Apache Security Headers


Setting your security headers is an important step in configuring your site. These settings can be applied in the main Apache configuration file or the virtual host file (vhost.conf) on a per-site basis. If you want them to apply to all your hosts, create a separate headers.conf file in your /conf.d directory. If you are on shared hosting, they can also be applied in your .htaccess file.

NOTE: Content-Security-Policy can vary from site to site, so it should be applied either in the virtual host config or the site .htaccess, depending on your access.

 
Content-Security-Policy
This allows you to specify acceptable sources for the content on your site. It is probably the most work to configure properly, as you will need to identify and list all foreign sources. Use the network tab of your favorite inspector to identify them. See content-security-policy.com for detailed settings.

In its most basic form:

Header always set Content-Security-Policy "default-src 'self'"

e.g. for a basic WordPress site:

Header always set Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval';img-src 'self' data: secure.gravatar.com;font-src 'self' fonts.googleapis.com fonts.gstatic.com"

 
Strict-Transport-Security
Browsers supporting this header will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. The minimum recommended value for max-age is 180 days (or 6 months – 15768000), although less can be used while testing. This header should not be sent over HTTP.

Before using the ‘includeSubDomains’ directive, consider carefully that every subdomain will then require TLS/SSL. Use of email or CNAME records pointing to external services may be affected.

WARNING: Sending the preload tag could block your site if used improperly. Please read www.owasp.org for more information.

Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains" env=HTTPS

 
X-Frame-Options
To avoid clickjacking attacks, block your content from being embedded into other sites. This should be set to either DENY or SAMEORIGIN.

Header always set X-Frame-Options SAMEORIGIN

 
X-Content-Type-Options
Setting this response header with the value nosniff will prevent most browsers from MIME-sniffing a response away from the declared content-type.

Header always set X-Content-Type-Options nosniff

 
X-XSS-Protection
Internet Explorer, Chrome and Safari will use this to stop pages from loading when they detect reflected cross-site scripting (XSS) attacks.

Header always set X-XSS-Protection "1; mode=block"

 
Referrer-Policy
Specify what referrer information to send. The default is no-referrer-when-downgrade where the origin is sent as referrer via HTTPS but not HTTP.

Header always set Referrer-Policy: no-referrer-when-downgrade

 
Securing cookies
Force the appending of HttpOnly and Secure flags to all site cookies.

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

 
Putting it all together

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=2592000; includeSubDomains" env=HTTPS
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy: no-referrer-when-downgrade
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>

 
Testing your configuration
Various sites provide online services to test your site configuration. Try these below:
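
For a local check alongside those online services, the following added example (not part of the original page) audits a raw response head against the recommendations above. The names audit, parse_headers, MIN_HSTS_AGE and SAMPLE are assumptions made for this illustration, and SAMPLE is a constructed response that mirrors the "Putting it all together" block plus one constructed cookie sent without flags.

```python
import re

# Minimum HSTS max-age recommended on this page: 15768000 (about 6 months).
MIN_HSTS_AGE = 15768000

# Constructed sample response head (not captured from a real server).
SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=2592000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Set-Cookie: sid=abc123; Path=/;HttpOnly;Secure
Set-Cookie: theme=dark; Path=/"""

def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw response head."""
    headers = []
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    headers = parse_headers(raw)
    first = {}
    for name, value in headers:
        first.setdefault(name, value)
    findings = []
    for required in ("content-security-policy", "referrer-policy"):
        if required not in first:
            findings.append(required + " missing")
    m = re.search(r"max-age=(\d+)", first.get("strict-transport-security", ""), re.I)
    if not m:
        findings.append("strict-transport-security missing or without max-age")
    elif int(m.group(1)) < MIN_HSTS_AGE:
        findings.append("strict-transport-security max-age below %d" % MIN_HSTS_AGE)
    if first.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options is not DENY or SAMEORIGIN")
    if first.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options is not nosniff")
    for name, value in headers:
        if name == "set-cookie":           # every cookie is checked, not just the first
            flags = {p.strip().lower() for p in value.split(";")[1:]}
            for flag in sorted({"httponly", "secure"} - flags):
                findings.append("cookie %s lacks %s" % (value.split("=")[0], flag))
    return findings
```

Calling audit(SAMPLE) reports the missing Content-Security-Policy, the 30-day max-age in the combined block falling below the 6-month recommendation, and the unflagged cookie.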
