Technology Is Nothing But the

  • Invention!
  • Future!
  • Optimism!
  • Entertainment!

Apache Security Headers Configuration.

Step 1:- Enable AllowOverride mode in config file.

After successfully install the apache server open configuration file. The file location is listed below.

  • /etc/apache2/httpd.conf (Fedora,Centos)
  • /etc/apache2/apache2.conf (Debian,Ubuntu)
  • /etc/httpd/httpd.conf (Fedora,Centos)
  • /etc/httpd/conf/httpd.conf (Fedora,Centos)

Else you can simply type the command > locate httpd.conf or > locate apache2.conf in the terminal. Then open the configuration file. Set the below configuration.

Remove the Server Signature disclosed in response header.

Add the “ServerSignature Off” and “ServerTokens Prod” to remove server signature disclosed in headers, as shown below image.

> Before ServerSignature Off
ServerSignature Off
ServerTokens Prod
> After ServerSignature Off

To add other security headers from .htaccess, you have to enable the AllowOverride from None to All, as shown below.

Then enable the module headers in apache.

Step 2:- Add the security headers in .htaccess file /var/www/html.

After enabling the AllowOverride and module headers we can now add the security header on the .htaccess file, as shown below.

<IfModule mod_headers.c>
Header always unset "X-Powered-By"
Header unset X-Powered-By
Header set Content-Security-Policy "default-src self"
Header set Strict-Transport-Security "max-age=31536000;includeSubDomains;"
Header always set X-Frame-Options DENY
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set Referrer-Policy: no-referrer
Header add Access-Control-Allow-Origin: ""
Header add Access-Control-Allow-Methods: "GET,POST"
> After setting the security headers


4 1 vote
Article Rating
Newest Most Voted
Inline Feedbacks
View all comments
Raj pant

Nice post

Manav Dubey

Great Post

Would love your thoughts, please comment.x