Security is as essential as the content and SEO of your website, and thousands of websites get hacked because of misconfiguration or a lack of protection. If you are a website owner or security engineer looking to protect your website from attacks such as clickjacking, code injection, MIME-type sniffing and XSS, this guide will help you.
In this article, I will cover the HTTP headers to implement on various web servers, network-edge and CDN providers for better website protection.
Notes:
You are advised to take a backup of the configuration file prior to making changes.
Some of the headers may not be supported by all browsers, so check browser compatibility before implementing them.
mod_headers must be enabled in Apache to implement these headers. Ensure the following line is uncommented in the httpd.conf file:
LoadModule headers_module modules/mod_headers.so
After implementation, you can use a secure-headers online tool to verify the results.
Using WordPress? You may want to try the HTTP Headers plugin, which takes care of these headers and a lot more.
X-XSS-Protection
The X-XSS-Protection header can prevent some XSS (cross-site scripting) attacks; it is supported by IE 8+, Chrome, Opera, Safari and Android browsers.
Google, Facebook and GitHub use this header, and most penetration-testing consultancies will ask you to implement it.
There are four possible ways you can configure this header.
Parameter Value | Meaning
0               | XSS filter disabled
1               | XSS filter enabled; the page is sanitized if an attack is detected
1;mode=block    | XSS filter enabled; rendering of the page is prevented if an attack is detected
Apache HTTP Server
Add the following entry in the httpd.conf of your Apache web server:
Restart Apache to verify.
Nginx
Add the following in nginx.conf under the http block:
An Nginx restart is needed for this to be reflected in your web page's response headers.
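To verify the header after deployment without depending on an external checker, here is an added example (not code from the original article) that parses X-XSS-Protection values according to the table above and gives a verdict for a response header map; the check_url helper and the sample responses are my own assumptions and constructed data, not captured from any real site.

```python
import urllib.request
from typing import Dict, Optional


def parse_xss_protection(value: str) -> Dict[str, Optional[object]]:
    """Split an X-XSS-Protection value into its flag and directives.

    Expected shape: "<0|1>[; name=value]*", e.g. "1; mode=block".
    Raises ValueError when the leading flag is not 0 or 1.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        raise ValueError(f"unexpected X-XSS-Protection flag: {value!r}")
    result: Dict[str, Optional[object]] = {"enabled": parts[0] == "1", "mode": None}
    for directive in parts[1:]:
        name, _, val = directive.partition("=")
        if name.strip().lower() == "mode":
            result["mode"] = val.strip().lower()
        # Other directives are ignored by this checker.
    return result


def assess_headers(headers: Dict[str, str]) -> str:
    """Return a verdict for a response header map (header names are case-insensitive)."""
    lookup = {k.lower(): v for k, v in headers.items()}
    value = lookup.get("x-xss-protection")
    if value is None:
        return "missing"
    parsed = parse_xss_protection(value)
    if not parsed["enabled"]:
        return "disabled"
    if parsed["mode"] == "block":
        return "enabled-block"      # the value the table recommends
    return "enabled-sanitize"


def check_url(url: str) -> str:
    """Fetch url and assess its X-XSS-Protection header (needs network access)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return assess_headers(dict(resp.headers.items()))


# Constructed sample responses for offline use, not captured from any real server.
SAMPLE_RESPONSES = {
    "apache-hardened": {"Server": "Apache", "X-XSS-Protection": "1; mode=block"},
    "nginx-default": {"Server": "nginx"},
    "filter-off": {"x-xss-protection": "0"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name}: {assess_headers(hdrs)}")
```

Current Chromium-based browsers have removed their built-in XSS auditor, so a "missing" verdict is not by itself a finding against a modern deployment; treat this header as legacy hardening alongside a Content-Security-Policy.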
GeekFlare