Scan on https://securityheaders.com/
More info: https://htaccessbook.com/important-security-headers/
In NL: https://netspecialist.nl/security/516-security-headers
Set this in .htaccess
Code from Mario Guagliardo on Facebook.
<IfModule mod_headers.c>
    # HSTS: only sent on HTTPS responses (env=HTTPS); max-age is in seconds, see the table below
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
    # Legacy XSS filter header; current Chromium and Firefox no longer act on it
    Header set X-XSS-Protection "1; mode=block"
    # Stop browsers from guessing (sniffing) a MIME type other than the declared one
    Header set X-Content-Type-Options nosniff
    # Only allow this site to frame its own pages
    Header set X-Frame-Options SAMEORIGIN
    # Written like the other directives: header name, space, value (no colon after the name)
    Header set Referrer-Policy no-referrer-when-downgrade
</IfModule>
* includeSubDomains may be omitted if subdomains should not load over HTTPS:
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
This is the HTTP Strict Transport Security (HSTS) setting. It protects websites against man-in-the-middle attacks such as protocol downgrades and cookie hijacking. It informs browsers, on the first visit over HTTPS, that the site should only be accessed using HTTPS, and that any future attempt to access it using HTTP should automatically be converted to HTTPS.
If you use 'preload', even the first visit has to be HTTPS; see https://hstspreload.org/
More info here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
The max-age value is in seconds. 1 or 2 years is recommended. The value is refreshed each time the browser visits the website. Set it to 0 to expire the setting, e.g. when you move the website to a different host.
| Duration | max-age (seconds) |
|---|---|
| 1 minute | 60 |
| 1 hour | 3600 |
| 1 day | 86400 |
| 1 week | 604800 |
| 30 days | 2592000 |
| 1 year | 31536000 |
| 2 years | 63072000 |
Header set X-Frame-Options SAMEORIGIN
Prevents your website from being loaded in an iframe. Two values:
- SAMEORIGIN: use this if your pages may only be embedded on your own website. You need this if you want to use the Divi editor in the backend.
- DENY: use this if it is not allowed to embed your pages anywhere, not even on your own site.
Header set X-XSS-Protection "1; mode=block"
This instructs browsers that support it to block the page when they detect a reflected Cross Site Scripting (XSS) attack in the request.
Header set X-Content-Type-Options nosniff
Enables supporting browsers to protect against MIME-type sniffing exploits. It does this by disabling the browser's MIME sniffing feature and forcing it to use the MIME type declared by the origin server.
Header set Referrer-Policy: no-referrer-when-downgrade
The Referer header contains information about where a request is coming from. So if you are at example.com and click a link from there to domain.tld, the Referer header would specify example.com as the "referring" URL. With this setting you control whether this referrer info is passed along. The advice is to set it so that no referrer info is passed if your site uses HTTPS and the link target website uses HTTP. This is more about privacy than security.
Content-Security-Policy
Extra protection against Cross Site Scripting. It lets you list the domains from which scripts (and other resources) may or may not be loaded.
This is a difficult one to use because you need to know exactly which resources your website uses (such as scripts, fonts etc. that the theme or browser loads from other domains). Therefore this setting is not included in the example above.
Permissions-Policy
This allows a site to control which features (camera, microphone, payment requests, accelerometer, autoplay etc.) and APIs can be used in the browser. It limits the damage if a hacker has added something to the website that tries to enable such a feature.
This is a name change for Feature Policy: it has the same functionality but a slightly different format.
More info: https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
Feature Policy
This allows a site to control which features (camera, accelerometer, autoplay etc.) and APIs can be used in the browser. It limits the damage if a hacker has added something to the website that tries to enable such a feature.
More info: https://scotthelme.co.uk/a-new-security-header-feature-policy/
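To verify what the .htaccess snippet actually sends, before or instead of running the securityheaders.com scan, here is an added offline checker (example code, not from this page or its sources). It applies this page's advice to a set of response headers: HSTS present with max-age of at least one year, nosniff, a DENY/SAMEORIGIN frame option, a valid Referrer-Policy value, and a Content-Security-Policy. The two sample header sets are constructed for the example; the header names and values are the ones discussed above.

```python
import re

ONE_YEAR = 31536000  # seconds; the max-age used in the .htaccess example above

# Referrer-Policy values defined by the spec; anything else is a typo the browser ignores.
REFERRER_POLICIES = {"no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
                     "strict-origin", "origin-when-cross-origin",
                     "strict-origin-when-cross-origin", "unsafe-url"}

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    directives = [d.strip().lower() for d in value.split(";")]
    m = next((re.fullmatch(r"max-age=(\d+)", d) for d in directives if d.startswith("max-age=")), None)
    return (int(m.group(1)) if m else None), "includesubdomains" in directives

def check_headers(headers):
    """Map each problematic header name to a short finding; {} means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = {}
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing"
    else:
        max_age, _ = parse_hsts(hsts)
        if max_age is None:
            findings["Strict-Transport-Security"] = "no max-age directive"
        elif max_age < ONE_YEAR:
            findings["Strict-Transport-Security"] = f"max-age {max_age} is below one year"
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings["X-Content-Type-Options"] = "missing or not 'nosniff'"
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings["X-Frame-Options"] = "missing or not DENY/SAMEORIGIN"
    if h.get("referrer-policy", "").lower() not in REFERRER_POLICIES:
        findings["Referrer-Policy"] = "missing or not a valid policy value"
    if "content-security-policy" not in h:
        findings["Content-Security-Policy"] = "missing"
    return findings

# Constructed sample responses: what the .htaccess snippet above sends, and a weak variant.
SAMPLE_GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
               "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN",
               "Referrer-Policy": "no-referrer-when-downgrade"}
SAMPLE_WEAK = {"Strict-Transport-Security": "max-age=3600",   # one hour, far too short
               "X-Content-Type-Options": "nosniff", "Referrer-Policy": "no-referer"}  # typo

if __name__ == "__main__":
    for name, problem in sorted(check_headers(SAMPLE_WEAK).items()):
        print(f"{name}: {problem}")
```

To check a live site, pass it `dict(resp.getheaders())` from a `urllib.request.urlopen` response instead of the sample; note that even the snippet's own headers still get a Content-Security-Policy finding, which is why the scan above will not give a top grade without one.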