{"id":503,"date":"2024-07-13T22:09:50","date_gmt":"2024-07-13T22:09:50","guid":{"rendered":"https:\/\/protocolguard.com\/resources\/?p=503"},"modified":"2024-12-14T20:50:56","modified_gmt":"2024-12-14T20:50:56","slug":"http-header-security-guide","status":"publish","type":"post","link":"https:\/\/protocolguard.com\/resources\/http-header-security-guide\/","title":{"rendered":"The Complete HTTP Header Security Guide"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div>\n<p>Securing your website is essential for protecting your business and users&#8217; data. One of the key steps in web security is addressing <a href=\"https:\/\/protocolguard.com\/resources\/top-http-misconfigurations\/\">common HTTP misconfigurations<\/a>, especially in HTTP headers. In this guide, we\u2019ll walk you through the best practices for configuring HTTP headers to help you safeguard your site and prevent potential vulnerabilities.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#http-header-security-guide\">HTTP Header Security Guide<\/a><ul><li><a href=\"#http-strict-transport-security-hsts\">HTTP Strict Transport Security (HSTS)<\/a><\/li><li><a href=\"#content-security-policy-csp\">Content Security Policy (CSP)<\/a><\/li><li><a href=\"#x-frame-options\">X-Frame-Options<\/a><\/li><li><a href=\"#x-xss-protection\">X-XSS-Protection<\/a><\/li><li><a href=\"#x-content-type-options\">X-Content-Type-Options<\/a><\/li><li><a href=\"#referrer-policy\">Referrer-Policy<\/a><\/li><li><a href=\"#permissions-policy\">Permissions-Policy<\/a><\/li><li><a href=\"#http-public-key-pinning-hpkp\">HTTP Public Key Pinning (HPKP)<\/a><\/li><li><a href=\"#cross-origin-resource-sharing-cors\">Cross-Origin Resource Sharing (CORS)<\/a><\/li><li><a href=\"#cross-origin-embedder-policy-coep\">Cross-Origin Embedder Policy (COEP)<\/a><\/li><li><a href=\"#cross-origin-opener-policy-coop\">Cross-Origin Opener Policy 
(COOP)<\/a><\/li><li><a href=\"#cross-origin-resource-policy-corp\">Cross-Origin Resource Policy (CORP)<\/a><\/li><li><a href=\"#feature-policy\">Feature-Policy<\/a><\/li><li><a href=\"#expect-ct\">Expect-CT<\/a><\/li><li><a href=\"#timing-allow-origin\">Timing-Allow-Origin<\/a><\/li><li><a href=\"#server-signature\">Server Signature<\/a><\/li><li><a href=\"#x-recruiting\">X-Recruiting<\/a><\/li><\/ul><\/li><li><a href=\"#conclusion\">Conclusion<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"http-header-security-guide\">HTTP Header Security Guide<\/h2>\n\n\n\n<p><a href=\"https:\/\/protocolguard.com\/resources\/what-are-http-headers\/\" data-type=\"link\" data-id=\"https:\/\/protocolguard.com\/resources\/what-are-http-headers\/\">HTTP headers provide control over how web content is handled<\/a>, which helps to stop attacks and enforce secure communication between the server and the user. In this HTTP header security guide, we will cover the most important HTTP headers that you need to set to achieve a high level of security on your site.<\/p>\n\n\n\n<p>Keep in mind that this guide focuses on security headers. There are many more headers that are not related to <a href=\"https:\/\/protocolguard.com\/resources\/security-misconfigurations\/\" data-type=\"link\" data-id=\"https:\/\/protocolguard.com\/resources\/security-misconfigurations\/\">security misconfigurations<\/a>; if you want to check them out, visit <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\" target=\"_blank\" rel=\"noopener\">Mozilla&#8217;s MDN Web Docs<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"http-strict-transport-security-hsts\">HTTP Strict Transport Security (HSTS)<\/h3>\n\n\n\n<p>The first header in our HTTP header security guide is the famous <a href=\"https:\/\/protocolguard.com\/resources\/what-is-hsts\/\">HTTP Strict Transport Security (HSTS)<\/a>, which forces a secure (https) connection to the 
server. This prevents attacks like protocol downgrading and cookie hijacking. Only include the preload directive if you intend to submit the domain to the browser preload list, since inclusion is hard to reverse.<\/p>\n\n\n\n<p>Header example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Strict-Transport-Security: max-age=3000000; includeSubDomains;<\/pre>\n\n\n\n<p>How to set HSTS in Apache:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/apache2\/sites-available\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the VirtualHost block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\"<\/pre>\n\n\n\n<p>Restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<p>Setting HSTS in Nginx:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/nginx\/conf.d\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the server block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">add_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\";<\/pre>\n\n\n\n<p>Restart Nginx:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart nginx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"content-security-policy-csp\">Content Security Policy (CSP)<\/h3>\n\n\n\n<p><a href=\"https:\/\/protocolguard.com\/resources\/what-is-the-csp-header\/\">Content Security Policy<\/a> controls the resources that the user agent can load for a given page, mitigating XSS and other injection attacks. Note that host sources such as https:\/\/trusted.domain.com are written without quotes; single quotes are reserved for keywords like 'self', and a quoted URL is ignored by the browser.<\/p>\n\n\n\n<p>Header example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Content-Security-Policy: default-src 'self'; script-src 'self' https:\/\/trusted.domain.com<\/pre>\n\n\n\n<p>How to set CSP in Apache:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/apache2\/sites-available\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the VirtualHost 
block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set Content-Security-Policy \"default-src 'self'; script-src 'self' https:\/\/trusted.domain.com\"<\/pre>\n\n\n\n<p>Restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<p>Configuring CSP in Nginx:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/nginx\/conf.d\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the server block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">add_header Content-Security-Policy \"default-src 'self'; script-src 'self' https:\/\/trusted.domain.com\";<\/pre>\n\n\n\n<p>Restart Nginx:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart nginx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"x-frame-options\">X-Frame-Options<\/h3>\n\n\n\n<p>Continuing with our HTTP header security guide, we have <a href=\"https:\/\/protocolguard.com\/resources\/what-is-the-x-frame-options-header\/\">X-Frame-Options<\/a>, a header that prevents a webpage from being framed to avoid clickjacking attacks. Modern browsers also honor the CSP frame-ancestors directive, which takes precedence when both are set.<\/p>\n\n\n\n<p>Header example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">X-Frame-Options: DENY<\/pre>\n\n\n\n<p>Setting up X-Frame-Options in Apache:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/apache2\/sites-available\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the VirtualHost block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set X-Frame-Options \"DENY\"<\/pre>\n\n\n\n<p>Restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<p>How to add X-Frame-Options to Nginx:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/nginx\/conf.d\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the server block:<\/p>\n\n\n\n<pre 
class=\"wp-block-preformatted\">add_header X-Frame-Options \"DENY\";<\/pre>\n\n\n\n<p>Restart Nginx:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart nginx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"x-xss-protection\">X-XSS-Protection<\/h3>\n\n\n\n<p><a href=\"https:\/\/protocolguard.com\/resources\/what-is-the-x-xss-protection-header\/\">X-XSS-Protection<\/a> provides cross-site scripting (XSS) filtering in browsers.<\/p>\n\n\n\n<p>Header example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">X-XSS-Protection: 1; mode=block<\/pre>\n\n\n\n<p>Adding X-XSS-Protection to Apache:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/apache2\/sites-available\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the VirtualHost block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set X-XSS-Protection \"1; mode=block\"<\/pre>\n\n\n\n<p>Restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<p>How to configure X-XSS-Protection in Nginx:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/nginx\/conf.d\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the server block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">add_header X-XSS-Protection \"1; mode=block\";<\/pre>\n\n\n\n<p>Restart Nginx:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart nginx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"x-content-type-options\">X-Content-Type-Options<\/h3>\n\n\n\n<p>The <a href=\"https:\/\/protocolguard.com\/resources\/what-is-x-content-type-options\/\">X-Content-Type-Options<\/a> header is another important component of the HTTP header security guide, because it protects us from MIME type sniffing, which enhances security by enforcing the declared content type.<\/p>\n\n\n\n<p>Header example:<\/p>\n\n\n\n<pre 
class=\"wp-block-preformatted\">X-Content-Type-Options: nosniff<\/pre>\n\n\n\n<p>Add X-Content-Type-Options to Apache:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/apache2\/sites-available\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the VirtualHost block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set X-Content-Type-Options \"nosniff\"<\/pre>\n\n\n\n<p>Restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<p>Enabling X-Content-Type-Options in Nginx:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/nginx\/conf.d\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the server block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">add_header X-Content-Type-Options \"nosniff\";<\/pre>\n\n\n\n<p>Restart Nginx:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart nginx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"referrer-policy\">Referrer-Policy<\/h3>\n\n\n\n<p><a href=\"https:\/\/protocolguard.com\/resources\/what-is-referrer-policy\/\">Referrer-Policy<\/a> indicates how much referrer information should be included with requests.<\/p>\n\n\n\n<p>Header example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Referrer-Policy: no-referrer<\/pre>\n\n\n\n<p>Enable Referrer-Policy in Apache:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/apache2\/sites-available\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the VirtualHost block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set Referrer-Policy \"no-referrer\"<\/pre>\n\n\n\n<p>Restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<p>Set Referrer-Policy in Nginx:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre 
class=\"wp-block-preformatted\">nano \/etc\/nginx\/conf.d\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the server block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">add_header Referrer-Policy \"no-referrer\";<\/pre>\n\n\n\n<p>Restart Nginx:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart nginx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"permissions-policy\">Permissions-Policy<\/h3>\n\n\n\n<p><a href=\"https:\/\/protocolguard.com\/resources\/what-is-permissions-policy\/\">Permissions-Policy<\/a> is the next step in this HTTP header security guide. Permissions-Policy controls access to features and APIs like geolocation, camera, and microphone.<\/p>\n\n\n\n<p>Header example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Permissions-Policy: geolocation=(), camera=(), microphone=()<\/pre>\n\n\n\n<p>Enable Permissions-Policy in Apache:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/apache2\/sites-available\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the VirtualHost block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set Permissions-Policy \"geolocation=(), camera=(), microphone=()\"<\/pre>\n\n\n\n<p>Restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<p>How to add Permissions-Policy to Nginx:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/nginx\/conf.d\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the server block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">add_header Permissions-Policy \"geolocation=(), camera=(), microphone=()\";<\/pre>\n\n\n\n<p>Restart Nginx:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart nginx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"http-public-key-pinning-hpkp\">HTTP Public Key Pinning (HPKP)<\/h3>\n\n\n\n<p><a 
href=\"https:\/\/protocolguard.com\/resources\/http-public-key-pinning\/\">HTTP Public Key Pinning<\/a> is used to prevent MITM attacks by pinning the server\u2019s public key. Keep in mind that this header is currently deprecated. We have decided to include it in our HTTP header security guide for legacy and documentation purposes.<\/p>\n\n\n\n<p>Header example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Public-Key-Pins: pin-sha256=\"base64+primary==\"; max-age=2592000; includeSubDomains; report-uri=\"https:\/\/domain.com\/hpkp-report\"<\/pre>\n\n\n\n<p>Setting up HPKP is not recommended due to the risk of site lockout and other security issues. Modern browsers have deprecated support for it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"cross-origin-resource-sharing-cors\">Cross-Origin Resource Sharing (CORS)<\/h3>\n\n\n\n<p><a href=\"https:\/\/protocolguard.com\/resources\/cross-origin-resource-sharing-cors\/\">Cross-Origin Resource Sharing<\/a> controls how resources on your site can be requested from another domain, this adds a layer of security for cross-origin interactions.<\/p>\n\n\n\n<p>Header example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Access-Control-Allow-Origin: https:\/\/trusted-origin-domain.com<\/pre>\n\n\n\n<p>How to configure Cross-Origin Resource Sharing in Apache<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/apache2\/sites-available\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the VirtualHost block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set Access-Control-Allow-Origin \"https:\/\/trusted-origin-domain.com\"<\/pre>\n\n\n\n<p>Restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<p>Adding Cross-Origin Resource Sharing to Nginx:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano 
\/etc\/nginx\/conf.d\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the server block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">add_header Access-Control-Allow-Origin \"https:\/\/trusted-origin-domain.com\";<\/pre>\n\n\n\n<p>Restart Nginx:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart nginx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"cross-origin-embedder-policy-coep\">Cross-Origin Embedder Policy (COEP)<\/h3>\n\n\n\n<p><a href=\"https:\/\/protocolguard.com\/resources\/cross-origin-embedder-policy\/\">Cross-Origin Embedder Policy<\/a> ensures that a document loads only same-origin resources or cross-origin resources that explicitly opt in through CORS or Cross-Origin Resource Policy.<\/p>\n\n\n\n<p>Header example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Cross-Origin-Embedder-Policy: require-corp<\/pre>\n\n\n\n<p>Setting up Cross-Origin Embedder Policy in Apache:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/apache2\/sites-available\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the VirtualHost block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set Cross-Origin-Embedder-Policy \"require-corp\"<\/pre>\n\n\n\n<p>Restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<p>Enabling Cross-Origin Embedder Policy in Nginx:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/nginx\/conf.d\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the server block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">add_header Cross-Origin-Embedder-Policy \"require-corp\";<\/pre>\n\n\n\n<p>Restart Nginx:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart nginx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"cross-origin-opener-policy-coop\">Cross-Origin Opener Policy (COOP)<\/h3>\n\n\n\n<p>Continuing with our HTTP header 
security guide, the next one is <a href=\"https:\/\/protocolguard.com\/resources\/what-is-cross-origin-opener-policy\/\">Cross-Origin Opener Policy<\/a>, a header that helps to prevent documents from different origins from sharing a browsing context, which shields us against side-channel attacks.<\/p>\n\n\n\n<p>Header example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Cross-Origin-Opener-Policy: same-origin<\/pre>\n\n\n\n<p>Enable Cross-Origin Opener Policy in Apache:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/apache2\/sites-available\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the VirtualHost block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set Cross-Origin-Opener-Policy \"same-origin\"<\/pre>\n\n\n\n<p>Restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<p>How to configure Cross-Origin Opener Policy in Nginx:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/nginx\/conf.d\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the server block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">add_header Cross-Origin-Opener-Policy \"same-origin\";<\/pre>\n\n\n\n<p>Restart Nginx:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart nginx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"cross-origin-resource-policy-corp\">Cross-Origin Resource Policy (CORP)<\/h3>\n\n\n\n<p><a href=\"https:\/\/protocolguard.com\/resources\/cross-origin-resource-policy-corp\/\">Cross-Origin Resource Policy<\/a> is one of those must-have headers that we have included in this HTTP header security guide. 
This one lets the server declare which origins may load a resource, so requests for it from other origins are blocked unless they are same-origin or explicitly permitted.<\/p>\n\n\n\n<p>Header example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Cross-Origin-Resource-Policy: same-origin<\/pre>\n\n\n\n<p>How to configure Cross-Origin Resource Policy in Apache:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/apache2\/sites-available\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the VirtualHost block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set Cross-Origin-Resource-Policy \"same-origin\"<\/pre>\n\n\n\n<p>Restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<p>How to enable Cross-Origin Resource Policy in Nginx:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/nginx\/conf.d\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the server block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">add_header Cross-Origin-Resource-Policy \"same-origin\";<\/pre>\n\n\n\n<p>Restart Nginx:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart nginx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"feature-policy\">Feature-Policy<\/h3>\n\n\n\n<p><a href=\"https:\/\/protocolguard.com\/resources\/feature-policy\/\">Feature-Policy<\/a> has been replaced by Permissions-Policy. It was used to control the use of features and APIs on the website. 
Like HPKP, we have included it in our HTTP header security guide for legacy and documentation purposes.<\/p>\n\n\n\n<p>Header example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Feature-Policy: geolocation 'self'<\/pre>\n\n\n\n<p>Enable Feature-Policy in Apache:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/apache2\/sites-available\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the VirtualHost block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set Feature-Policy \"geolocation 'self'\"<\/pre>\n\n\n\n<p>Restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<p>How to add Feature-Policy to Nginx:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/nginx\/conf.d\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the server block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">add_header Feature-Policy \"geolocation 'self'\";<\/pre>\n\n\n\n<p>Restart Nginx:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart nginx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"expect-ct\">Expect-CT<\/h3>\n\n\n\n<p><a href=\"https:\/\/protocolguard.com\/resources\/what-is-expect-ct\/\">Expect-CT<\/a> lets a site require that its certificates appear in Certificate Transparency (CT) logs, so that misissued certificates can be detected and reported. The header is now deprecated: Chrome, the only major browser that implemented it, removed support because CT is enforced by default, so it is also included here mainly for documentation purposes.<\/p>\n\n\n\n<p>Header example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Expect-CT: max-age=86400, enforce, report-uri=\"https:\/\/domain.com\/report\"<\/pre>\n\n\n\n<p>Add Expect-CT to Apache:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/apache2\/sites-available\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the VirtualHost block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set Expect-CT \"max-age=86400, enforce, 
report-uri=\\\"https:\/\/domain.com\/report\\\"\"<\/pre>\n\n\n\n<p>Restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<p>How to configure Expect-CT in Nginx:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/nginx\/conf.d\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the server block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">add_header Expect-CT \"max-age=86400, enforce, report-uri=\\\"https:\/\/domain.com\/report\\\"\";<\/pre>\n\n\n\n<p>Restart Nginx:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart nginx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"timing-allow-origin\">Timing-Allow-Origin<\/h3>\n\n\n\n<p>The <a href=\"https:\/\/protocolguard.com\/resources\/timing-allow-origin\/\">Timing-Allow-Origin<\/a> header specifies origins that are allowed to see resource timing data, which is used for performance monitoring. A wildcard exposes timing details to every origin, so restrict it to the origins of your own monitoring tools where possible.<\/p>\n\n\n\n<p>Header example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Timing-Allow-Origin: *<\/pre>\n\n\n\n<p>How to add Timing-Allow-Origin to Apache:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/apache2\/sites-available\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the VirtualHost block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set Timing-Allow-Origin \"*\"<\/pre>\n\n\n\n<p>Restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<p>Configure Timing-Allow-Origin in Nginx:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/nginx\/conf.d\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the server block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">add_header Timing-Allow-Origin \"*\";<\/pre>\n\n\n\n<p>Restart Nginx:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl 
restart nginx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"server-signature\">Server Signature<\/h3>\n\n\n\n<p>An HTTP header security guide can&#8217;t fulfill its purposes without mentioning the <a href=\"https:\/\/protocolguard.com\/resources\/what-is-server-signature\/\">Server Signature<\/a>, which hides server details in http responses to prevent information leakage.<\/p>\n\n\n\n<p>How to configure Server Signature in Apache:<\/p>\n\n\n\n<p>Edit Apache\u2019s main config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/apache2\/apache2.conf<\/pre>\n\n\n\n<p>Add or modify the following lines:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ServerTokens Prod\nServerSignature Off<\/pre>\n\n\n\n<p>Restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<p>Disable Server Signature in Nginx:<\/p>\n\n\n\n<p>Edit Nginx\u2019s main config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/nginx\/nginx.conf<\/pre>\n\n\n\n<p>Add or modify the following line inside the http block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">server_tokens off;<\/pre>\n\n\n\n<p>Restart Nginx:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart nginx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"x-recruiting\">X-Recruiting<\/h3>\n\n\n\n<p>To close our HTTP header security guide, we have the famous <a href=\"https:\/\/protocolguard.com\/resources\/what-is-the-x-recruiting-header\/\">X-Recruiting header<\/a>. This one is a non-standard header used to attract developers, often indicating job openings.<\/p>\n\n\n\n<p>Header example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">X-Recruiting: We are hiring! 
Please visit https:\/\/my-domain.com\/careers<\/pre>\n\n\n\n<p>How to add X-Recruiting-Header to Apache:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/apache2\/sites-available\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the VirtualHost block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set X-Recruiting \"We are hiring! Please visit https:\/\/my-domain.com\/jobs\"<\/pre>\n\n\n\n<p>Restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<p>Enable X-Recruiting-Header in Nginx:<\/p>\n\n\n\n<p>Edit your site&#8217;s config file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nano \/etc\/nginx\/conf.d\/your_site.conf<\/pre>\n\n\n\n<p>Add the following inside the server block:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">add_header X-Recruiting \"We are hiring! Please visit https:\/\/my-domain.com\/jobs\";<\/pre>\n\n\n\n<p>Restart Nginx:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart nginx<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"conclusion\">Conclusion<\/h2>\n\n\n\n<p>This HTTP header security guide makes clear that setting up the HTTP headers is one of the most important steps to protect your website. Each header serves a specific purpose and, collectively, all of them will fortify your site\u2019s defense against many threats.<\/p>\n\n\n\n<p>Before setting them up, make sure that you carefully evaluate the implications of each header and configure them to fit your security requirements. Our HTTP header security guide also features links that will lead you to in-depth articles with more information on each header, be sure to check them out.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Securing your website is essential for protecting your business and users&#8217; data. One of the key steps in web security is addressing common HTTP misconfigurations, especially in HTTP headers. 
In this guide, we\u2019ll walk you through the best practices for configuring HTTP headers to help you safeguard your site and prevent potential vulnerabilities. HTTP Header [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":544,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[1],"tags":[],"class_list":["post-503","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-http-security"],"uagb_featured_image_src":{"full":["https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2024\/07\/http-header-security-guide.jpg",1200,628,false],"thumbnail":["https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2024\/07\/http-header-security-guide-150x150.jpg",150,150,true],"medium":["https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2024\/07\/http-header-security-guide-300x157.jpg",300,157,true],"medium_large":["https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2024\/07\/http-header-security-guide-768x402.jpg",768,402,true],"large":["https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2024\/07\/http-header-security-guide-1024x536.jpg",1024,536,true],"1536x1536":["https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2024\/07\/http-header-security-guide.jpg",1200,628,false],"2048x2048":["https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2024\/07\/http-header-security-guide.jpg",1200,628,false]},"uagb_author_info":{"display_name":"ProtocolGuard Research Team","author_link":"https:\/\/protocolguard.com\/resources\/author\/researchadmin\/"},"uagb_comment_info":0,"uagb_excerpt":"Securing your website is essential for protecting your business and users&#8217; data. One of the key steps in web security is addressing common HTTP misconfigurations, especially in HTTP headers. In this guide, we\u2019ll walk you through the best practices for configuring HTTP headers to help you safeguard your site and prevent potential vulnerabilities. 
HTTP Header&hellip;","_links":{"self":[{"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/posts\/503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/comments?post=503"}],"version-history":[{"count":3,"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/posts\/503\/revisions"}],"predecessor-version":[{"id":861,"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/posts\/503\/revisions\/861"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/media\/544"}],"wp:attachment":[{"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/media?parent=503"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/categories?post=503"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/tags?post=503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}