Security HTTP Headers

Posted on July 15, 2018 (updated May 6, 2022) by admin
Web Server

List of Security HTTP Headers:

The response headers below let a web server restrict what the browser will do with a page: where it may be framed, which scripts may run, whether plain HTTP is ever used again for the host, and how much of the URL leaks in the Referer of outgoing requests. Each entry shows the raw header followed by how to emit it from PHP, Apache, nginx and Express.js. Two deployment notes apply throughout: the Apache "Header" directive requires mod_headers to be enabled, and in nginx an add_header placed inside a server or location block replaces every add_header inherited from the enclosing level, so the full set has to be repeated at that level.

X-Frame-Options:

Tells the browser whether the page may be rendered inside a <frame>, <iframe>, <embed> or <object>, which is the basis of clickjacking. The valid values are DENY (never framed) and SAMEORIGIN (framed only by pages from the same origin); the value is case-insensitive. ALLOW-FROM was never widely implemented and is ignored by current browsers; to allow specific framing origins, use the frame-ancestors directive of Content-Security-Policy, which supersedes this header wherever it is supported.

// Raw header
X-Frame-Options: sameorigin

// How to send the response header with PHP
header("X-Frame-Options: sameorigin");

// How to send the response header with Apache (.htaccess)
    Header set X-Frame-Options "sameorigin"

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("X-Frame-Options", "sameorigin");
    next();
});

X-XSS-Protection

Controlled the reflected-XSS filter built into older browsers: "1; mode=block" stopped rendering the page when a reflected attack was detected instead of trying to sanitise it. The filter has since been removed from Chromium-based browsers and was never implemented in Firefox, and the auditor itself turned out to be abusable (an attacker could trigger it to block legitimate scripts and infer page content from what was blocked). Current guidance, including MDN's, is to send "X-XSS-Protection: 0" if the header is sent at all and to rely on Content-Security-Policy for XSS mitigation.

// Raw header
X-XSS-Protection: 1; mode=block

// How to send the response header with PHP
header("X-XSS-Protection: 1; mode=block");

// How to send the response header with Apache (.htaccess)
    Header set X-XSS-Protection "1; mode=block"

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("X-XSS-Protection", "1; mode=block");
    next();
});

X-Content-Type-Options

Stops the browser from MIME-sniffing a response and treating it as a type other than the declared Content-Type. Without it, a file served as text/plain or as an image can be executed as script or applied as a stylesheet if its bytes look like one; with nosniff, <script> and stylesheet loads whose Content-Type does not match are refused outright. The header only helps when every response carries a correct Content-Type, so check that static-file handlers and upload endpoints set one.

// Raw header
X-Content-Type-Options: nosniff

// How to send the response header with PHP
header("X-Content-Type-Options: nosniff");

// How to send the response header with Apache (.htaccess)
    Header set X-Content-Type-Options "nosniff"

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("X-Content-Type-Options", "nosniff");
    next();
});

Strict-Transport-Security

Instructs the browser to use HTTPS for this host for max-age seconds: http:// links are rewritten before the request is sent and the user can no longer click through certificate errors. Browsers only honour the header on responses received over HTTPS, so it must be sent from the TLS virtual host; sending it over plain HTTP does nothing. includeSubDomains extends the rule to every subdomain, so make sure all of them serve HTTPS before adding it. A max-age of at least one year (31536000), includeSubDomains and a preload token are the preconditions for the browser preload list. With Apache, "Header always set" rather than "Header set" ensures the header is also attached to redirects and error responses.

// Raw header
Strict-Transport-Security: max-age=31536000
// or
Strict-Transport-Security: max-age=31536000; includeSubDomains

// How to send the response header with PHP
header("Strict-Transport-Security: max-age=31536000");

// How to send the response header with Apache (.htaccess)
    Header set Strict-Transport-Security "max-age=31536000"

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("Strict-Transport-Security", "max-age=31536000");
    next();
});

Content-Security-Policy

Whitelists the origins from which each type of resource may load. default-src 'none' blocks everything that is not listed explicitly, and the keyword 'self' (quotes included) means the page's own origin; anything else, including inline <script> blocks, inline styles, onclick= handlers, data: URLs, web fonts and third-party scripts, is refused and a violation is logged to the browser console. That makes the policy below very strong but also likely to break an existing site. Roll it out with Content-Security-Policy-Report-Only first, together with a report-uri or report-to endpoint to collect violations; allow inline code through a per-response nonce or a hash rather than 'unsafe-inline'; and add frame-ancestors 'none' (or 'self') to control framing at the CSP level.

// Raw header
Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';

// How to send the response header with PHP
header("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';");

// How to send the response header with Apache (.htaccess)
    Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"

// How to send the response header with Express.js
app.use(function(req, res, next) {
    res.header("Content-Security-Policy", "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';");
    next();
});

Public-Key-Pins (HPKP, deprecated)

Pinned the SHA-256 hash of a certificate's SubjectPublicKeyInfo so that the browser rejected any other chain for the host for max-age seconds. The mechanism has been removed from Chrome (version 72) and Firefox (version 72) and should not be deployed: a lost key, a mistyped pin or an attacker who briefly controls the site can lock legitimate users out for the whole max-age ("HPKP suicide" and ransom pinning). Certificate Transparency monitoring and CAA DNS records are the replacements. The examples are kept for reference only; the pin values are placeholders, not digests of a real key, and browsers that supported the header required at least one backup pin that is not present in the served chain. Access-Control-Allow-Origin, listed alongside HPKP in the original heading, is a CORS header that widens rather than restricts access and is not covered here.

// Raw
Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains; report-uri="https://technology.freenetsolutions.com/"

// PHP
header('Public-Key-Pins: pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains; report-uri="https://technology.freenetsolutions.com/"');

// Apache (the inner quotes must be escaped with a backslash)
    Header set Public-Key-Pins "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"; pin-sha256=\"FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\"; max-age=604800; report-uri=\"https://technology.freenetsolutions.com/\""

// nginx
add_header Public-Key-Pins "pin-sha256=\"d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=\"; pin-sha256=\"FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=\"; max-age=604800";

// Express.js
app.use(function(req, res, next) {
    res.header("Public-Key-Pins", 'pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="; pin-sha256="FRE9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; max-age=604800; includeSubDomains');
    next();
});


Referrer-Policy

Controls how much of the current URL is sent in the Referer header of outgoing requests and navigations. origin-when-cross-origin sends the full URL to the same origin and only the scheme, host and port to other origins, which keeps paths and query strings (password-reset tokens, search terms, session identifiers) from leaking to third parties. It still sends the origin when navigating from HTTPS to HTTP; strict-origin-when-cross-origin, now the default in the major browsers, withholds the Referer entirely on such downgrades, and no-referrer suppresses it altogether.

// Raw header
Referrer-Policy: origin-when-cross-origin

// PHP
header("Referrer-Policy: origin-when-cross-origin");

// Apache
    Header set Referrer-Policy "origin-when-cross-origin"

// nginx
add_header Referrer-Policy "origin-when-cross-origin";

// Express.js
app.use(function(req, res, next) {
    res.header("Referrer-Policy", "origin-when-cross-origin");
    next();
});

Expect-CT (deprecated)

Asked the browser to require Signed Certificate Timestamps (proof that the certificate was logged in Certificate Transparency) for the host, enforcing after max-age seconds and reporting failures to report-uri. Chrome has required CT for every publicly trusted certificate issued since 30 April 2018 regardless of this header, and the header has been removed from Chromium (version 107); it is listed here for completeness only. Note the syntax: the directives are comma-separated, unlike the semicolon-separated headers above. The header is only honoured over HTTPS, and the report endpoint should itself be an https:// URL.

// Raw header
Expect-CT: max-age=7776000, enforce, report-uri="https://domain.com/ct-report"

// PHP
header("Expect-CT: max-age=7776000, enforce");

// Apache
    Header set Expect-CT "max-age=7776000, enforce"

// nginx
add_header Expect-CT "max-age=7776000, enforce";

// Express.js
app.use(function(req, res, next) {
    res.header("Expect-CT", "max-age=7776000, enforce");
    next();
});
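Once the headers are configured, the next question is whether a live response actually carries them with sane values. The following is an added example, not code from the original post: it parses a raw HTTP response head and audits it against the guidance given on this page, flagging a missing nosniff, an unsupported X-Frame-Options value, 'unsafe-inline' scripts in the CSP, an HSTS max-age shorter than one year or without includeSubDomains, a non-zero X-XSS-Protection, a Referrer-Policy that leaks full URLs, and the presence of the deprecated Public-Key-Pins and Expect-CT headers. The sample response embedded below is constructed for the example; in practice the input would come from curl -i or a fetch of your own site.

```javascript
'use strict';

// Parse a raw HTTP/1.x response head into { status, headers }.
// Header names are lower-cased; repeated headers are joined with ", ".
function parseResponse(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const lines = head.split(/\r?\n/);
  const status = parseInt(lines[0].split(' ')[1], 10);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i < 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return { status, headers };
}

// Split a Content-Security-Policy value into { directive: [sources...] }.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Return a list of findings (strings); an empty list means every check passed.
function auditHeaders(headers) {
  const findings = [];
  const h = (name) => headers[name.toLowerCase()];

  const xcto = h('X-Content-Type-Options');
  if (!xcto || xcto.toLowerCase() !== 'nosniff')
    findings.push('X-Content-Type-Options missing or not "nosniff"');

  const xfo = h('X-Frame-Options');
  const rawCsp = h('Content-Security-Policy');
  if (!rawCsp) {
    findings.push('Content-Security-Policy missing');
  } else {
    const csp = parseCsp(rawCsp);
    if (!('default-src' in csp)) findings.push('CSP has no default-src fallback');
    // script-src falls back to default-src when absent.
    const scriptSrc = csp['script-src'] || csp['default-src'] || [];
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("CSP allows 'unsafe-inline' scripts");
    if (scriptSrc.includes('*')) findings.push('CSP script-src allows any origin (*)');
    if (!('frame-ancestors' in csp) && !xfo)
      findings.push('neither frame-ancestors nor X-Frame-Options set: clickjacking not mitigated');
  }
  if (xfo && !['deny', 'sameorigin'].includes(xfo.toLowerCase()))
    findings.push(`X-Frame-Options value "${xfo}" is not supported (use DENY or SAMEORIGIN)`);

  const hsts = h('Strict-Transport-Security');
  if (!hsts) {
    findings.push('Strict-Transport-Security missing');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? parseInt(m[1], 10) : 0;
    if (maxAge < 31536000) findings.push(`HSTS max-age ${maxAge} is below one year`);
    if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  }

  const xss = h('X-XSS-Protection');
  if (xss && xss.trim() !== '0')
    findings.push('X-XSS-Protection enables the removed XSS Auditor; send "0" or drop the header');

  const rp = h('Referrer-Policy');
  if (!rp) findings.push('Referrer-Policy missing');
  else if (['unsafe-url', 'no-referrer-when-downgrade'].includes(rp.toLowerCase()))
    findings.push(`Referrer-Policy "${rp}" sends full URLs cross-origin`);

  if (h('Public-Key-Pins')) findings.push('Public-Key-Pins is deprecated and ignored by current browsers');
  if (h('Expect-CT')) findings.push('Expect-CT is deprecated; CT is enforced without it');

  return findings;
}

// Constructed sample: a response with several weak settings, for the demo below.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'X-Frame-Options: ALLOW-FROM https://example.com',
  'X-XSS-Protection: 1; mode=block',
  'Strict-Transport-Security: max-age=86400',
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'",
  'Referrer-Policy: unsafe-url',
  '',
  '<html></html>',
].join('\r\n');

const sampleFindings = auditHeaders(parseResponse(SAMPLE_RESPONSE).headers);
for (const f of sampleFindings) console.log('FINDING:', f);
```

The checks encode the thresholds from this page (one-year HSTS, nosniff, a CSP without 'unsafe-inline') rather than a full scanner; extend auditHeaders with whatever your own policy demands, and run it against every distinct path, since nginx location blocks and Apache directory configs can drop headers on some responses and not others.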


Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

Tags: Access-Control-Allow-Origin Content-Security-Policy Expect-CT HTTP Headers Public-Key-Pins Referrer-Policy Strict-Transport-Security X-Content-Type-Options X-Frame-Options X-XSS-Protection
