HTTP Headers Security Policy – Example Code

I recently came to know about HTTP header security, which is essential for websites today. No matter how small your site is, you must make sure that your website is secure. And I think secure websites carry weight in the eyes of the search engines as well.

Check Your Website Security Score

Head to https://securityheaders.com/, enter your website URL and click scan. If your website already scores an ‘A’, you don’t need to change anything.

If your website scores below grade ‘A’, you need to figure out where to add this code, depending on which CMS or web server you are using.

HTTP Headers Security code for Apache only

I am running WordPress on an Apache server and I had to do a lot of research to find all the .htaccess code. Then I logged into my website cPanel, pasted the following lines of code into the .htaccess file and saved it.

These are the header security policies that the following code will take care of on Apache server as of today – 11/16/2019.

  • Strict-Transport-Security
  • Content-Security-Policy
  • Feature-Policy
  • X-Frame-Options
  • Referrer-Policy
  • X-Content-Type-Options

HTTP Headers Security Code Example

# HTTP header security settings start
# Requires mod_headers. Values are quoted and there is no colon after the header name; "always" applies the headers to error responses too, not only to 2xx responses.
<IfModule mod_headers.c>
  # HSTS for 30 days. Note: the browser preload list requires a max-age of at least 31536000 (one year) plus includeSubDomains.
  Header always set Strict-Transport-Security "max-age=2592000; preload"
  # Expect-CT directives are comma-separated and report-uri must be a full URL (placeholder below); the header is deprecated in current browsers.
  Header always set Expect-CT "max-age=2592000, enforce, report-uri=\"https://example.com/ct-report\""
  # CSP source lists use quoted keywords ('self', 'none'), not yes/no; the original "yes" values are read as 'self' here. WordPress themes and plugins rely on inline scripts and styles, so trial the policy as Content-Security-Policy-Report-Only first.
  Header always set Content-Security-Policy "default-src 'self'; child-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'self'; media-src 'self'; object-src 'self'; script-src 'self'; style-src 'self'; worker-src 'self'"
  # Feature-Policy uses the same quoted keywords: 'none' disables a feature, 'self' allows it for same-origin documents only.
  Header always set Feature-Policy "autoplay 'none'; camera 'none'; encrypted-media 'self'; fullscreen 'self'; geolocation 'self'; microphone 'none'; payment 'none'"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set Referrer-Policy "strict-origin"
  Header always set X-XSS-Protection "1; mode=block"
  Header always set X-Content-Type-Options "nosniff"
</IfModule>
# HTTP header security settings end

This is completely customizable and may change in future as well.
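As an added example that is not part of the original post, the following Python script audits a set of response headers for the policies listed above, flagging the mistakes most easily made in an .htaccess block: unquoted CSP/Feature-Policy keywords (a bare "yes" or "none") and a preload directive whose max-age is too short. The fetch_headers() helper and the two sample header dicts are assumptions constructed for this example.

```python
import re
import urllib.request

# Headers the .htaccess block above is expected to set (names compared case-insensitively).
REQUIRED = ("strict-transport-security", "content-security-policy", "feature-policy",
            "x-frame-options", "referrer-policy", "x-content-type-options")
KEYWORDS = {"self", "none", "src", "unsafe-inline", "unsafe-eval", "strict-dynamic"}

def source_list_problems(header, value):
    """CSP and Feature-Policy values: keywords must be single-quoted; bare words like yes/none are invalid."""
    problems = []
    for directive in value.split(";"):
        parts = directive.split()
        for token in parts[1:]:
            quoted = token.startswith("'") and token.endswith("'")
            if quoted or token == "*" or ":" in token or "." in token:
                continue  # quoted keyword, wildcard, scheme or host source: acceptable
            hint = f"'{token}'" if token in KEYWORDS else "'self' or 'none'"
            problems.append(f"{header}: {parts[0]} has invalid source {token!r} (did you mean {hint}?)")
    return problems

def hsts_problems(value):
    """HSTS needs max-age; preload additionally needs one year and includeSubDomains."""
    m = re.search(r"max-age=(\d+)", value)
    if not m:
        return ["strict-transport-security: max-age is required"]
    if "preload" in value and (int(m.group(1)) < 31536000 or "includesubdomains" not in value.lower()):
        return ["strict-transport-security: preload needs max-age>=31536000 and includeSubDomains"]
    return []

def audit(headers):
    """Return (missing_headers, problems) for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    missing = [name for name in REQUIRED if name not in h]
    problems = []
    if "strict-transport-security" in h:
        problems += hsts_problems(h["strict-transport-security"])
    for name in ("content-security-policy", "feature-policy"):
        if name in h:
            problems += source_list_problems(name, h[name])
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        problems.append("x-content-type-options: must be nosniff")
    if h.get("x-frame-options", "DENY").upper() not in ("DENY", "SAMEORIGIN"):
        problems.append("x-frame-options: must be DENY or SAMEORIGIN")
    return missing, problems

def fetch_headers(url):
    """Live variant (needs network): return the response headers of a GET request to url."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers)

# Constructed samples: the post's original unquoted values versus corrected ones.
BROKEN = {"Strict-Transport-Security": "max-age=2592000; preload",
          "Content-Security-Policy": "default-src yes; frame-src none",
          "X-Frame-Options": "SAMEORIGIN", "Referrer-Policy": "strict-origin"}
FIXED = dict(BROKEN, **{"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
                        "Content-Security-Policy": "default-src 'self'; frame-src 'none'",
                        "Feature-Policy": "camera 'none'; geolocation 'self'",
                        "X-Content-Type-Options": "nosniff"})
```

Run audit(fetch_headers("https://your-site.example")) against a live site, or audit(BROKEN) to see the three findings the original block would have produced.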
