Recommended Security Headers

Visit the following OWASP resources for an explanation of HTTP response headers related to security:

Apache Directives (.htaccess)

    <IfModule mod_headers.c>
        # Tell browsers to access the site only over HTTPS for one year; the env=HTTPS
        # condition ensures the header is emitted only on TLS responses
        Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

        # Governs which referrer information, sent in the Referer header, is included with requests
        Header always set Referrer-Policy "no-referrer"

        # Legacy header enabling the built-in XSS filter of older Chrome and IE;
        # current browsers ignore it
        Header set X-XSS-Protection "1; mode=block"

        # Stops browsers from MIME-sniffing responses away from the declared Content-Type,
        # which defeats some drive-by-download tricks
        Header set X-Content-Type-Options "nosniff"

        # Clickjacking defense: prevents other sites from framing your content.
        # Use "set" rather than "append": append on an existing value yields a
        # comma-joined list that browsers do not reliably honour
        Header always set X-Frame-Options SAMEORIGIN

        # Remove the non-standard X-Powered-By header from both header tables,
        # so the application stack (e.g. PHP version) is not advertised
        Header always unset "X-Powered-By"
        Header unset X-Powered-By
    </IfModule>

    # Hide the Apache version and OS on server-generated pages such as error responses
    ServerSignature Off

Website security header status can be checked using the Securityheaders.io online tool.
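An offline way to perform the same kind of check yourself, added here as an example that is not part of the original page: the function audits one response's headers against the directives above (HSTS max-age of a year, Referrer-Policy present, nosniff, a single valid X-Frame-Options value, no X-Powered-By) and additionally flags a version number in the Server header, which the page's ServerSignature directive does not itself control. The two header sets are constructed samples.

```python
import re

ONE_YEAR = 31536000  # the HSTS max-age used in the directives above


def audit_headers(headers: dict) -> dict:
    """Map each recommended header to 'ok' or a short problem description."""
    # HTTP header names are case-insensitive, so normalise before comparing.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    out = {}

    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    age = int(m.group(1)) if m else 0
    out["hsts"] = "ok" if age >= ONE_YEAR else "missing or max-age below one year"

    out["referrer-policy"] = "ok" if "referrer-policy" in h else "missing"

    nosniff = h.get("x-content-type-options", "").lower() == "nosniff"
    out["x-content-type-options"] = "ok" if nosniff else "missing or not nosniff"

    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        out["x-frame-options"] = "ok"
    elif "," in xfo:
        # 'Header append' onto an existing value produces a comma-joined list
        out["x-frame-options"] = "duplicated value, use 'set' not 'append'"
    else:
        out["x-frame-options"] = "missing or unrecognised"

    out["x-powered-by"] = "leaks " + h["x-powered-by"] if "x-powered-by" in h else "ok"
    srv = h.get("server", "")
    out["server"] = "version disclosed: " + srv if re.search(r"\d", srv) else "ok"
    return out


# Constructed sample: what a site serving the directives above should send.
GOOD = {
    "Strict-Transport-Security": "max-age=31536000",
    "Referrer-Policy": "no-referrer",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Server": "Apache",
}
# Constructed sample: a default install that leaks versions and mis-uses 'append'.
BAD = {
    "Server": "Apache/2.4.57 (Debian)",
    "X-Powered-By": "PHP/8.1.2",
    "X-Frame-Options": "SAMEORIGIN, SAMEORIGIN",
}
```

Feed it the header dictionary from any HTTP client (for example `dict(resp.headers.items())` from urllib) to audit a live response.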

Learn more about security headers