After reading reports of major security exploits recently, we decided to take a hard look at securing our sites against the vulnerabilities currently being used to break into websites. When securing the site headers, we first took into account that each site has different needs and uses different scripts and frames. Our solution is a well-commented set of .htaccess rules that can easily be turned on or off to suit your site's individual needs. The resulting .htaccess rules are below:
```apache
# Vivid Matter - Bulletproof Header Security
# The Header directives need mod_headers; the IfModule wrapper avoids a
# 500 error on hosts where the module is not loaded.
<IfModule mod_headers.c>

# Don't allow pages to be framed externally - Defends against clickjacking
Header set X-Frame-Options "SAMEORIGIN"

# Tell the browser to use HTTPS for future requests. Browsers only honour
# this header when it arrives over HTTPS, so send it only on HTTPS responses.
Header set Strict-Transport-Security "max-age=157680000" env=HTTPS

# Turn on IE8-IE9 XSS prevention tools
Header set X-XSS-Protection "1; mode=block"

# Only allow JavaScript (and other resources) from the same domain to be run.
# Don't allow inline JavaScript to run.
# X-Content-Security-Policy with "allow" is the early Firefox-only syntax;
# the standard header is Content-Security-Policy with "default-src".
Header set Content-Security-Policy "default-src 'self'"
Header set X-Content-Security-Policy "allow 'self';"

# Prevent mime based attacks
Header set X-Content-Type-Options "nosniff"

# Control Cross-Domain Policies
Header set X-Permitted-Cross-Domain-Policies "master-only"

</IfModule>

# Disable server signature. ServerSignature and ServerTokens are Apache
# directives, not response headers, so they must not be set with "Header set".
# ServerSignature is allowed in .htaccess; ServerTokens is only allowed in the
# main server config (httpd.conf) and causes a 500 error if placed here.
ServerSignature Off
# ServerTokens Prod
```
To add these rules to your site, all you need to do is append the code above to the bottom of your .htaccess file.
In the following series, we will go a little more in-depth into what each rule does to help protect your site.
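Once the rules are in place, it is worth confirming that the headers actually reach the browser. The following script is an added example and is not part of the original post: it audits a set of response headers against the policy above (using the standard Content-Security-Policy header name, which current browsers read) and flags a Server header that leaks a version number. The function names (`audit_headers`, `fetch_headers`) and the two sample responses are constructed for this example.

```python
"""Audit an HTTP response's security headers against the .htaccess policy above."""
import sys
import urllib.request


def _hsts_ok(value):
    """True if max-age is present and at least one year (31536000 s)."""
    for part in value.split(";"):
        part = part.strip()
        if part.startswith("max-age="):
            try:
                return int(part.split("=", 1)[1]) >= 31536000
            except ValueError:
                return False
    return False


# Header name (lower-case) -> predicate over its lower-cased value.
CHECKS = {
    "x-frame-options": lambda v: v in ("deny", "sameorigin"),
    "strict-transport-security": _hsts_ok,
    "x-xss-protection": lambda v: v.startswith("1"),
    "content-security-policy": lambda v: "default-src" in v,
    "x-content-type-options": lambda v: v == "nosniff",
    "x-permitted-cross-domain-policies": lambda v: v in ("none", "master-only"),
}


def audit_headers(headers):
    """Map each policy header to 'ok', 'missing' or 'weak: <value>'.

    `headers` is any mapping of header name -> value; names are matched
    case-insensitively. The Server header is also checked for a version leak.
    """
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    result = {}
    for name, check in CHECKS.items():
        if name not in lowered:
            result[name] = "missing"
        elif check(lowered[name]):
            result[name] = "ok"
        else:
            result[name] = "weak: " + lowered[name]
    server = lowered.get("server", "")
    if any(ch.isdigit() for ch in server):
        result["server"] = "leaks version: " + server
    else:
        result["server"] = "ok"
    return result


def fetch_headers(url):
    """Fetch just the response headers of `url` (needs network access)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.getheaders())


# Constructed sample responses (not captured from any real server).
SAMPLE_HARDENED = {
    "Server": "Apache",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=157680000",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Permitted-Cross-Domain-Policies": "master-only",
}
SAMPLE_DEFAULT = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
}

if __name__ == "__main__":
    # Usage: python audit_headers.py [https://your-site/]; no URL runs the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    headers = fetch_headers(target) if target else SAMPLE_DEFAULT
    for name, verdict in audit_headers(headers).items():
        print(f"{name:36} {verdict}")
```

Run it against your own site after editing .htaccess; a "missing" verdict on every header usually means mod_headers is not loaded or the .htaccess file is not being read (AllowOverride is off), while "missing" only for Strict-Transport-Security on an HTTPS URL points at the HSTS header not being sent on the HTTPS virtual host.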