Technology Forum

SEO, Speed Up website, Server Optimization, Linux, Open Source Softwares

Security HTTP Headers

Posted on July 15, 2018 (updated May 6, 2022) by admin
Web Server

List of security HTTP headers. Each entry shows the raw header, then the same header set from PHP, Apache (.htaccess, mod_headers), nginx and Express.js. Two points apply to every snippet: Apache's Header set and nginx's add_header attach the header to successful responses only unless the always keyword is added, so error pages go out unprotected by default (and an nginx add_header inside a location block replaces, rather than extends, the add_header lines of the enclosing server block); and PHP's header() must be called before any output is sent.

X-Frame-Options:

Tells the browser whether the page may be rendered inside a frame, iframe, embed or object, which is the basic clickjacking defence. sameorigin (the value is case-insensitive) permits framing only by pages from the same origin; deny forbids it outright. The CSP frame-ancestors directive supersedes this header and is more flexible; sending both keeps older browsers covered.

// Raw header
X-Frame-Options: sameorigin

// How to send the response header with PHP
header("X-Frame-Options: sameorigin");

// How to send the response header with Apache (.htaccess)
    Header set X-Frame-Options "sameorigin"

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("X-Frame-Options", "sameorigin");
    next();
});

X-XSS-Protection

Controls the reflected-XSS filter built into older browsers (Internet Explorer, pre-Chromium Edge, Safari, Chrome before version 78). Legacy only: Chrome has removed its XSS Auditor, Firefox never implemented the header, and the filter itself has been abused for side-channel leaks, so current guidance is to rely on Content-Security-Policy and send X-XSS-Protection: 0 (or omit the header). The value 1; mode=block shown below enables the filter and stops rendering, rather than sanitising the page, when it triggers.

// Raw header
X-XSS-Protection: 1; mode=block

// How to send the response header with PHP
header("X-XSS-Protection: 1; mode=block");

// How to send the response header with Apache (.htaccess)
    Header set X-XSS-Protection "1; mode=block"

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("X-XSS-Protection", "1; mode=block");
    next();
});

X-Content-Type-Options

nosniff makes the browser trust the declared Content-Type instead of guessing the type from the content, so an uploaded file served as text/plain cannot be executed as a script or applied as a style sheet, and scripts or style sheets served with a wrong MIME type are refused outright.

// Raw header
X-Content-Type-Options: nosniff

// How to send the response header with PHP
header("X-Content-Type-Options: nosniff");

// How to send the response header with Apache (.htaccess)
    Header set X-Content-Type-Options "nosniff"

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("X-Content-Type-Options", "nosniff");
    next();
});

Strict-Transport-Security

Instructs the browser to reach the host only over HTTPS for max-age seconds (one year below), rewriting http:// links and refusing to click through certificate errors. The header is honoured only when received over a valid HTTPS connection, so send it from the TLS virtual host only. includeSubDomains extends the rule to every subdomain; verify that all of them serve valid certificates first, because a mistake locks users out until max-age expires. Submission to the browser preload lists additionally requires includeSubDomains, a preload token and a max-age of at least one year.

// Raw header
Strict-Transport-Security: max-age=31536000
// or
Strict-Transport-Security: max-age=31536000; includeSubDomains

// How to send the response header with PHP
header("Strict-Transport-Security: max-age=31536000");

// How to send the response header with Apache (.htaccess)
    Header set Strict-Transport-Security "max-age=31536000"

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("Strict-Transport-Security", "max-age=31536000");
    next();
});

Content-Security-Policy

Allows only the sources listed per directive. default-src 'none' means anything without its own directive (fonts, media, frames, workers) is blocked, and so are inline script and style blocks and event-handler attributes. Roll the policy out as Content-Security-Policy-Report-Only with a report endpoint before enforcing it, and add frame-ancestors if it is meant to replace X-Frame-Options. The trailing semicolon is harmless.

// Raw header
Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';

// How to send the response header with PHP
header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';");

// How to send the response header with Apache (.htaccess)
    Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("Content-Security-Policy", "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';");
    next();
});

Public-Key-Pins (HPKP)

Deprecated. HPKP told the browser to accept, for max-age seconds, only certificates chaining to one of the pinned public keys (base64 SHA-256 of the SPKI), with a mandatory backup pin. Chrome dropped support in version 72 and Firefox has removed it as well, and a lost key or a wrong pin locks every returning visitor out until max-age expires. Shown for completeness only; for today's browsers, Certificate Transparency monitoring and a CAA DNS record are the replacements. The pin values below are placeholders to be computed from your own certificates; a valid pin is exactly 44 characters of base64 (43 plus one padding character).

// Raw
Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains; report-uri="https://technology.freenetsolutions.com/"

// PHP
header('Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains; report-uri="https://technology.freenetsolutions.com/"');

// Apache
    Header set Public-Key-Pins "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"; pin-sha256=\"FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\"; max-age=604800; report-uri=\"https://technology.freenetsolutions.com/\""

// nginx
add_header Public-Key-Pins "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"; pin-sha256=\"FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\"; max-age=604800";

// Express.js
app.use(function(req, res, next) {
    res.header("Public-Key-Pins", 'pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains');
    next();
});
 

Referrer-Policy

origin-when-cross-origin sends the full URL with same-origin requests and only the origin to other sites, including on an HTTPS-to-HTTP downgrade. strict-origin-when-cross-origin, the current browser default, behaves the same but sends nothing on a downgrade and is the safer choice; no-referrer is the strictest option.

// Raw header
Referrer-Policy: origin-when-cross-origin

// PHP
header("Referrer-Policy: origin-when-cross-origin");

// Apache
    Header set Referrer-Policy "origin-when-cross-origin"

// nginx
add_header Referrer-Policy "origin-when-cross-origin";

// Express.js
app.use(function(req, res, next) {
    res.header("Referrer-Policy", "origin-when-cross-origin");
    next();
});

Expect-CT

Asks the browser to require Certificate Transparency (signed certificate timestamps) for the site's certificates, either enforcing (enforce) or only reporting to report-uri; the directives are comma-separated, unlike the other headers here. Deprecated: Chrome enforces CT for every certificate issued after 30 April 2018 regardless of this header and has since dropped support for it, so it adds little beyond a reporting channel. A report endpoint should itself be served over HTTPS.

// Raw header
Expect-CT: max-age=7776000, enforce, report-uri="https://domain.com/ct-report"

// PHP
header("Expect-CT: max-age=7776000, enforce");

// Apache
    Header set Expect-CT "max-age=7776000, enforce"

// nginx
add_header Expect-CT "max-age=7776000, enforce";

// Express.js
app.use(function(req, res, next) {
    res.header("Expect-CT", "max-age=7776000, enforce");
    next();
});

 

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

Tags: Access-Control-Allow-Origin Content-Security-Policy Expect-CT HTTP Headers Public-Key-Pins Referrer-Policy Strict-Transport-Security X-Content-Type-Options X-Frame-Options X-XSS-Protection

Copyright © 2025 Technology Forum.