How to: Set security headers on your website

Get to know how you can setup the HTTP response security headers for maximum security on your website or blog.

When a user visits your website, the web server sends HTTP response security headers along with the page. These headers tell the browser how to handle the interaction with your website, alongside the usual response metadata such as cache control, status codes, content encoding, and so on. By using HTTP response security headers, you can improve the security of your website and prevent attacks.

To get an A+ we will need at least the following headers.

  • X-Content-Type-Options
  • X-Frame-Options
  • X-XSS-Protection
  • Strict-Transport-Security
  • Referrer-Policy
  • Permissions-Policy (before known as Feature-Policy)

I know you're thinking, “what are all these headers about?” Let me explain.

  • X-Content-Type-Options
    • Prevents Internet Explorer and Google Chrome from sniffing a response away from the declared Content-Type. This reduces the danger of drive-by downloads and makes the browser treat the content the way the server declared it.
  • X-Frame-Options
    • Provides clickjacking protection by controlling whether your pages may be embedded in an iframe; with SAMEORIGIN, only pages from your own site may frame them.
  • X-XSS-Protection
    • Was designed to enable the cross-site scripting (XSS) filter built into older web browsers. Modern browsers no longer implement that filter, so the header only matters for legacy clients.
  • Strict-Transport-Security
    • A security enhancement that forces web browsers to access the web server only over HTTPS. This ensures the connection cannot be established over an insecure HTTP connection, which could be susceptible to attacks.
  • Referrer-Policy
    • Controls how much referrer information (sent via the Referer header) should be included with requests.
  • Permissions-Policy
    • Grants the ability to allow or deny browser features, whether in the page's own frame or in content within an inline frame element.

Now that you know something about the security headers, let's get to the implementation for an Apache-based web server.

  • If you already have a .htaccess file in the root of your website, edit that one.
  • If you don't have a .htaccess file, open a text editor such as Notepad++ or plain Notepad and save an empty file named exactly .htaccess (nothing before the dot and no other extension).
  • Paste the following headers in a suitable position.
# BEGIN HttpHeaders
<IfModule mod_headers.c>
# Stop browsers from sniffing a response away from the declared Content-Type
Header set X-Content-Type-Options "nosniff"
# Allow framing only by pages from your own site (clickjacking protection)
Header set X-Frame-Options "SAMEORIGIN"
# Legacy browser XSS filter; ignored by browsers that have dropped it
Header set X-XSS-Protection "1; mode=block"
# One-year HSTS, only sent on HTTPS responses (env=HTTPS)
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
# Upgrade http:// subresources to https:// before the browser fetches them
Header set Content-Security-Policy "upgrade-insecure-requests"
Header set Referrer-Policy "strict-origin"
# Deny geolocation to every origin: an empty allowlist () is the syntax for "no one"
Header set Permissions-Policy "geolocation=()"
</IfModule>
# END HttpHeaders
  • Save or upload the .htaccess file to the root of your website.
    • If you are running WordPress this file already exists; copy the HttpHeaders block into the existing file below ‘# END WordPress’.
  • Check your headers again; the result should be “A+”!

I have set recommended default values for each header to improve the security of your website.
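As an added example (not part of the original post), here is a small Python checker that verifies a response carries the headers configured in the .htaccess above, with the values it sets; the two sample header maps are constructed, and check_url is a convenience for running the same checks against a live site.

```python
import urllib.request
# Headers the .htaccess above sets: a tuple lists acceptable values, None accepts any explicit value.
EXPECTED = {
    "X-Content-Type-Options": ("nosniff",),
    "X-Frame-Options": ("SAMEORIGIN", "DENY"),
    "X-XSS-Protection": ("1; mode=block", "0"),
    "Content-Security-Policy": None,
    "Referrer-Policy": None,
    "Permissions-Policy": None,
}
MIN_HSTS_AGE = 31536000  # one year, the max-age used in the .htaccess above

def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS value, or -1 if missing or invalid."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and arg.strip('" ').isdigit():
            return int(arg.strip('" '))
    return -1

def check_headers(headers: dict) -> list:
    """Return findings for a response header map; an empty list means all checks pass."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, allowed in EXPECTED.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
        elif allowed is not None and value.upper() not in [a.upper() for a in allowed]:
            findings.append(f"weak {name}: {value!r}")
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif hsts_max_age(hsts) < MIN_HSTS_AGE:
        findings.append(f"short Strict-Transport-Security max-age: {hsts!r}")
    return findings

def check_url(url: str) -> list:
    """Send a HEAD request to url and run check_headers on the live response headers."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return check_headers(dict(resp.headers.items()))

# Constructed samples: a server using the .htaccess above, and a weakly configured one.
SAMPLE_GOOD = {
    "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Referrer-Policy": "strict-origin",
    "Content-Security-Policy": "upgrade-insecure-requests", "Permissions-Policy": "geolocation=()",
}
SAMPLE_WEAK = {"x-frame-options": "ALLOWALL", "strict-transport-security": "max-age=300"}
```

Run check_url("https://your-site.example") after deploying the .htaccess; an empty list means every header from the list above is present with an acceptable value.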
