Add HTTP Security Headers in Apache Web Server
HTTP security headers are a crucial element in securing a website. They add a layer of protection by telling the browser how to handle the content your site serves: which sources it may load scripts from, whether the page may be framed, whether it must be fetched over HTTPS, and so on. In this article, we will discuss how to add HTTP security headers to the Apache HTTP Server, one of the most widely used web servers.
Introduction to security headers
HTTP security headers are response headers a web server adds to tell the browser which protections to enforce for a page. They mitigate common web vulnerabilities such as cross-site scripting (XSS), clickjacking and MIME-type confusion, and they limit the damage an attacker can do when an injection flaw does slip through. They are defence in depth, not a substitute for fixing the underlying bug: a response header cannot, for example, stop cross-site request forgery (CSRF), which needs anti-CSRF tokens or SameSite cookies on the application side.
There are various HTTP security headers that can be added to a website. The commonly used ones are:
- Content-Security-Policy (CSP): the most effective defence against cross-site scripting. It gives the browser an allow-list of sources for each kind of content (scripts, stylesheets, images, frames, connections), so an injected script from anywhere else is refused. A strict policy such as default-src 'self' also blocks inline scripts and styles, so trial it with the Content-Security-Policy-Report-Only header before enforcing it.
- X-XSS-Protection: a legacy header that controlled the browser's built-in reflected-XSS filter. That filter has been removed from Chrome and Edge and never existed in Firefox, and it was itself usable as an information-leak side channel, so current guidance is to set it to 0 (or omit it) and rely on CSP instead.
- Strict-Transport-Security (HSTS): tells the browser to use HTTPS, never plain HTTP, for every request to the site for max-age seconds, which defeats SSL-stripping man-in-the-middle attacks. The browser only honours it when it arrives over a valid HTTPS connection. includeSubDomains extends it to all subdomains, and preload asks for inclusion in the browsers' built-in HSTS list, which is very hard to undo.
- X-Frame-Options: prevents clickjacking by telling the browser whether the page may be embedded in a frame at all (DENY) or only by pages from the same origin (SAMEORIGIN). The CSP frame-ancestors directive supersedes it; keep both for older browsers.
- X-Content-Type-Options: with the value nosniff, stops the browser from guessing (sniffing) a response's MIME type, so an uploaded file that happens to look like JavaScript or HTML is not executed as such; it also makes browsers refuse scripts and stylesheets served with the wrong Content-Type.
- Referrer-Policy: controls the Referer request header the browser sends when a user follows a link from your site or a page loads a resource. With strict-origin-when-cross-origin, same-origin requests carry the full URL, cross-origin requests carry only the origin (scheme, host and port), and nothing is sent when going from HTTPS to HTTP. This keeps paths and query strings, which often contain tokens or account details, from leaking to third parties.
Prerequisites
Before you begin adding HTTP security headers to your Apache server, there are a few prerequisites that need to be met.
- You must have a website hosted on an Apache web server.
- You must have access to the Apache server configuration files. This is usually done through the server's control panel or through a terminal if you have shell access.
Now that you understand the importance of HTTP security headers, let's start adding them to your Apache server.
Adding HTTP security headers in Apache server
There are two ways to add HTTP security headers to the Apache server: in the main Apache configuration file (or a virtual host file it includes) or in a per-directory .htaccess file. Both use the Header directive from mod_headers, so that module must be loaded: on Debian and Ubuntu run "sudo a2enmod headers"; on other distributions make sure the line "LoadModule headers_module modules/mod_headers.so" is present and not commented out in the configuration.
Method 1: Add HTTP security headers via Apache configuration file
Access the server control panel or open a terminal if you have shell access.
1. Open the Apache configuration file
The first step is to locate the Apache configuration file on your server. This file is often called httpd.conf and is located in the Apache installation directory. On a Red Hat based Linux server (RHEL, CentOS, Fedora) you can use the following command to open it in a text editor:
$ sudo nano /etc/httpd/conf/httpd.conf
On Debian and Ubuntu the main file is /etc/apache2/apache2.conf and each site has its own file under /etc/apache2/sites-available/. On a Windows server, you can use a text editor such as Notepad to open the file located at "C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf" (the version number in the directory name matches your installation; Apache 2.2 itself is end-of-life and should be upgraded to 2.4).
2. Add headers to the config file
Once the configuration file is open, add the headers. They belong inside the VirtualHost block of the HTTPS site rather than at the very end of the file: Strict-Transport-Security must only be sent over TLS (RFC 6797), and per-site placement keeps one site's policy from applying to every other site on the same server. The mod_headers syntax is Header always set followed by the header name and the quoted value, with no colon after the name; the "always" keyword makes Apache add the headers to error responses and redirects as well as normal pages:
# 0 disables the legacy browser XSS filter (removed from Chrome and Edge, never in Firefox); CSP replaces it
Header always set X-XSS-Protection "0"
# Block MIME sniffing; browsers also refuse scripts and styles served with the wrong Content-Type
Header always set X-Content-Type-Options "nosniff"
# Allow framing only by pages from the same origin (clickjacking defence)
Header always set X-Frame-Options "SAMEORIGIN"
# Same-origin sources only: inline scripts, inline styles and third-party resources are blocked. Trial with Content-Security-Policy-Report-Only first
Header always set Content-Security-Policy "default-src 'self'"
# Full URL as Referer only to same-origin pages; origin only cross-origin; nothing when going from HTTPS to HTTP
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# One year, all subdomains. HTTPS virtual host only; drop "preload" unless every subdomain is permanently on HTTPS, as the preload list is hard to leave
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
3. Save and close the configuration file
After adding headers to the configuration file, save the file and close it.
4. Restart the Apache server
Apache reads its configuration only at start-up, so the changes take effect after a restart or reload. Run "sudo apachectl configtest" first: a typo in the configuration would otherwise leave the server down after the restart. On a Linux server with the traditional init scripts, you can use the following command:
$ sudo service httpd restart
On systemd based distributions the equivalent is "sudo systemctl restart httpd" (RHEL, CentOS, Fedora) or "sudo systemctl restart apache2" (Debian, Ubuntu); a graceful reload ("sudo apachectl graceful") is enough for a configuration change and does not drop in-flight connections. On a Windows server, you can use the Apache Service Monitor tool to restart the server.
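The full procedure above as one script, added here as an example that is not part of the original article: it renders an Apache 2.4 virtual host pair with plain HTTP redirected to HTTPS and every header on the TLS host only, then installs the file with a syntax check before reloading. The server name example.com, the document root, the certificate paths, the RHEL-style /etc/httpd/conf.d/ location and the httpd service name are assumptions; Debian and Ubuntu use /etc/apache2/sites-available/, a2ensite and the apache2 service instead.

```shell
#!/bin/sh
# Added example, not from the original article. Renders a virtual host pair
# with the security headers where they belong and installs it safely.
# Assumptions: Apache 2.4 with mod_headers and mod_ssl loaded, RHEL-style
# paths (/etc/httpd/conf.d, /etc/pki/tls) and a systemd unit named httpd.

render_security_headers_vhost() {
    server="$1"    # e.g. example.com (assumed)
    docroot="$2"   # e.g. /var/www/example (assumed)
    cat <<EOF
# Plain HTTP: no security headers here, just send every request to HTTPS.
<VirtualHost *:80>
    ServerName ${server}
    Redirect permanent "/" "https://${server}/"
</VirtualHost>

<VirtualHost *:443>
    ServerName ${server}
    DocumentRoot ${docroot}
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/${server}.crt
    SSLCertificateKeyFile /etc/pki/tls/private/${server}.key

    <IfModule mod_headers.c>
        # "always" also covers error responses and redirects.
        Header always set X-Content-Type-Options "nosniff"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set Referrer-Policy "strict-origin-when-cross-origin"
        # 0 turns off the legacy XSS filter; CSP is the real defence.
        Header always set X-XSS-Protection "0"
        # Roll CSP out in report-only mode first: violations show up in the
        # browser console without breaking the site. Once clean, rename the
        # header to Content-Security-Policy to enforce it.
        Header always set Content-Security-Policy-Report-Only "default-src 'self'"
        # HSTS only on the TLS host. Add "; preload" only once every subdomain
        # is permanently on HTTPS; the preload list is hard to leave.
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    </IfModule>
</VirtualHost>
EOF
}

# Writes the rendered host to conf.d and refuses to reload on a syntax error,
# which would otherwise take every site on the server down. Needs root.
install_security_headers_vhost() {
    conf="/etc/httpd/conf.d/$1.conf"
    render_security_headers_vhost "$1" "$2" > "$conf" || return 1
    if apachectl configtest; then
        systemctl reload httpd
    else
        echo "configtest failed; $conf was written but not activated" >&2
        return 1
    fi
}

# Usage (as root):      install_security_headers_vhost example.com /var/www/example
# Just view the result: render_security_headers_vhost example.com /var/www/example
```

CSP starts in report-only mode on purpose: default-src 'self' blocks inline scripts, inline styles and anything loaded from a CDN, and finding those out from the browser console is far cheaper than finding out from users. HSTS is rendered without preload for the same reason; add it deliberately, not by default.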
Method 2: Add HTTP security headers via an .htaccess file
1. Create a .htaccess file in the root directory of your website (or in any subdirectory whose responses you want to cover). If the file already exists, you can skip this step. The server must be configured to honour it: the Directory block for your document root needs AllowOverride with at least FileInfo, otherwise the Header directive is either silently ignored (AllowOverride None) or rejected with a 500 Internal Server Error.
2. Open the .htaccess file in a text editor.
3. Add the following lines to the file, replacing header-value with the desired value for each header (the values from Method 1 work here; X-Content-Type-Options and Referrer-Policy are added the same way). Because a .htaccess file applies whether the request arrived over HTTP or HTTPS, keep the Strict-Transport-Security line in the HTTPS virtual host instead if the same document root is also served on port 80:
# "always" adds the headers to error responses and redirects as well as normal pages
Header always set Content-Security-Policy "header-value"
Header always set X-XSS-Protection "header-value"
Header always set Strict-Transport-Security "header-value"
Header always set X-Frame-Options "header-value"
4. Save the file and close the text editor.
5. No restart is needed: Apache reads .htaccess files on every request, so the headers appear immediately. If they do not, check the AllowOverride setting described in step 1 and look at the Apache error log.
Testing HTTP security headers
To verify that the headers are being sent, use a scanner such as Security Headers (securityheaders.com) or the Mozilla Observatory: enter your website URL and the tool analyses the response headers and gives a score based on the measures in place. You can also check from a terminal with "curl -sI https://example.com/", which prints only the response headers. Request a page that does not exist as well as the home page: if the headers are present on the 200 response but missing from the 404, the directive lacks the "always" keyword. Check that each header appears exactly once; browsers treat two Content-Security-Policy headers as two policies that must both be satisfied, which is rarely what was intended.
Conclusion
In this article, we learned how to add HTTP security headers in Apache server. These headers provide an extra layer of security for your website and help mitigate various security risks. It's important to update and test these headers regularly to ensure your website is secure.