Headers (Apache)

From DWAMconsult Wiki
  • Apache's mod_headers Header directive (with its always condition and its set, append and edit actions) manipulates the HTTP headers that are sent in the server's response to a client's request

Header

  • A plain Header directive acts on Apache's default (onsuccess) header table, so it does not reach responses Apache generates itself, such as its own error pages and, in practice, Redirect responses. The optional env= clause makes it conditional on an environment variable set earlier by SetEnvIf or by a RewriteRule [E=...] flag; Apache has no if/else statement for this, the test is simply whether the variable exists. Example (header sent only when the production variable is set):
Header set X-Foo "bar" env=production
  • To set a header, overwriting any existing value for that header:
Header set X-Foo "bar"
  • To append a value to an existing header as a comma-separated list, without overwriting existing values (the header is created if absent):
Header append X-Foo "bar"

Example

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/url1 [OR]
RewriteCond %{REQUEST_URI} ^/url/file.pdf
RewriteRule ^ - [E=NO_ROBOTS:1]

Header set X-Robots-Tag "noindex, nofollow" env=NO_ROBOTS

Header always

  • The always condition makes Header act on the table used for every response, including the error pages and redirects Apache generates itself. It is not unconditional: an env= clause still applies, and because the two tables are separate, an edit or unset sometimes has to be repeated with and without always. Headers that must appear everywhere, such as HSTS, are set with Header always. Example:
Header always set X-Foo "bar"

Summary

  • Header without always acts only on the default header table (not on Apache's own error and redirect responses); env= adds a condition on an environment variable
  • Header always also covers Apache's own error and redirect responses, which is what security headers need
  • Header set overwrites the existing value of a header or creates it if it doesn't exist
  • Header append adds a comma-separated value to an existing header, preserving any existing values

Security headers

HTTP Strict Transport Security (HSTS)

  • Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  • nginx: add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
  • Use always in both servers: without it Apache omits the header from its own error pages and redirects, and nginx's add_header is only applied to 2xx and 3xx responses. Send the header from the HTTPS virtual host only. includeSubDomains commits every subdomain to HTTPS, and preload only makes sense once the domain is submitted to the browser preload list, which takes months to leave, so add both only when everything under the domain already serves HTTPS.

Content Security Policy

  • Apache: Header always set Content-Security-Policy "default-src 'self'; font-src *; img-src * data:; script-src *; style-src *"
  • nginx: add_header Content-Security-Policy "default-src 'self'; font-src *; img-src * data:; script-src *; style-src *" always;
  • This policy is a starting point, not a hardened one: script-src * blocks inline scripts and eval, but lets the page load a script from any origin, so an injected <script src=...> still runs. Restrict script-src to 'self' plus the hosts you actually use, add frame-ancestors if the CSP is meant to replace X-Frame-Options, and roll it out with Content-Security-Policy-Report-Only first.
  • If you want to apply these headers to specific files, put the add_header line in a location block (nginx) or the Header line in a <FilesMatch> block (Apache). Note that in nginx an add_header inside a location replaces every add_header inherited from the server block, so repeat the full set there.

Cross-site scripting (XSS)

  • X-XSS-Protection controls the reflected-XSS filter of older browsers. The filter has since been removed from Chrome and Edge and was never implemented in Firefox, and its block mode could be abused to leak information, so the current recommendation is to send 0 (or omit the header) and rely on a Content Security Policy instead. The three values are:

X-XSS-Protection: 0 : disables the filter entirely.
X-XSS-Protection: 1 : enables the filter; the browser sanitizes (removes) the script it detects.
X-XSS-Protection: 1; mode=block : enables the filter and blocks rendering of the whole page instead of sanitizing it.

Apache: Header set X-XSS-Protection "1; mode=block"
nginx: add_header X-XSS-Protection "1; mode=block";

There are three values for X-Frame-Options:

DENY : the page may not be placed in a frame at all.
SAMEORIGIN : the page may be framed only by pages from the same origin.
ALLOW-FROM uri : the page may be framed only from the given URI. Modern browsers ignore ALLOW-FROM (the whole header is then treated as absent), so when a specific third party needs to frame the page use the CSP frame-ancestors directive instead.

Apache: Header always set X-Frame-Options "SAMEORIGIN"
nginx: add_header X-Frame-Options "SAMEORIGIN" always;

Apache: Header always set X-Content-Type-Options "nosniff"
nginx: add_header X-Content-Type-Options nosniff always;

Apache: Header always set Referrer-Policy "strict-origin"
nginx: add_header Referrer-Policy "strict-origin" always;

Apache: Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
nginx: add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()" always;

Secure cookie

  • Apache: Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure; SameSite=None"
  • Caveats: the pattern matches every Set-Cookie, so attributes that are already present get duplicated and a cookie that scripts legitimately need to read loses that access. SameSite=None means the cookie is sent on cross-site requests; it is only appropriate for cookies that must work cross-site (and then Secure is mandatory), so session cookies should get SameSite=Lax or Strict instead. Header edit acts on the default header table, which is where Set-Cookie from a proxied or CGI backend lands; if a cookie set elsewhere is missed, repeat the directive as Header always edit.
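As an added worked example (not code from the wiki page, nor from Apache or nginx), the Python below parses a raw HTTP response and checks its headers against the points made in this section: HSTS max-age and includeSubDomains, a CSP whose script-src is wide open, the unsupported ALLOW-FROM, the deprecated X-XSS-Protection filter, nosniff, Referrer-Policy, and Secure/HttpOnly/SameSite on every Set-Cookie. Both sample responses are constructed, one deliberately weak and one matching the advice above; the check names and thresholds are this example's own choices.

```python
"""Audit the security headers of a raw HTTP response.

Added example for this page (not from the wiki, Apache or nginx).  It works
on constructed HTTP/1.1 responses so it runs offline; the one-year HSTS
threshold and the finding texts are choices made for this example.
"""
import re

ONE_YEAR = 31536000  # the max-age used by the HSTS examples on this page

# Constructed weak response: one deliberate problem per check below.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self'; script-src * 'unsafe-inline'\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed hardened response following the recommendations above.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin\r\n"
    "X-XSS-Protection: 0\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html></html>"
)


def parse_response(raw):
    """Split a raw response into (status line, [(name, value), ...]).
    Names are lower-cased; a list is kept because Set-Cookie repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")  # first colon only
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def values(headers, name):
    """All values of one header, in the order they were sent."""
    return [v for n, v in headers if n == name]


def parse_csp(policy):
    """'default-src 'self'; script-src *' -> {'default-src': ["'self'"], 'script-src': ['*']}"""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit(raw):
    """Return the list of findings for one response; empty means clean."""
    _, headers = parse_response(raw)
    findings = []

    hsts = values(headers, "strict-transport-security")
    if not hsts:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts[0].lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = values(headers, "content-security-policy")
    directives = parse_csp(csp[0]) if csp else {}
    if not csp:
        findings.append("CSP missing")
    else:
        # script-src falls back to default-src when it is not given
        script = directives.get("script-src", directives.get("default-src", []))
        if "*" in script or "'unsafe-inline'" in script:
            findings.append("CSP script-src allows any host or inline script")

    xfo = values(headers, "x-frame-options")
    if xfo and xfo[0].upper().startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is unsupported; use CSP frame-ancestors")
    elif not xfo and "frame-ancestors" not in directives:
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")

    xss = values(headers, "x-xss-protection")
    if xss and xss[0].strip() != "0":
        findings.append("X-XSS-Protection enabled; deprecated filter, send 0 or drop the header")

    cto = values(headers, "x-content-type-options")
    if not cto or cto[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")

    if not values(headers, "referrer-policy"):
        findings.append("Referrer-Policy missing")

    for cookie in values(headers, "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            findings.append(f"cookie {name} lacks {', '.join(missing)}")

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit(raw)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

To audit a live server, feed it the output of curl -si https://host/ (curl -i keeps the CRLF line endings the parser expects); checking an error page and a redirect as well as a 200 shows whether the Header always / add_header ... always advice above was followed.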
