{"id":3942,"date":"2018-11-21T05:44:52","date_gmt":"2018-11-21T05:44:52","guid":{"rendered":"https:\/\/www.appservgrid.com\/paw92\/?p=3942"},"modified":"2018-12-07T03:03:09","modified_gmt":"2018-12-07T03:03:09","slug":"how-to-secure-website-http-response-headers-htaccess-snippets","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2018\/11\/21\/how-to-secure-website-http-response-headers-htaccess-snippets\/","title":{"rendered":"How To Secure Website HTTP Response Headers .Htaccess (Snippets)"},"content":{"rendered":"<p>When building a new website, I always make sure it goes through a series of checklists before deploying.<\/p>\n<p>One of the things on my checklist is securing the HTTP response headers.<\/p>\n<p>By securing the HTTP security headers of your website, you\u2019ll prevent common attacks such as:<\/p>\n<ul>\n<li>Framing or clickjacking<\/li>\n<li>Cross-site scripting (XSS)<\/li>\n<li>Drive-by downloads<\/li>\n<li>SSL stripping<\/li>\n<\/ul>\n<p>Before we get started, go ahead and test the security of your website headers right now using: <a href=\"https:\/\/securityheaders.com\/\">securityheaders.com<\/a><\/p>\n<p>NOTE: The following HTTP Security Header snippets are placed in the .htaccess file. They depend on mod_headers, which is why each one is wrapped in an IfModule check. Each snippet uses Header always set rather than plain Header set, so that the header is also sent on error and redirect responses and not only on 2xx responses.<\/p>\n<h2><b>1. The X-Frame-Options Header<\/b><\/h2>\n<p>This snippet tells browsers not to render your site inside an iframe on another origin. Essentially, it\u2019ll prevent attackers from clickjacking, or showing your content on their site in the form of an iframe. SAMEORIGIN still lets your own pages frame each other; DENY forbids framing altogether.<\/p>\n<p>The disadvantage to this, however, is that third-party framing is blocked completely. You won\u2019t be able to view your site from <a href=\"http:\/\/www.stumbleupon.com\/\">stumbleupon<\/a> or use tools such as <a href=\"http:\/\/mobiletest.me\">mobiletest.me<\/a>.<\/p>\n<p>Use set, not append, for this header: if your application already sends X-Frame-Options, append produces a single header with two comma-separated values, and browsers ignore the header entirely in that case.<\/p>\n<p>&lt;IfModule mod_headers.c&gt;<br \/>\nHeader always set X-Frame-Options \"SAMEORIGIN\"<br \/>\n&lt;\/IfModule&gt;<\/p>\n<h2><b>2. The X-XSS-Protection Header<\/b><\/h2>\n<p>This snippet activates the reflected cross-site scripting (XSS) filter built into some browsers (e.g. older versions of Chrome and Internet Explorer), which helps protect your site from certain reflected XSS attacks. Chrome and Edge have since removed this filter and Firefox never implemented it, so the header does little in current browsers; a Content-Security-Policy header is the modern control for XSS.<\/p>\n<p>&lt;IfModule mod_headers.c&gt;<br \/>\nHeader always set X-XSS-Protection \"1; mode=block\"<br \/>\n&lt;\/IfModule&gt;<\/p>\n<h2><b>3. The X-Content-Type-Options Header<\/b><\/h2>\n<p>This snippet will reduce the risk of drive-by downloads on your site by stopping the browser from MIME-sniffing a response and treating it as some other type (for example, running an uploaded text file as a script), forcing it to honour the declared Content-Type instead.<\/p>\n<p>&lt;IfModule mod_headers.c&gt;<br \/>\nHeader always set X-Content-Type-Options \"nosniff\"<br \/>\n&lt;\/IfModule&gt;<\/p>\n<h2><b>4. The Strict Transport Security Header<\/b><\/h2>\n<p>This snippet enables HTTP Strict Transport Security, which tells the browser to access your website only through HTTPS for the given period and to refuse plain-HTTP connections; this is what defeats SSL stripping. The max-age is set to 31,536,000 seconds, which is 1 year. Browsers only honour this header when it arrives over HTTPS, and once a browser has cached the policy it will not fall back to HTTP for the whole max-age, so make sure the entire site works over HTTPS before deploying it.<\/p>\n<p>&lt;IfModule mod_headers.c&gt;<br \/>\nHeader always set Strict-Transport-Security \"max-age=31536000\"<br \/>\n&lt;\/IfModule&gt;<\/p>\n<p>After adding the snippets via .htaccess, run your site through securityheaders.com again to confirm that every header is now being sent.<\/p>\n<p><a href=\"https:\/\/kennyvn.com\/how-to-secure-http-response-headers-website\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When building a new website, I always make sure it goes through a series of checklists before deploying. One of the things on my checklist is securing the HTTP response headers. 
By securing the HTTP security headers of your website, you\u2019ll prevent common attacks such as: Framing or clickjacking Cross-site scripting (XSS) Drive-by downloads SSL &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/www.appservgrid.com\/paw92\/index.php\/2018\/11\/21\/how-to-secure-website-http-response-headers-htaccess-snippets\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;How To Secure Website HTTP Response Headers .Htaccess (Snippets)&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3942","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/3942","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=3942"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/3942\/revisions"}],"predecessor-version":[{"id":4687,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/3942\/revisions\/4687"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=3942"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=3942"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.app
servgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=3942"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
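The post closes by telling you to re-check the site on securityheaders.com. The following Python script is an added example, not code from the original post or from securityheaders.com: it parses a raw HTTP response (the text that `curl -sI https://example.com/` prints) and grades the same four headers the post configures, including the two mistakes the .htaccess snippets can introduce, a comma-joined X-Frame-Options value from `Header append` and a short HSTS max-age. The two sample responses are constructed for the example; the one-year threshold is the max-age the post recommends.

```python
"""Audit the four response headers from the post. Added example, not the
post's own code. Sample responses below are constructed, not captured."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

ONE_YEAR = 31_536_000  # seconds; the HSTS max-age the post recommends


@dataclass
class Report:
    findings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs in order, keeping duplicates.

    Duplicates matter: a second X-Frame-Options line, or one line with a
    comma-joined value (what `Header append` produces when the application
    already set the header), makes browsers ignore the header entirely.
    """
    pairs: list[tuple[str, str]] = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(raw: str) -> Report:
    """Return a Report with one finding per weak or missing header."""
    report = Report()
    headers = parse_headers(raw)

    def values(name: str) -> list[str]:
        return [v for n, v in headers if n == name]

    # 1. X-Frame-Options: exactly one header, value DENY or SAMEORIGIN.
    xfo = values("x-frame-options")
    if not xfo:
        report.findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif len(xfo) > 1 or "," in xfo[0]:
        report.findings.append("X-Frame-Options carries more than one value; browsers "
                               "ignore it. Use 'Header always set', not 'append'")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        report.findings.append(f"X-Frame-Options has unsupported value {xfo[0]!r}")

    # 2. X-XSS-Protection: accept the post's '1; mode=block' or '0' ('0' is
    #    the current OWASP advice, since browsers have dropped the filter).
    xxp = values("x-xss-protection")
    if xxp and re.sub(r"\s+", "", xxp[0].lower()) not in ("1;mode=block", "0"):
        report.findings.append(f"X-XSS-Protection has weak value {xxp[0]!r}")

    # 3. X-Content-Type-Options: the only defined value is 'nosniff'.
    xcto = values("x-content-type-options")
    if not xcto or xcto[0].lower() != "nosniff":
        report.findings.append("X-Content-Type-Options missing or not 'nosniff'")

    # 4. Strict-Transport-Security: parse max-age and require at least a year.
    hsts = values("strict-transport-security")
    if not hsts:
        report.findings.append("Strict-Transport-Security missing: HTTPS not enforced")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.I)
        if not m:
            report.findings.append(f"Strict-Transport-Security has no max-age: {hsts[0]!r}")
        elif int(m.group(1)) < ONE_YEAR:
            report.findings.append(
                f"Strict-Transport-Security max-age={m.group(1)} is below one year")
    return report


# Constructed sample: what the post's four snippets should produce.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
)

# Constructed sample: `Header append` on top of an application-set header,
# filter mode without block, no nosniff, and a five-minute HSTS lifetime.
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN, sameorigin\r\n"
    "X-XSS-Protection: 1\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        result = audit_headers(raw)
        print(f"{label}: {'pass' if result.ok else 'fail'}")
        for finding in result.findings:
            print("  -", finding)
```

To run it against a live site, pipe the output of `curl -sI https://your-site/` into `audit_headers`; check an error page (a 404) as well as the front page, since that is where headers set without `always` go missing.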