WEB Course

Headers

This is often overlooked, but setting the headers your server sends with every response prevents some well-known attacks and stops information about your stack from leaking.


Hide Apache server version

You mustn't send your Apache version (or its module list) in responses, neither in the Server header nor in server-generated error pages. Edit the security configuration and set both directives (they already exist in that file; change their values, don't leave them commented out):

sudo nano /etc/apache2/conf-enabled/security.conf
# in that file, set:
ServerSignature Off
ServerTokens Prod
sudo service apache2 restart

With ServerTokens Prod the Server header only says "Apache"; ServerSignature Off removes the version footer from pages such as 404 errors. Check with: curl -sI https://your-host/ | grep -i '^server'

Common headers

X-Frame-Options

Prevents other sites from embedding your pages in an iframe (or frame/object), which is how clickjacking works.

Value: DENY or SAMEORIGIN. The ALLOW-FROM variant is obsolete and ignored by current browsers; to let specific origins frame you, use the CSP frame-ancestors directive instead (when both headers are present, browsers that support frame-ancestors use it and ignore X-Frame-Options).

Strict-Transport-Security (HTTP Strict Transport Security, HSTS)

The server asks the browser to remember, for max-age seconds, that this host must only be reached over HTTPS: later http:// links are upgraded before any request leaves the browser, and certificate errors can no longer be clicked through. This defeats man-in-the-middle protocol-downgrade (SSL-stripping) and cookie-hijacking attacks.

Value: "max-age=63072000" (two years), or "max-age=63072000; includeSubDomains" to cover every subdomain as well. The header is only honored when it arrives over HTTPS, so send it from the :443 virtual host; and think before adding includeSubDomains, because it also applies to subdomains that don't serve HTTPS yet.

X-Powered-By

Added by PHP (or whichever engine answered the request) and reveals its version in the response. Don't rewrite it to something else: remove it.

Value: none. Instead of "Header set X-Powered-By value", use "Header always unset X-Powered-By". With PHP you can also stop it at the source with expose_php = Off in php.ini.

X-XSS-Protection

Told older browsers to stop rendering the page when their built-in filter detected a reflected XSS. The filter is deprecated and has been removed from current browsers, and in some versions it could itself be abused, so rely on a Content-Security-Policy instead (see the MDN notes on this header).

Value: it used to be "1; mode=block". Now set it to "0", which explicitly turns the legacy filter off wherever it still exists.

X-Content-Type-Options

Stops the browser from "sniffing" the body and interpreting it as a type other than the one declared in the Content-Type header, for example executing an uploaded text file as JavaScript.

Value: "nosniff"

Content-Security-Policy (CSP)

Tells the browser which origins may provide CSS, JavaScript, images, media, fonts, frames, etc. for this page; anything not allowed is blocked, which turns most injected-script XSS into a console error instead of code execution.

Best practice is to disallow inline CSS and JavaScript (no 'unsafe-inline', no 'unsafe-eval'); beyond that, any policy is good as long as you know exactly whom you gave access to. This site's own response headers are a short example of allowing inline CSS/JavaScript (🤮, bad, 'unsafe-inline') and a few URLs. When you first deploy a policy you will see errors in the browser console telling you which domains/URLs you still have to add or remove; to collect those without breaking the site, ship the policy as Content-Security-Policy-Report-Only first and switch to the enforcing header once the console is quiet.

MDN documents every directive, and online CSP evaluators and generators can check an existing policy or build a starting point.

Referrer-Policy

The Referer request header tells the site a user navigates to which page they came from, query string included (which may hold tokens or search terms); inside your own site it tells you which page the user came from. Referrer-Policy controls how much of the URL is sent, and to whom.

Read the MDN page for this header to pick your value; its examples help. "strict-origin-when-cross-origin" (the default in current browsers) sends the full URL to your own origin and only the origin to other HTTPS sites.

Cross-Origin-Resource-Policy

Tells the browser which sites may load a resource (images, scripts, fonts) as a subresource; requests from other sites are blocked. This is a defense against cross-origin information leaks such as Spectre-style reads of your resources.

Values: same-site, same-origin, or cross-origin. same-site allows your own subdomains; same-origin is stricter and allows exactly the same scheme, host and port.

Permissions-Policy

Enables or disables browser features that your pages (and the iframes they embed) may use: accelerometer, camera, geolocation, ... The sensible default is to deny every feature you don't use, so that an injected script or a third-party frame cannot request them.

A simple version: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(). An empty list () denies the feature everywhere; (self) allows it for your own origin only. Look up the full list of feature names if you need the meaning of each option.

Some code (Apache; the Header directive needs mod_headers: sudo a2enmod headers)
<VirtualHost *:443>
    # ...
    # HSTS belongs in the HTTPS vhost only; add "; includeSubDomains" once every subdomain serves HTTPS
    Header always set Strict-Transport-Security "max-age=63072000"
    # remove the PHP version banner rather than rewriting it
    Header always unset X-Powered-By
    Header always set X-Frame-Options "deny"
    # legacy XSS filter explicitly off (it used to be "1; mode=block")
    Header always set X-XSS-Protection "0"
    Header always set X-Content-Type-Options "nosniff"

    # DO NOT FORGET TO SET Content-Security-Policy (CSP)
    # you must adapt this (add the hosts your website actually loads from)
    # this is only a skeleton, don't use it as-is, make yours;
    # frame-ancestors and base-uri don't inherit from default-src, so set them explicitly
    Header always set Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' some_domain_here; frame-ancestors 'none'; base-uri 'none'"

    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Cross-Origin-Resource-Policy "same-site"
    Header always set Permissions-Policy "accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()"
</VirtualHost>

Best security practices

You can test your headers with an online header scanner: it fetches your site and grades each header it sees (or doesn't see).

What values should I give to my headers?

Read the OWASP Secure Headers Project guide, which I used to make this page (though I discovered their guide after doing my headers 😭). Google also publishes a quick reference on security headers.
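An online scanner is the quickest check, but the same checks can run offline against whatever headers you captured. The following is an added example, not code from the course page: it audits a dict of response headers against the rules above (version leaks, HSTS lifetime, nosniff, the legacy XSS filter, clickjacking protection, the missing policy headers) and includes a small CSP parser that catches 'unsafe-inline', scheme-wide sources and the directives that don't inherit from default-src. The two sample responses are constructed, and the one-year HSTS minimum is an assumption of mine.

```python
"""Offline audit of HTTP response headers against the recommendations above.

Added example, not code from the original course page. It takes a plain dict of
header names/values (what curl -sI would show you), so the two sample responses
below are constructed and no network access is needed.
"""
import re

# Minimum HSTS lifetime accepted here: one year (assumption; preload lists require it).
MIN_HSTS_MAX_AGE = 31536000


def parse_csp(policy):
    """Split a CSP value into {directive: [sources]}; directive names are lowercased."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def check_csp(policy):
    """Findings for one Content-Security-Policy value (empty list = nothing found)."""
    findings = []
    d = parse_csp(policy)
    if "default-src" not in d:
        findings.append("CSP: no default-src fallback")
    for name in ("script-src", "style-src"):
        sources = d.get(name, d.get("default-src", []))  # these two fall back to default-src
        if "'unsafe-inline'" in sources:
            findings.append(f"CSP: {name} allows 'unsafe-inline'")
        if "'unsafe-eval'" in sources:
            findings.append(f"CSP: {name} allows 'unsafe-eval'")
        # "*" or a bare scheme such as https: / data: lets any host serve code
        if "*" in sources or any(s.endswith(":") for s in sources):
            findings.append(f"CSP: {name} allows a wildcard or scheme-wide source")
    if "object-src" not in d and "default-src" not in d:
        findings.append("CSP: object-src missing and no default-src to fall back on")
    if "base-uri" not in d:
        findings.append("CSP: base-uri missing (it does not fall back to default-src)")
    return findings


def audit_headers(headers):
    """Return a list of findings for a dict of response headers; [] means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # Information leakage: a version string in Server, or X-Powered-By at all.
    server = h.get("server", "")
    if re.search(r"/\d", server):
        findings.append(f"Server header leaks a version: {server!r}")
    if "x-powered-by" in h:
        findings.append("X-Powered-By is present; unset it")
    # HSTS: present, at least a year, ideally covering subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS does not include subdomains")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    # Legacy XSS filter: absent or "0" is fine, "1..." re-enables a removed, abusable feature.
    if h.get("x-xss-protection", "0").strip().startswith("1"):
        findings.append("X-XSS-Protection enables the deprecated filter; set it to 0")
    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or a CSP frame-ancestors directive.
    csp = h.get("content-security-policy")
    xfo = h.get("x-frame-options", "").strip().upper()
    framed = xfo in ("DENY", "SAMEORIGIN") or (csp is not None and "frame-ancestors" in parse_csp(csp))
    if not framed:
        findings.append("No clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is obsolete; use CSP frame-ancestors")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        findings.extend(check_csp(csp))
    for name in ("Referrer-Policy", "Permissions-Policy", "Cross-Origin-Resource-Policy"):
        if name.lower() not in h:
            findings.append(f"{name} missing")
    return findings


# Constructed sample: a default-ish LAMP box with a few half-measures.
WEAK_RESPONSE = {
    "Server": "Apache/2.4.57 (Debian)",
    "X-Powered-By": "PHP/8.2.7",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
}

# Constructed sample: the hardened set from the Apache config above.
HARDENED_RESPONSE = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "deny",
    "X-XSS-Protection": "0",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; style-src 'self'; "
                               "img-src 'self'; frame-ancestors 'none'; base-uri 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Resource-Policy": "same-site",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=(), usb=()",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found = audit_headers(response)
        print(f"{label}: {len(found)} finding(s)")
        for finding in found:
            print("  -", finding)
```

To audit a live site, feed it the headers from curl -sI (or a requests response's headers) instead of the constructed dicts; the weak sample produces fourteen findings, the hardened one none. The CSP checker only looks at script-src and style-src for inline/wildcard sources on purpose: a data: or https: source in img-src is a much smaller problem than in script-src.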


Headers in PHP

You can also set your headers from PHP with header(). It must be called before any output is sent (even a blank line before <?php counts), because the headers leave with the first byte of the body. header() replaces a header of the same name the server already set; to drop one entirely (for example X-Powered-By) use header_remove("X-Powered-By").

header("Cross-Origin-Resource-Policy: same-site");
header("Referrer-Policy: strict-origin-when-cross-origin");
// legacy filter explicitly off, consistent with the Apache config above
header("X-XSS-Protection: 0");
header("Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()");