Headers (Apache)
- Header, Header always, Header set, and Header append (all provided by mod_headers) manipulate the HTTP headers that the server sends in its response to a client's request
Header
- The basic Header directive adds, edits or removes response headers. It becomes conditional when an env= clause is attached (the directive acts only if the named environment variable was set earlier, e.g. by a RewriteRule or SetEnvIf) or when it is placed inside an <If>/<Else> container. Example:
Header set X-Foo "bar" env=production
- To always set a header, overwriting any existing value for that header:
Header set X-Foo "bar"
- To append a value to an existing header without overwriting the existing values (Apache joins them with a comma):
Header append X-Foo "bar"
Example
- Mark two URLs with an environment variable in mod_rewrite, then send X-Robots-Tag only on those responses:
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/url1 [OR]
RewriteCond %{REQUEST_URI} ^/url/file.pdf
RewriteRule ^ - [E=NO_ROBOTS:1]
Header set X-Robots-Tag "noindex, nofollow" env=NO_ROBOTS
Header always
- The Header always directive adds a header to every response, including error responses (4xx/5xx) that the plain Header directive leaves untouched. Example:
Header always set X-Foo "bar"
Summary
- Header is used for conditional header manipulation based on specified conditions
- Header always sets a header in every response, including error responses
- Header set overwrites the existing value of a header or creates it if it doesn't exist
- Header append adds a new value to an existing header, preserving any existing values
Security headers
HTTP Strict Transport Security (HSTS)
- Apache:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
- nginx:
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
- Send this header only on HTTPS responses, and add the preload token only once the site is ready to be submitted to the browser preload list, because a preloaded entry is hard to revert.
Content Security Policy
- Apache:
Header always set Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;"
- nginx:
add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
- To apply these headers to specific files only, put the add_header line inside a location block (nginx) or the Header set line inside a <FilesMatch> block (Apache).
Cross-site scripting (XSS)
- The X-XSS-Protection header controls the browser's legacy reflected-XSS filter. It has three settings, chosen according to need:
- X-XSS-Protection: 0 : disables the filter entirely.
- X-XSS-Protection: 1 : enables the filter, which only sanitizes potentially malicious scripts.
- X-XSS-Protection: 1; mode=block : enables the filter and blocks rendering of the page completely when an attack is detected.
- Current browsers no longer honour this header (Firefox never implemented the filter and Chromium removed it), so treat it as defence in depth and rely on Content-Security-Policy for XSS mitigation.
- Apache:
Header set X-XSS-Protection "1; mode=block"
- nginx:
add_header X-XSS-Protection "1; mode=block";
X-Frame-Options
- There are three ways to configure X-Frame-Options:
- DENY : disables framing of the page completely.
- SAMEORIGIN : the page can be framed only by pages from the same origin.
- ALLOW-FROM : allows the page to be framed only from a specific URL (the value takes a single URI; it is obsolete and ignored by current browsers, so use the CSP frame-ancestors directive instead).
- Apache:
Header always set X-Frame-Options "SAMEORIGIN"
- nginx:
add_header X-Frame-Options "SAMEORIGIN";
X-Content-Type-Options
- Apache:
Header always set X-Content-Type-Options "nosniff"
- nginx:
add_header X-Content-Type-Options nosniff;
Referrer-Policy
- Apache:
Header always set Referrer-Policy "strict-origin"
- nginx:
add_header Referrer-Policy "strict-origin";
Permissions-Policy
- Apache:
Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
- nginx:
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
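The headers listed above are only useful if they actually reach the browser, so a practitioner normally verifies the deployed configuration by reading a response back. The following Python script is an added example (not from this page or from Apache/nginx): it parses the header block of a raw HTTP response and reports which of the recommended headers are missing or weak. The two responses at the bottom are constructed samples, not captures from a real server; the audit also flags the `script-src *` used in the CSP example above, since a wildcard script source gives no protection against injected scripts.

```python
import re
from collections import defaultdict

ONE_YEAR = 31536000


def parse_response_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 response into {lowercase-name: [values]}.
    Repeated headers (Set-Cookie, or a CSP sent twice) are kept as separate list entries."""
    headers = defaultdict(list)
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:   # [0] is the status line
        if not line.strip():
            break                                            # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def parse_directives(csp_value: str) -> dict:
    """Flatten a CSP header value into {directive: [sources]}. Comma-separated policies
    (the result of Header append) are merged, which is enough for presence checks."""
    directives = {}
    for policy in csp_value.split(","):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens:
                directives.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return directives


def audit(raw_response: str) -> list:
    """Return the findings for the headers recommended on this page (empty list = all present)."""
    h = parse_response_headers(raw_response)
    findings = []

    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")

    csp = h.get("content-security-policy")
    directives = parse_directives(", ".join(csp)) if csp else {}
    if not csp:
        findings.append("CSP missing")
    else:
        # script-src falls back to default-src when absent
        script = directives.get("script-src", directives.get("default-src", []))
        if "*" in script or "'unsafe-inline'" in script:
            findings.append("CSP script-src allows any origin or inline script")

    if [v.lower() for v in h.get("x-content-type-options", [])] != ["nosniff"]:
        findings.append("X-Content-Type-Options missing or not nosniff")

    xfo = h.get("x-frame-options", [""])[0].upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in directives:
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")

    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name} missing")
    return findings


# Constructed sample responses (not captured from any real server)
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self'; script-src *\r\n"
    "Set-Cookie: sid=1\r\n"
    "\r\n"
    "<html></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin\r\n"
    "Permissions-Policy: geolocation=(),camera=(),microphone=()\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp) or "no findings")
```

To check a live site, feed `audit()` the text of a response captured with `curl -si https://host/` (the `-i` flag includes the headers); remember that a plain `Header set` is not applied to error responses, so also capture a 404 page when verifying that `Header always` was used where intended.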
Secure cookie
- Apache:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
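The Header edit rule above appends the three attributes to every Set-Cookie value, including cookies on which the application already set them, which produces duplicated attributes. As an added example (not code from this page or from Apache), the Python below re-creates the rule literally, then shows an idempotent alternative that adds only the attributes that are missing, together with a defender's check that reports a Set-Cookie value's problems. The cookie values are constructed samples.

```python
import re

# Python re-creation of the page's directive:
#   Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
NAIVE_EDIT = re.compile(r"^(.*)$")


def naive_edit(set_cookie: str) -> str:
    """Literal equivalent of the Header edit rule: append the attributes to every
    Set-Cookie, even when the application already sent them (duplicate attributes)."""
    return NAIVE_EDIT.sub(r"\1;HttpOnly;Secure;SameSite=None", set_cookie)


def _split(set_cookie: str):
    """Return (name=value, [attribute strings]) for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    return parts[0], parts[1:]


def harden(set_cookie: str, default_samesite: str = "None") -> str:
    """Idempotent hardening: add HttpOnly, Secure and a SameSite value only where missing.
    An application-chosen SameSite value (e.g. Lax) is preserved."""
    name_value, attrs = _split(set_cookie)
    present = {a.split("=", 1)[0].lower() for a in attrs}
    if "httponly" not in present:
        attrs.append("HttpOnly")
    if "secure" not in present:
        attrs.append("Secure")
    if "samesite" not in present:
        # SameSite=None is only honoured when Secure is also present; Secure was just guaranteed
        attrs.append(f"SameSite={default_samesite}")
    return "; ".join([name_value] + attrs)


def cookie_issues(set_cookie: str) -> list:
    """Defender's check on a Set-Cookie value: list what is missing or malformed."""
    _, attrs = _split(set_cookie)
    keys = [a.split("=", 1)[0].lower() for a in attrs]
    values = {a.split("=", 1)[0].lower(): (a.split("=", 1)[1] if "=" in a else "") for a in attrs}
    issues = []
    if "secure" not in keys:
        issues.append("missing Secure")
    if "httponly" not in keys:
        issues.append("missing HttpOnly")
    if values.get("samesite", "").lower() == "none" and "secure" not in keys:
        issues.append("SameSite=None requires Secure")
    if len(keys) != len(set(keys)):
        issues.append("duplicate attributes")
    return issues


if __name__ == "__main__":
    sample = "sid=abc; HttpOnly"          # constructed sample cookie
    print(naive_edit(sample), cookie_issues(naive_edit(sample)))
    print(harden(sample), cookie_issues(harden(sample)))
```

Two points the example makes visible: a SameSite=None cookie is rejected by browsers unless Secure is present, and a plain Header edit acts only on the default (success) header table, so cookies set on error responses are left untouched unless Header always edit is used.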
Allowing iframe embeds from other sites
- To allow several embedding sites, append a frame-ancestors policy (Header append joins it to any existing Content-Security-Policy value with a comma; the browser enforces both policies, so the earlier policy is not weakened):
Header always append Content-Security-Policy "frame-ancestors https://full-url-1.com https://full-url-2.com"
- Only from this domain (note that Header set replaces any Content-Security-Policy value set earlier):
Header always set Content-Security-Policy "frame-ancestors 'self'"
- Details: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/12-Test_for_Content_Security_Policy
- Validate CSP: https://csp-evaluator.withgoogle.com/
- https://blog.sucuri.net/2023/04/how-to-set-up-a-content-security-policy-csp-in-3-steps.html
- Potential issue: https://serverfault.com/questions/916724/421-misdirected-request
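To see how the frame-ancestors values above behave, including what happens when Header append turns the header into a comma-separated list of policies, here is an added Python evaluator (not code from this page, from Apache, or from any browser). It implements the common source forms ('none', 'self', a scheme such as https:, and host sources with an optional scheme, *. wildcard and port); full CSP matching has more cases, and the port handling here is a deliberate simplification. The origins and policies used are constructed samples.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(policy: str) -> dict:
    """Split one CSP policy string into {directive-name: [source expressions]}."""
    directives = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _origin(url: str):
    """(scheme, host, effective port) of a URL; the default port is filled in when absent."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def source_matches(source: str, embedder: str, page: str) -> bool:
    """Does one frame-ancestors source expression let `embedder` frame `page`?
    Simplified matching (assumption): 'none', 'self', scheme-source and host-source only."""
    e_scheme, e_host, e_port = _origin(embedder)
    p_scheme, p_host, p_port = _origin(page)
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return (e_scheme, e_host, e_port) == (p_scheme, p_host, p_port)
    if src.endswith(":") and "/" not in src and "." not in src:   # scheme-source, e.g. https:
        return e_scheme == src[:-1]
    # host-source: [scheme://]host[:port]; without a scheme the page's own scheme is assumed
    if "://" in src:
        scheme, rest = src.split("://", 1)
    else:
        scheme, rest = p_scheme, src
    host, _, port = rest.partition(":")
    if e_scheme != scheme and not (scheme == "http" and e_scheme == "https"):
        return False      # an http: source also admits https embedders; nothing else crosses schemes
    if host == "*":
        pass
    elif host.startswith("*."):
        if not e_host.endswith(host[1:]):   # *.example.com matches a.example.com, not example.com
            return False
    elif e_host != host:
        return False
    if port == "*":
        return True
    if port:
        return e_port == int(port)
    return e_port == DEFAULT_PORTS.get(e_scheme)   # no port in the source: default port only


def frame_allowed(csp_header: str, embedder: str, page: str) -> bool:
    """Evaluate a complete Content-Security-Policy header value for framing.
    Header append yields a comma-separated list of policies; a browser enforces every one,
    so the embedder must be allowed by each policy that carries frame-ancestors. A policy
    without frame-ancestors imposes no framing restriction (default-src does not apply to it)."""
    for policy in csp_header.split(","):
        sources = parse_csp(policy).get("frame-ancestors")
        if sources is None:
            continue
        if not any(source_matches(s, embedder, page) for s in sources):
            return False
    return True


if __name__ == "__main__":
    # The page's two-site policy, appended after an existing policy (constructed sample)
    header = "default-src 'self'; script-src *, frame-ancestors https://full-url-1.com https://full-url-2.com"
    for embedder in ("https://full-url-2.com", "https://other.example"):
        print(embedder, frame_allowed(header, embedder, "https://example.com"))
```

The evaluator shows why appending is safe: the added policy restricts framing even though the earlier policy said nothing about it. It also shows that a plain host source such as https://full-url-2.com does not admit http://full-url-2.com or a non-default port, which is the usual reason an embed that "should" work is blocked.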
- Legacy way with X-Frame-Options (ALLOW-FROM accepts exactly one origin and is no longer honoured by current browsers, so listing several domains does not work; use the frame-ancestors directive above instead):
Header set X-Frame-Options "ALLOW-FROM https://domain1.com"
- https://tecadmin.net/configure-x-frame-options-apache/
- https://stackoverflow.com/questions/38744953/apache-x-frame-options-allow-from-multiple-domains
- https://csp-evaluator.withgoogle.com/
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
- https://www.sentrium.co.uk/labs/application-security-101-http-headers
- https://serverfault.com/questions/880894/how-can-i-add-in-apache-referrer-policy-header
- https://enable-cors.org/server_apache.html
- https://ubiq.co/tech-blog/set-access-control-allow-origin-cors-headers-apache/
- https://geekflare.com/httponly-secure-cookie-apache/
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options