Apache Security Headers Configuration.
Step 1:- Enable AllowOverride mode in config file.
After successfully installing the Apache server, open the configuration file. The file location is listed below.
- /etc/apache2/httpd.conf (Fedora, CentOS)
- /etc/apache2/apache2.conf (Debian, Ubuntu)
- /etc/httpd/httpd.conf (Fedora, CentOS)
- /etc/httpd/conf/httpd.conf (Fedora, CentOS)
Otherwise you can simply type the command
    locate httpd.conf
or
    locate apache2.conf
in the terminal. Then open the configuration file and set the configuration below.
Remove the server signature disclosed in the response header.
Add "ServerSignature Off" and "ServerTokens Prod" so that Apache no longer discloses its version in response headers and error pages, as shown in the image below.
    ServerSignature Off
    ServerTokens Prod
To add the other security headers from .htaccess, you have to change AllowOverride from None to All, as shown below.
Then enable the headers module (mod_headers) in Apache.
Step 2:- Add the security headers in the .htaccess file in /var/www/html.
After enabling AllowOverride and mod_headers, we can now add the security headers to the .htaccess file, as shown below.
    <IfModule mod_headers.c>
        # Strip the application-stack disclosure ("always" also covers error responses)
        Header always unset X-Powered-By
        Header unset X-Powered-By
        # CSP keywords such as 'self' must be single-quoted; an unquoted self is read as a host name
        Header set Content-Security-Policy "default-src 'self'"
        Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        Header always set X-Frame-Options DENY
        # Legacy header for old browsers; CSP above is the current protection
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Content-Type-Options nosniff
        # Header names take no trailing colon in mod_headers directives
        Header set Referrer-Policy no-referrer
        Header add Access-Control-Allow-Origin "https://kunshdeep.in"
        Header add Access-Control-Allow-Methods "GET,POST"
    </IfModule>
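To confirm the configuration took effect, the following added Python script (not part of the original post) audits a raw HTTP response for the headers set above and for the common mistakes in them: a version in the Server header, a leftover X-Powered-By, an unquoted self in the CSP and a weak HSTS policy. The two responses are constructed samples, one before and one after the hardening.

```python
"""Audit an HTTP response's security headers against the hardened .htaccess above."""

# Constructed sample responses, not captured from a real server.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Security-Policy: default-src self\r\n"
    "Content-Type: text/html\r\n\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Content-Type: text/html\r\n\r\n"
)

REQUIRED = ["Content-Security-Policy", "Strict-Transport-Security",
            "X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy"]


def parse_headers(raw: str) -> dict:
    """Return the response headers as a lower-cased name -> value map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw: str) -> list:
    """Return a list of findings; an empty list means the response passes."""
    h = parse_headers(raw)
    findings = [f"missing {name}" for name in REQUIRED if name.lower() not in h]
    if "x-powered-by" in h:
        findings.append("X-Powered-By discloses the application stack")
    if "/" in h.get("server", ""):                # e.g. Apache/2.4.41: ServerTokens is not Prod
        findings.append("Server header discloses a version (set ServerTokens Prod)")
    csp = h.get("content-security-policy", "")
    if "self" in csp and "'self'" not in csp:
        findings.append("CSP uses unquoted self; keywords must be quoted as 'self'")
    hsts = h.get("strict-transport-security", "")
    if hsts:
        params = [p.strip().lower() for p in hsts.split(";") if p.strip()]
        max_age = next((int(p[8:]) for p in params if p.startswith("max-age=")), 0)
        if max_age < 31536000:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in params:
            findings.append("HSTS lacks includeSubDomains")
    return findings
```

Paste the output of curl -si against the site in place of the constructed samples to audit a live response.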
Reference:-
https://owasp.org/www-project-secure-headers/
Nice post