Securing your site headers using .htaccess

Vivid Matter - Secure Your Site

After reading reports of major security exploits recently, we decided to take a hard look at hardening our sites against the attacks being used to break into websites. When it came to the response headers, we first took into account that each site has different needs and will be using different scripts and frames. Our solution is a well-commented set of .htaccess rules that can easily be turned on or off depending on your site's individual needs. The resulting .htaccess rules are below:

# Vivid Matter - Bulletproof Header Security
# Every "Header" line below needs Apache's mod_headers. The "always" keyword
# sends the header on error responses (404, 500) as well as on 200s.

# Don't allow pages to be framed externally - Defends against clickjacking
# (a framing defense does not stop CSRF; that needs tokens or SameSite cookies)
Header always set X-Frame-Options "SAMEORIGIN"

# Tell the browser to use HTTPS only, for the next five years (157680000 s).
# Browsers honour this header only when it arrives over HTTPS, so make sure
# the whole site already works over TLS first. "set" rather than "add" so a
# second rule elsewhere cannot produce a duplicate header. Append
# "; includeSubDomains" once every subdomain is served over HTTPS too.
Header always set Strict-Transport-Security "max-age=157680000"

# Turn on the legacy reflected-XSS filter in IE8+ and older Chrome/Safari.
# Current browsers ignore this header; the CSP below is the real control.
Header always set X-XSS-Protection "1; mode=block"

# Only allow JavaScript (and other resources) from the same origin.
# Inline JavaScript is blocked because 'unsafe-inline' is not listed.
# "X-Content-Security-Policy: allow 'self'" was the pre-standard Firefox
# syntax; the standard header and directive are used here. This will break
# scripts loaded from CDNs, so trial it as Content-Security-Policy-Report-Only.
Header always set Content-Security-Policy "default-src 'self'"

# Prevent MIME-sniffing attacks
Header always set X-Content-Type-Options "nosniff"

# Disable the server signature on Apache-generated error pages.
# This is an Apache directive, not a response header: writing it as
# "Header set ServerSignature Off" sends a bogus header named ServerSignature.
ServerSignature Off
# "ServerTokens Prod" hides the Apache version in the Server header, but it is
# only valid in the main server config (httpd.conf); it causes a 500 error in
# .htaccess, so set it there rather than here.

# Control cross-domain policies for Flash and PDF clients
Header always set X-Permitted-Cross-Domain-Policies "master-only"

To add these rules to your site, paste the code above at the bottom of your .htaccess file. Two things have to be true for them to take effect: mod_headers must be loaded, and the directory's AllowOverride setting must permit .htaccess overrides (a typo or a directive that is not allowed in .htaccess, such as ServerTokens, turns the whole site into a 500 error). After saving, request a page with curl -I over HTTPS and confirm each header appears in the response.
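To check that the headers really reach the browser after the rules go live, here is an added example (not part of the original post) in Python. It parses a raw HTTP response header block, such as the output of curl -sI, and reports which of the hardening headers above are missing, weakened or misconfigured, including the case where the Apache directives were mistakenly written as Header lines. The two sample responses embedded in it are constructed for illustration, not captured from any real site.

```python
"""Audit a raw HTTP response header block for the hardening headers set above.

Added example, not part of the original post. The sample responses below are
constructed; feed `parse_response` the output of `curl -sI https://...` to
audit a live site.
"""
import re

MIN_HSTS_AGE = 365 * 24 * 3600  # one year, the usual minimum for HSTS


def parse_response(raw):
    """Split a raw HTTP response into {lower-cased header name: [values]}.

    Repeated headers (what `Header add` produces) are kept as a list so the
    auditor can flag duplicates.
    """
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                               # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        if len(hsts) > 1:
            findings.append("duplicate Strict-Transport-Security (use 'Header set', not 'add')")
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("Strict-Transport-Security max-age below one year")

    xfo = headers.get("x-frame-options", [""])[0].upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("missing or weak X-Frame-Options (clickjacking)")

    if headers.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    if "content-security-policy" not in headers:
        if "x-content-security-policy" in headers:
            findings.append("only legacy X-Content-Security-Policy sent; modern browsers ignore it")
        else:
            findings.append("missing Content-Security-Policy")

    xpcdp = headers.get("x-permitted-cross-domain-policies", [""])[0].lower()
    if xpcdp not in ("none", "master-only"):
        findings.append("missing or permissive X-Permitted-Cross-Domain-Policies")

    # A digit in the Server header means the version is exposed (ServerTokens not Prod).
    server = headers.get("server", [""])[0]
    if re.search(r"\d", server):
        findings.append("Server header leaks version: %s" % server)

    # Apache directives written as `Header set ...` show up as bogus response headers.
    for bogus in ("serversignature", "servertokens"):
        if bogus in headers:
            findings.append("'%s' sent as a response header; it is an Apache directive" % bogus)

    return findings


# Constructed response: what a server running the uncorrected rules would send.
ORIGINAL_RULES_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Strict-Transport-Security: max-age=157680000
X-XSS-Protection: 1; mode=block
X-Content-Security-Policy: allow 'self';
X-Content-Type-Options: nosniff
ServerSignature: Off
ServerTokens: Prod
X-Permitted-Cross-Domain-Policies: master-only
Content-Type: text/html
"""

# Constructed response: the corrected rules plus ServerTokens Prod in httpd.conf.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=157680000
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: master-only
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, raw in (("original rules", ORIGINAL_RULES_RESPONSE),
                       ("hardened", HARDENED_RESPONSE)):
        print(label + ":", audit_headers(parse_response(raw)) or ["OK"])
```

Run against the first sample it reports five problems (no X-Frame-Options, legacy CSP header only, leaked Apache version, and the two directive names sent as headers); against the second it reports none. Pipe `curl -sI` output into `parse_response` to repeat the check on a live host.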

In the following series we will go a little more in-depth into what each rule does to help protect your site.

Written by Jesse Goll

Jesse G grew up working on computers. He fondly remembers playing Space Invaders on a Tandy II. Jesse has over 12 years of experience working in the industry on everything from single-page brochure sites to multi-million dollar enterprise-level sites. When not buried deep in the latest programming book, Jesse G enjoys fishing, camping, hiking, mountain biking, hunting, and spending time with his wife and twin daughters.