
Hardening your HTTP response headers with .htaccess


HTTP Response headers are typically used to transfer security policies to the browser. By passing security policies back to the client, hosts can ensure a much safer browsing experience for their visitors and also reduce the risk for everyone involved.

Additional Headers

The first step in hardening your HTTP response headers is looking at the additional headers you can utilise to make your site more secure. These headers give the browser more information about how you want it to behave with regards to your site.

Content Security Policy (CSP)

The CSP header allows you to define a whitelist of approved sources of content for your site. By restricting the assets that a browser may load for your site, such as JavaScript and CSS, CSP can act as an effective countermeasure to XSS attacks. Let’s take a look at the following headers:

  • Security Headers – X-Frame-Options
  • Security Headers – X-Content-Type-Options: nosniff
  • Security Headers – X-XSS-Protection

Security Headers – X-Frame-Options

The X-Frame-Options header (RFC 7034), or XFO header, protects your visitors against clickjacking attacks. An attacker can load an iframe on their own site and set your site as its source; it’s quite easy.

Using some crafty CSS they can hide your site in the background and create some genuine looking overlays.

When your visitors click on what they think is a harmless link, they are actually clicking on links on your website in the background. That might not seem so bad until we realise that the browser will execute those requests in the context of the user, which could include them being logged in and authenticated to your site!

Valid values are DENY, meaning your site can’t be framed at all; SAMEORIGIN, which allows only your own site to frame it; and ALLOW-FROM https://example.com/, which lets you specify a site that is permitted to frame yours. To improve the security of your site against clickjacking, it is recommended that you add the following header to your site:

X-Frame-Options: SAMEORIGIN

It is supported by all browsers and prevents an attacker from iframing the content of your site into others.

This article from Mozilla explains it in detail: On the X-Frame-Options Security Header

Enabling this header

You can enable it by modifying your Apache settings or your .htaccess file (mod_headers must be enabled) and adding the following line to it:

# Use "set" rather than "append": append would merge with a header the application
# already sends, producing "SAMEORIGIN, SAMEORIGIN", which is not a valid value.
Header always set X-Frame-Options "SAMEORIGIN"

Security Headers – X-Content-Type-Options: nosniff

Nice and easy to configure, this header has only one valid value, nosniff. It prevents Google Chrome and Internet Explorer from MIME-sniffing the content type of a response away from the one declared by the server. This reduces exposure to drive-by downloads and to the risk of user-uploaded content that, with clever naming, could be treated as a different content type, such as an executable.

In order to improve the security of your site (and your users) against some types of drive-by-downloads, it is recommended that you add the following header to your site:

X-Content-Type-Options: nosniff

It is supported by IE (Internet Explorer) and Chrome and prevents them from MIME-sniffing a response away from the declared content type.

This article from Microsoft explains it: Reducing MIME type security risks

Enabling this header

You can enable it by modifying your Apache settings or your .htaccess file and adding the following line to it:

Header set X-Content-Type-Options nosniff

Security Headers – X-XSS-Protection

This header configures the built-in reflected-XSS filter found in Internet Explorer, Chrome and Safari (WebKit). Valid settings are 0, which disables the protection; 1, which enables it; and 1; mode=block, which tells the browser to block the response entirely if it detects an attack rather than sanitising the script.

In order to improve the security of your site against some types of XSS (cross-site scripting) attacks, it is recommended that you add the following header to your site:

X-XSS-Protection: 1; mode=block

It is supported by IE (Internet Explorer) and Chrome. You can enable it by modifying your Apache settings or your .htaccess file and adding the following line to it:

Header set X-XSS-Protection "1; mode=block"

How to view HTTP headers in Google Chrome?

To view the request or response HTTP headers in Google Chrome, take the following steps:

  1. In Chrome, visit a URL, right-click, and select Inspect to open the developer tools.
  2. Select the Network tab.
  3. Reload the page and select any HTTP request in the left panel; its HTTP headers will be displayed in the right panel.
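Beyond looking in the developer tools, the same check can be scripted against the server's response. The script below is an added example, not part of the original post: it reads raw response headers on stdin (for a live site, pipe in `curl -sI https://example.com/`) and reports whether the three headers recommended above are present with the recommended values, flagging a duplicated value such as "SAMEORIGIN, SAMEORIGIN" as weak. The sample response at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: verify the three security headers recommended in this post.
# Header names and values are matched case-insensitively.

# Print the value of header $2 from the raw header block $1 (first match only).
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# Compare header $2 in block $1 against the recommended value $3.
# Prints one verdict line; returns 0 only on a (case-insensitive) exact match.
check_one() {
    got=$(header_value "$1" "$2")
    if [ -z "$got" ]; then
        printf 'MISSING  %s (recommended: %s)\n' "$2" "$3"
        return 1
    fi
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        # Catches e.g. "SAMEORIGIN, SAMEORIGIN", the result of "Header append"
        # when the application already sends the header itself.
        printf 'WEAK     %s: %s (recommended: %s)\n' "$2" "$got" "$3"
        return 1
    fi
    printf 'OK       %s: %s\n' "$2" "$got"
}

# Read raw response headers on stdin; return 0 when all three are correct.
check_headers() {
    block=$(cat)
    failures=0
    check_one "$block" X-Frame-Options SAMEORIGIN || failures=$((failures + 1))
    check_one "$block" X-Content-Type-Options nosniff || failures=$((failures + 1))
    check_one "$block" X-XSS-Protection "1; mode=block" || failures=$((failures + 1))
    [ "$failures" -eq 0 ]
}

# Constructed sample response (not a real capture) so the script runs offline.
SAMPLE='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block'

printf '%s\n' "$SAMPLE" | check_headers
```

The exit status is 0 only when all three headers pass, so the function can be dropped into a deployment check as-is.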

That’s all – as always you can comment below.
