Apache Security Headers Configuration.
Step 1:- Enable AllowOverride mode in config file.
After successfully install the apache server open configuration file. The file location is listed below.
- /etc/apache2/httpd.conf (Fedora,Centos)
- /etc/apache2/apache2.conf (Debian,Ubuntu)
- /etc/httpd/httpd.conf (Fedora,Centos)
- /etc/httpd/conf/httpd.conf (Fedora,Centos)
Else you can simply type the command > locate httpd.conf or > locate apache2.conf in the terminal. Then open the configuration file. Set the below configuration.
Remove the Server Signature disclosed in response header.
Add the “ServerSignature Off” and “ServerTokens Prod” to remove server signature disclosed in headers, as shown below image.
> Before ServerSignature OffServerSignature Off ServerTokens Prod
> After ServerSignature OffTo add other security headers from .htaccess, you have to enable the AllowOverride from None to All, as shown below.
Then enable the module headers in apache.
Step 2:- Add the security headers in .htaccess file /var/www/html.
After enabling the AllowOverride and module headers we can now add the security header on the .htaccess file, as shown below.
<IfModule mod_headers.c> Header always unset "X-Powered-By" Header unset X-Powered-By Header set Content-Security-Policy "default-src self" Header set Strict-Transport-Security "max-age=31536000;includeSubDomains;" Header always set X-Frame-Options DENY Header set X-XSS-Protection "1; mode=block" Header set X-Content-Type-Options nosniff Header set Referrer-Policy: no-referrer Header add Access-Control-Allow-Origin: "https://kunshdeep.in" Header add Access-Control-Allow-Methods: "GET,POST" </IfModule>
> After setting the security headersReference:-
https://owasp.org/www-project-secure-headers/
Nice post