configure them to fit your security requirements. Our HTTP header security guide also features links that will lead you to in-depth articles with more information on each header, be sure to check them out.

Scroll to Top