This is often overlooked, but setting the headers that your server sends when it replies to a request will prevent some well-known attacks and stop information from leaking.
Hide Apache server version
You mustn't send your Apache version in the response.

```bash
sudo nano /etc/apache2/conf-enabled/security.conf
# add or update these two directives in the file:
#   ServerSignature Off
#   ServerTokens Prod
sudo service apache2 restart
```
| Header | Purpose |
|---|---|
| X-Frame-Options | Prevents anyone from opening your website inside an iframe, which blocks the clickjacking attack. |
| HTTP Strict Transport Security (HSTS) | Value: you can use |
| X-Powered-By | Do not show the PHP version (or that of whatever answers the request) in the response. Value: instead of "set header_name value", use "unset header". |
| X-XSS-Protection | Prevents the page from loading if an XSS attack was detected (deprecated and removed; use CSP instead, you may read the MDN notes). |
| X-Content-Type-Options | The browser shouldn't interpret the content differently from what the "Content-Type" header says. |
| Referrer-Policy | The referrer is a header telling another website which website the user is coming from. Internally, it tells you which page the user is coming from. You should read this page by MDN to pick your value; the examples help. |
| Cross-Origin-Resource-Policy | Tells who can read resources (img, scripts). |
| Permissions-Policy | You can enable or disable features that your website might use (accelerometer, camera, ...). The usual behavior is to disable everything. |
The simple version would be:

```apache
# requires mod_headers (sudo a2enmod headers)
<VirtualHost *:443>
    # ...
    Header always set Strict-Transport-Security "max-age=63072000"
    Header always unset X-Powered-By
    Header always set X-Frame-Options "deny"
    # set to 0
    # Header always set X-XSS-Protection "1; mode=block"
    Header always set X-XSS-Protection "0"
    Header always set X-Content-Type-Options "nosniff"
    # DO NOT FORGET TO SET Content-Security-Policy (CSP)
    # you must adapt this (add the hosts that your website can use)
    # here is some code, but don't use this code, make yours
    Header always set Content-Security-Policy "default-src 'none';script-src 'self';style-src 'self';img-src 'self' some_domain_here;"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Cross-Origin-Resource-Policy "same-site"
    Header always set Permissions-Policy "accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()"
</VirtualHost>
```
Best security practices
You can test your headers with:
- Mozilla Observatory
- Security Headers
- Venom (tests an internal website; read this gist)
- Postman (software)
- `curl -I https://memorize.be/` (😎, but without the advice the others give 😶)
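As an added example (not code from the original page), a small Python audit that parses a `curl -I` style header block and reports which of the headers discussed above are missing, leak information, or carry a value this page advises against. The one-year HSTS threshold is an assumption, and the two sample responses are constructed, not captured from any real server.

```python
import re

def parse_headers(raw):
    """Parse a `curl -I` style header block into a lowercase-keyed dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(raw):
    """List headers that are missing, leak information, or carry a value this page advises against."""
    h = parse_headers(raw)
    findings = []
    if "x-powered-by" in h:  # leaks the PHP version: unset it
        findings.append("X-Powered-By is sent (unset it)")
    if re.search(r"\d", h.get("server", "")):  # ServerTokens Prod hides the version
        findings.append("Server header reveals a version")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < 31536000:  # one year, an assumed threshold
        findings.append("HSTS missing or max-age below one year")
    if h.get("x-frame-options", "").lower() not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options not DENY/SAMEORIGIN (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    for name in ("content-security-policy", "referrer-policy",
                 "cross-origin-resource-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name} is missing")
    # the deprecated XSS filter: the page sets it to 0 and relies on CSP instead
    if h.get("x-xss-protection", "0").split(";")[0].strip() != "0":
        findings.append("X-XSS-Protection should be 0")
    return findings

# Constructed sample responses, not captured from any real server
WEAK = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
X-XSS-Protection: 1; mode=block
"""
HARDENED = """HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=63072000
X-Frame-Options: deny
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'none'; script-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
Cross-Origin-Resource-Policy: same-site
Permissions-Policy: camera=(), microphone=()
X-XSS-Protection: 0
"""
```

Feed it the output of `curl -I` on your own site: `audit_headers(WEAK)` lists ten findings, `audit_headers(HARDENED)` returns an empty list.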
What values should I give to my headers?
- either check the headers of the top websites (enter the command on your PC; the result changes)
- or read the OWASP proposal (the page seems a bit old)
Headers in PHP
You can set your headers in PHP (call header() before any output is sent):

```php
<?php
header("Cross-Origin-Resource-Policy: same-site");
header("Referrer-Policy: strict-origin-when-cross-origin");
// deprecated filter: set to 0, as in the Apache config above, and rely on CSP
header("X-XSS-Protection: 0");
header("Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()");
```