Security Headers

I still use Apache as a web server because of the vast amount of documentation on the web. Something I’ve overlooked for a long time is security headers. The more I read about security breaches on other sites, the more paranoid I get about the sites I have on the internet.

Enabling Apache security headers is pretty straightforward. First, enable the Apache headers module:

sudo a2enmod headers

And restart Apache so the module is loaded:

sudo systemctl restart apache2

You may wish to go into each individual virtual host to enable specific headers for specific sites, but in my case I’m going to edit the main Apache config, which affects every website running on the server.

Open the Apache config:

sudo nano /etc/apache2/apache2.conf

And add the headers required. There are drawbacks to certain rules, so be careful with what you enable. I don’t have every header enabled, as certain headers break WordPress and other web software.

Here are the headers I use. Bear in mind that these may not work for your configuration, so your mileage may vary!

# Allow the site to be framed only by pages from the same origin (clickjacking mitigation)
Header set X-Frame-Options "SAMEORIGIN"
# Tell browsers to use HTTPS only for this host for the next two years (63072000 seconds)
Header always set Strict-Transport-Security "max-age=63072000"
# Send the Referer header only on same-origin requests
Header always set Referrer-Policy "same-origin"
# Stop browsers from MIME-sniffing away from the declared Content-Type
Header set X-Content-Type-Options "nosniff"
# Append the HttpOnly and Secure flags to every Set-Cookie the application emits
Header edit Set-Cookie "^(.*)$" "$1;HttpOnly;Secure"
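Once the headers are in place it is worth checking what the server actually sends. As an added example (not from the original post), here is a small Python checker that audits a response for the five headers set above; the sample response and the one-year HSTS threshold are constructed assumptions, and `fetch_raw_headers` is only used when a URL is passed on the command line:

```python
import re
import sys
import urllib.request
from email.parser import Parser

# Constructed sample: roughly what a server running the config above returns.
SAMPLE_RESPONSE_HEADERS = """\
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000
Referrer-Policy: same-origin
X-Content-Type-Options: nosniff
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure
Set-Cookie: prefs=dark; Path=/
"""

MIN_HSTS_AGE = 31536000  # assumed threshold: one year, a common recommendation

def audit_security_headers(raw_headers: str) -> dict:
    """Return {check: (ok, detail)} for each header the config sets."""
    msg = Parser().parsestr(raw_headers)  # RFC 822-style parse keeps repeated Set-Cookie
    findings = {}
    xfo = msg.get("X-Frame-Options", "")
    findings["x-frame-options"] = (xfo.upper() in ("DENY", "SAMEORIGIN"), xfo or "missing")
    hsts = msg.get("Strict-Transport-Security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    age = int(m.group(1)) if m else 0
    findings["strict-transport-security"] = (age >= MIN_HSTS_AGE, hsts or "missing")
    rp = msg.get("Referrer-Policy", "")
    findings["referrer-policy"] = (rp not in ("", "unsafe-url"), rp or "missing")
    xcto = msg.get("X-Content-Type-Options", "")
    findings["x-content-type-options"] = (xcto.lower() == "nosniff", xcto or "missing")
    # The 'Header edit' rule above should leave no cookie without both flags.
    cookies = msg.get_all("Set-Cookie", [])
    weak = [c.split(";")[0] for c in cookies
            if not re.search(r";\s*httponly\b", c, re.I) or not re.search(r";\s*secure\b", c, re.I)]
    findings["set-cookie-flags"] = (not weak, "weak: " + ", ".join(weak) if weak else f"{len(cookies)} cookie(s) ok")
    return findings

def fetch_raw_headers(url: str) -> str:
    """Fetch a URL and return its response headers as text (needs network access)."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.as_string()

if __name__ == "__main__":
    raw = fetch_raw_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE_HEADERS
    for check, (ok, detail) in audit_security_headers(raw).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}: {detail}")
```

Run it with no arguments to see the constructed sample audited, where the second cookie fails because it lacks both flags.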

If you’re unsure about which headers to enable, there are free web tools out there that will give you an explanation of what each header does and instructions on how to enable it. My favourite is