Security HTTP Headers

Posted on July 15, 2018, updated May 6, 2022, by admin. Category: Web Server

List of Security HTTP Headers. Each entry shows the raw response header first, then the same header sent from PHP, from Apache (.htaccess, which only works when mod_headers is loaded and AllowOverride permits it) and from Express.js; the later entries add nginx. In every case the header has to be emitted before any response body is written, which is why the PHP header() call must come before any output and the Express middleware is registered before the routes.

X-Frame-Options

Tells the browser whether the page may be rendered inside a frame or iframe, which is the basic defence against clickjacking. The accepted values are DENY and SAMEORIGIN (case-insensitive); the older ALLOW-FROM is not supported by current browsers. The Content-Security-Policy directive frame-ancestors supersedes this header and, when both are present, browsers that support frame-ancestors ignore X-Frame-Options, so send both on sites that still serve old browsers.

// Raw header
X-Frame-Options: sameorigin

// How to send the response header with PHP
header("X-Frame-Options: sameorigin");

// How to send the response header with Apache (.htaccess)
    Header set X-Frame-Options "sameorigin"

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("X-Frame-Options", "sameorigin");
    next();
});

X-XSS-Protection

This header controlled the reflected-XSS filter built into older browsers. Chromium-based browsers have removed that filter, Firefox never shipped one, and the filter itself had side-channel problems, so it no longer provides protection on current browsers; Content-Security-Policy is the replacement. If the header is sent at all on a modern site, X-XSS-Protection: 0 turns the filter off where it still exists. The examples below keep the legacy value from the original post.

// Raw header
X-XSS-Protection: 1; mode=block

// How to send the response header with PHP
header("X-XSS-Protection: 1; mode=block");

// How to send the response header with Apache (.htaccess)
    Header set X-XSS-Protection "1; mode=block"

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("X-XSS-Protection", "1; mode=block");
    next();
});

X-Content-Type-Options

Stops the browser from MIME-sniffing a response away from its declared Content-Type, so an uploaded file or a text/plain response is not interpreted as HTML or script, and a script or stylesheet served with the wrong type is refused instead of executed. nosniff is the only defined value, and the header only helps if the Content-Type you send is correct in the first place.

// Raw header
X-Content-Type-Options: nosniff

// How to send the response header with PHP
header("X-Content-Type-Options: nosniff");

// How to send the response header with Apache (.htaccess)
    Header set X-Content-Type-Options "nosniff"

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("X-Content-Type-Options", "nosniff");
    next();
});

Strict-Transport-Security

Instructs the browser to reach this host only over HTTPS for max-age seconds (31536000 is one year): http:// links are rewritten to https:// before the request leaves the browser, and certificate errors can no longer be clicked through. Browsers only honour the header on an HTTPS response, so sending it over plain HTTP does nothing. includeSubDomains extends the rule to every subdomain, which breaks any subdomain still served over plain HTTP, so deploy with a short max-age first and raise it once nothing breaks; a one-year max-age with includeSubDomains and the preload token is the prerequisite for the browser preload list.

// Raw header
Strict-Transport-Security: max-age=31536000
// or
Strict-Transport-Security: max-age=31536000; includeSubDomains

// How to send the response header with PHP
header("Strict-Transport-Security: max-age=31536000");

// How to send the response header with Apache (.htaccess)
    Header set Strict-Transport-Security "max-age=31536000"

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("Strict-Transport-Security", "max-age=31536000");
    next();
});

Content-Security-Policy

Lists, per resource type, the origins that content may be loaded from. The policy below starts from default-src 'none', so everything not listed explicitly (fonts, frames, media, plugins, workers) is blocked. Three directives do not inherit from default-src and have to be set on their own: frame-ancestors (framing), base-uri and form-action. Inline scripts and styles are blocked unless 'unsafe-inline', a nonce or a hash is given, which is what makes this header the working replacement for X-XSS-Protection. Roll a new policy out as Content-Security-Policy-Report-Only with a report-uri or report-to first, and only switch to the enforcing header once the reports are clean.

// Raw header
Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';

// How to send the response header with PHP
header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';");

// How to send the response header with Apache (.htaccess)
    Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("Content-Security-Policy", "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';");
    next();
});
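As an added example, not code from the original post: a small Content-Security-Policy parser that resolves which source list actually governs a given resource type (including the fall-back to default-src) and flags the gaps a reviewer would raise. PAGE_POLICY is the policy from the post; WEAK_POLICY, and the function names parseCsp, effectiveSources and cspFindings, are constructed here for the example.

```javascript
// Added example (not from the original post): parse a CSP value, resolve the
// governing directive for a resource type, and report the usual gaps.

// The policy from the post, plus a constructed weaker policy for contrast.
const PAGE_POLICY =
  "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';";
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src *";

// Split "name src src; name src" into { name: [sources] }. Directive names are
// case-insensitive; when a directive is repeated, browsers keep the first one
// and ignore the rest, so this parser does the same.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment, e.g. after a trailing ';'
    const name = tokens[0].toLowerCase();
    if (Object.prototype.hasOwnProperty.call(directives, name)) continue;
    directives[name] = tokens.slice(1);
  }
  return directives;
}

// Fetch directives and the chain they fall back through when absent.
// frame-ancestors, base-uri, form-action and sandbox have no fallback at all:
// default-src 'none' says nothing about them.
const FALLBACK = {
  'script-src': ['default-src'],
  'style-src': ['default-src'],
  'img-src': ['default-src'],
  'font-src': ['default-src'],
  'connect-src': ['default-src'],
  'media-src': ['default-src'],
  'object-src': ['default-src'],
  'manifest-src': ['default-src'],
  'child-src': ['default-src'],
  'frame-src': ['child-src', 'default-src'],
  'worker-src': ['child-src', 'script-src', 'default-src'],
  'script-src-elem': ['script-src', 'default-src'],
  'style-src-elem': ['style-src', 'default-src'],
};

// Return the directive whose source list governs `name`, or nulls when nothing
// in the policy restricts that resource type.
function effectiveSources(directives, name) {
  for (const candidate of [name, ...(FALLBACK[name] || [])]) {
    if (Object.prototype.hasOwnProperty.call(directives, candidate)) {
      return { directive: candidate, sources: directives[candidate] };
    }
  }
  return { directive: null, sources: null };
}

// Findings a reviewer would raise against a policy, in a fixed order.
function cspFindings(policy) {
  const d = parseCsp(policy);
  const out = [];
  for (const name of ['script-src', 'style-src']) {
    const { directive, sources } = effectiveSources(d, name);
    if (sources === null) out.push(`${name} is unrestricted`);
    else if (sources.includes("'unsafe-inline'")) out.push(`${name} allows 'unsafe-inline' (via ${directive})`);
  }
  if (effectiveSources(d, 'object-src').sources === null) out.push('object-src is unrestricted (plugins)');
  for (const name of ['frame-ancestors', 'base-uri', 'form-action']) {
    if (!Object.prototype.hasOwnProperty.call(d, name)) {
      out.push(`${name} is not set and does not inherit from default-src`);
    }
  }
  return out;
}

// Against the post's policy the only findings are the three non-inheriting
// directives; against WEAK_POLICY the inline-script allowance is added.
console.log(cspFindings(PAGE_POLICY));
console.log(cspFindings(WEAK_POLICY));
```

Run with node. The point to take from effectiveSources is that font-src, frame-src and friends all resolve to default-src 'none' under the post's policy, while frame-ancestors resolves to nothing at all, which is why the X-Frame-Options header earlier on this page is still needed alongside it.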

Public-Key-Pins (HPKP)

Pins the site to one or more certificate public keys for max-age seconds; a TLS chain that contains none of the pinned keys is refused. The header is deprecated: Chrome and Firefox have removed support, and a wrong pin or a lost key locks users out for the full max-age with no way to recover, so it should not be deployed on new sites; Certificate Transparency took its place. The syntax requires at least one backup pin, which is why two pin-sha256 values appear below. Note that the Apache and nginx examples omit includeSubDomains, so they pin only the exact host.

// Raw
Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains; report-uri="https://technology.freenetsolutions.com/"

// PHP
header('Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains; report-uri="https://technology.freenetsolutions.com/"');

// Apache
    Header set Public-Key-Pins "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"; pin-sha256=\"FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\"; max-age=604800; report-uri=\"https://technology.freenetsolutions.com/\""

// nginx
add_header Public-Key-Pins "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"; pin-sha256=\"FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\"; max-age=604800";

// Express.js
app.use(function(req, res, next) {
    res.header("Public-Key-Pins", 'pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains');
    next();
});
 

Referrer-Policy

Controls how much of the current URL the browser puts in the Referer header of outgoing requests. origin-when-cross-origin sends the full URL for same-origin requests and only scheme, host and port for cross-origin ones, which keeps paths and query strings (document IDs, reset tokens) from leaking to third-party sites. strict-origin-when-cross-origin, the current browser default, does the same but sends nothing at all on an HTTPS-to-HTTP downgrade, and is the better choice for a new site.

// Raw header
Referrer-Policy: origin-when-cross-origin

// PHP
header("Referrer-Policy: origin-when-cross-origin");

// Apache
    Header set Referrer-Policy "origin-when-cross-origin"

// nginx
add_header Referrer-Policy "origin-when-cross-origin";

// Express.js
app.use(function(req, res, next) {
    res.header("Referrer-Policy", "origin-when-cross-origin");
    next();
});

Expect-CT

Asks the browser to require Certificate Transparency signed timestamps for the site's certificate chain; enforce turns a missing timestamp into a hard failure and report-uri receives JSON reports. Like HPKP this header is deprecated: Chrome has required CT for every publicly trusted certificate issued since May 2018 regardless of the header, and has since dropped support for it, so it is listed here for completeness. If it is sent, report-uri must be an https:// address; the raw example below uses a plain-http report URL, which would send the reports in the clear. Note also that its fields are separated by commas, not the semicolons used by the other headers on this page.

// Raw header
Expect-CT: max-age=7776000, enforce, report-uri="http://domain.com/ct-report"

// PHP
header("Expect-CT: max-age=7776000, enforce");

// Apache
    Header set Expect-CT "max-age=7776000, enforce"

// nginx
add_header Expect-CT "max-age=7776000, enforce";

// Express.js
app.use(function(req, res, next) {
    res.header("Expect-CT", "max-age=7776000, enforce");
    next();
});
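As an added example, not code from the original post: once the headers above are configured, the check a practitioner wants is to fetch the response and audit what actually came back. The block below parses the raw header block as printed by `curl -sI https://host/` and reports the gaps against the headers covered on this page, flagging the retired ones. Both responses, and the names parseRawHeaders and auditHeaders, are constructed here for the example.

```javascript
// Added example (not from the original post): parse raw HTTP response headers
// and audit the security headers discussed above.

// Constructed responses: one with the weak spots a first deployment tends to
// have, one hardened. Neither comes from a real server.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Date: Sun, 15 Jul 2018 10:00:00 GMT',
  'Content-Type: text/html; charset=utf-8',
  'X-Frame-Options: sameorigin',
  'X-XSS-Protection: 1; mode=block',
  'Strict-Transport-Security: max-age=604800',
  'Referrer-Policy: origin-when-cross-origin',
  "Content-Security-Policy: default-src 'none'; script-src 'self'",
  '',
].join('\r\n');

const HARDENED_RESPONSE = [
  'HTTP/1.1 200 OK',
  'X-Frame-Options: DENY',
  'X-Content-Type-Options: nosniff',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains',
  "Content-Security-Policy: default-src 'none'; script-src 'self'; frame-ancestors 'none'",
  'Referrer-Policy: strict-origin-when-cross-origin',
  '',
].join('\r\n');

const ONE_YEAR = 31536000;
const REFERRER_POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
];

// Header names are case-insensitive, so the map is keyed in lower case.
// A repeated header is joined with ", " the way HTTP clients do.
function parseRawHeaders(text) {
  const headers = {};
  for (const line of text.split(/\r?\n/)) {
    if (line.startsWith('HTTP/')) continue; // status line
    const idx = line.indexOf(':');
    if (idx < 1) continue; // blank line or malformed
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// Return the list of problems found; an empty list means the audit passed.
function auditHeaders(h) {
  const issues = [];
  const csp = h['content-security-policy'] || '';
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!xfo && !/frame-ancestors/i.test(csp)) {
    issues.push('framing unrestricted: neither X-Frame-Options nor CSP frame-ancestors is set');
  } else if (xfo && xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    issues.push(`X-Frame-Options "${h['x-frame-options']}" is not DENY or SAMEORIGIN`);
  }
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    issues.push('X-Content-Type-Options: nosniff is missing');
  }
  const hsts = h['strict-transport-security'];
  if (!hsts) {
    issues.push('Strict-Transport-Security is missing');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR) issues.push(`HSTS max-age ${maxAge} is below one year (${ONE_YEAR})`);
    if (!/includeSubDomains/i.test(hsts)) issues.push('HSTS does not set includeSubDomains');
  }
  if (!csp) issues.push('Content-Security-Policy is missing');
  const rp = (h['referrer-policy'] || '').toLowerCase();
  if (!rp) issues.push('Referrer-Policy is missing');
  else if (!REFERRER_POLICIES.includes(rp)) issues.push(`Referrer-Policy "${rp}" is not a recognised value`);
  // Headers that current Chromium and Firefox no longer honour; their presence
  // usually means a config copied from an older checklist.
  for (const legacy of ['x-xss-protection', 'public-key-pins', 'expect-ct']) {
    if (legacy in h) issues.push(`${legacy} is a retired header and gives no protection in current browsers`);
  }
  return issues;
}

console.log(auditHeaders(parseRawHeaders(SAMPLE_RESPONSE)));   // four issues
console.log(auditHeaders(parseRawHeaders(HARDENED_RESPONSE))); // []
```

To run it against a live site, pipe `curl -sI https://host/` into a file and pass its contents to parseRawHeaders. Remember that HSTS is only honoured on an HTTPS response, so audit the https:// URL, not the http:// redirect.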

 

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

Tags: Access-Control-Allow-Origin Content-Security-Policy Expect-CT HTTP Headers Public-Key-Pins Referrer-Policy Strict-Transport-Security X-Content-Type-Options X-Frame-Options X-XSS-Protection
