Apache – How to setup the httpd.conf file to send HTTP Security Headers with your web site (and score an A on securityheaders.io) How to setup the httpd.conf to secure all your Apache-hosted websites with the required HTTP Security Headers and get A rate from securityheaders.io scan.

IIS - How to setup the web.config file to send HTTP Security Headers with your web site (and score an A on securityheaders.io)

We already explained the basics about HTTP Security Headers in this previous post: it’s now time to put these concepts into action and implement them within our Apache-based web site so we can protect our valuable web sites from most hideous threats.

If you need to do that with a Windows + IIS-enabled web server, read here instead; to do that with Nginx, read here instead.

The first thing we should do is check our website before making any change, to get a grip of how things currently are. Here are some websites that we can use to scan our web site:

Our personal favourite is the first one, as it also has a nice rating system that might help us to understand how protected we are (or not). If your website has no security headers, you’ll most likely end up with a severe F rating, just like the following screenshot:

Apache - How to setup the httpd.conf file to send HTTP Security Headers with your web site (and score an A on securityheaders.io)

We know, this is our site! We temporarily deactivated everything to be able to get a screenshot that could show the worst possible outcome. If that’s your scenario as well, don’t worry: you’re 1 minute away from ranking up to A !

Here’s the relevant snippet to place within your    file:

That’s about it. These settings are loose enough for most web sites while keeping a strong level of security: you shouldn’t have issues with any standard website based upon WordPress, Joomla, Drupal and so on. You can put these lines at the   root level, so that the headers will be applied to all the web sites served by Apache, or inside a   entry in case you want to apply them to a single web site / virtual host.

In case you need a more relaxed content security policy – for example, if you have media, applets or unsafe scripts & styles – you can tweak that specific line. Here’s an example accepting basically everything:

Don’t get us wrong, we’re not suggesting using it in any way! However, whenever a given scenario would force us to accept anything, having a super-permissive policy it’s still better than having none.

And here’s our scan after implementing all of the above:

Apache - How to setup the httpd.conf file to send HTTP Security Headers with your web site (and score an A on securityheaders.io)

That’s it! In case you need to do the same with a Windows + IIS-enabled web server, read here instead; to do that with Nginx, read here instead.

I sincerely hope that this post will help you to improve the security level of your web site as well.

 

About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 it's also a lead designer for many App and games for Android, iOS and Windows Phone mobile devices for a number of italian companies. Microsoft MVP for Development Technologies since 2018.

View all posts by Ryan

0 Comments on “Apache – How to setup the httpd.conf file to send HTTP Security Headers with your web site (and score an A on securityheaders.io) How to setup the httpd.conf to secure all your Apache-hosted websites with the required HTTP Security Headers and get A rate from securityheaders.io scan.

  1. Pingback: IIS - Setup web.config to send HTTP Security Headers for your Web Site
  2. Pingback: HTTP Security Headers overview and setup guide for IIS, Apache, Nginx

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.