HTTP Security Headers

How to Prevent Website by implementing HTTP Security Header

According to the security best practice, its very important to configure security headers as an additional layer of security to protect our website to get hacked.

Below are some descriptions and the recommendation to implement HTTP Security Headers.

Before implementation, please check the website should be in HTTPS otherwise it might blocked. Once the implementation has been done you can also check or verify the headers with the below provided URL:

Ensure that the Mod_header must be enabled to implement these heads in APACHE.

LoadModule headers_module modules/

Lets Begin😊

HTTP Strict Transport Security

HSTS (HTTP Strict Transport Security) header to ensure that all communication happened from a browser is sent over HTTPS.

max-age=<expire-time>: The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS. Max-age=3153600(1 year)

includeSubDomains (Optional) :If this optional parameter is specified, this rule applies to all of the site’s subdomains as well.

preload (Optional): The service is hosted by Google, all browsers have stated an intent to use (or actually started using) the preload list. it is not part of the HSTS specification and should not be treated as official.


Strict-Transport-Security: max-age=<expire-time>

Strict-Transport-Security: max-age=<expire-time>; includeSubDomains

Strict-Transport-Security: max-age=<expire-time>; preload

Apache HTTP Server

You can implement HSTS in Apache by Opening the <Apache>/conf/httpd.conf file in a text editor.

Uncomment the header module:

LoadModule headers_module modules/

Add a header:

Header set Strict-Transport-Security “max-age=31536000; includeSubDomains; preload”


Header always set Strict-Transport-Security “max-age=63072000; includeSubdomains; preload”

Restart Apache


Open the <Tomcat>/conf/web.xml file in a text editor.

Uncomment the httpHeaderSecurity filter definition and the <filter-mapping> section, and then add the hstsMaxAgeSeconds parameter, as shown below.









Save the file & Restart Tomcat.


To configure HSTS in Nginx, add the entry in nginx.conf under server (SSL) directive

add_header Strict-Transport-Security ‘max-age=31536000; includeSubDomains; preload’;

restart Nginx


For Cloudflare, you can enable HSTS with below implementation:

Log in to Cloudflare and select the site

Go to the “Crypto” tab and click “Enable HSTS.”

click on save and it set.

Microsoft IIS

Open IIS Manager and add the header by going to “HTTP Response Headers”.

Click ok and restart the server.


X-Frame-Options header is used to prevent clickjacking attack on your website. By implementing this header, the browser will not embed your web page in iframe.


X-Frame-Options: DENY

X-Frame-Options: SAMEORIGIN

DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so.

SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.

ALLOW-FROM uri: This is an obsolete directive that no longer works in modern browsers. Don’t use it. In supporting legacy browsers, a page can be displayed in a frame only on the specified origin URI.


Add the below line in httpd.conf and restart the webserver.

Header always append X-Frame-Options SAMEORIGIN


Header always set X-Frame-Options “SAMEORIGIN”


Header set X-Frame-Options “SAMEORIGIN”


Add the below line in nginx.conf under server directive/block.

add_header X-Frame-Options “SAMEORIGIN”;


Create an iRule




Now restart to apply


Add the below in a wp-config.php file or you can also use the WP plugins.

header(‘X-Frame-Options: SAMEORIGIN);

Microsoft IIS

You configure IIS to send the X-Frame-Options header, add this in Web.config file




<add name=”X-Frame-Options” value=”SAMEORIGIN” />





Add the header by going to “HTTP Response Headers”.

click ok and restart.


The X-Content-Type-Options response HTTP header is used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed or in simple it prevent MIME security risk. The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured.

no sniff: Blocks a request if the request destination is of type style and the MIME type is not text/css, or of type script


You can do this by adding the below line in httpd.conf file

Header set X-Content-Type-Options nosniff


Header always set X-Content-Type-Options nosniff

restart the Apache server.


Add the below line in nginx.conf file under server block.

add_header X-Content-Type-Options nosniff;

restart the server

Microsoft IIS

You can do this in Web.config but IIS Manager is just as easy.

Open IIS Manager and on the left hand tree, left click the site you would like to manage.

Double click the “HTTP Response Headers” icon.Right click the header list and select “Add”

For the “name” write “X-Content-Type-Options” and for the value “nosniff”

Click OK and Restart

Content Security Policy

Content Protection Policy (CSP) is a security standard that provides an additional layer of protection from cross-site scripting (XSS), clickjacking, and other code injection attacks. CSP instruct browser to load allowed content to load on the website.


Content-Security-Policy: default-src ‘self’ *

Content-Security-Policy: default-src *; script-src * *


Add the below line in httpd.conf file and restart the webserver

Header set Content-Security-Policy “default-src ‘self’;”


Header always set Content-Security-Policy “default-src ‘self’;”


Add the below line in nginx.conf file

add_header Content-Security-Policy “default-src ‘self’;”;

Microsoft IIS

Go to HTTP Response Headers for your respective site in IIS Manager and add the following


Use GUI or add the below in your web.config:

<add name="Content-Security-Policy" value="default-src 'self';" />



It is simply a user-defined set of permitted data access rules encapsulated in a crossdomain. xml file. It is only viable on servers that communicate via HTTP, HTTPS, or FTP. A cross-domain policy file is an XML document that grants a web client permission to handle data across one or more domains.


Add the below line in httpd.conf

Header set X-Permitted-Cross-Domain-Policies “none”


Add the following in nginx.conf under server block.

add_header X-Permitted-Cross-Domain-Policies master-only;


Referrer-Policy is a security header that can (and should) be included on communication from your website’s server to a client. The Referrer-Policy tells the web-browser how to handle referrer information that is sent to websites when a user clicks a link that leads to another page or website.


Referrer-Policy: no-referrerReferrer-Policy: no-referrer-when-downgradeReferrer-Policy: originReferrer-Policy: origin-when-cross-originReferrer-Policy: same-originReferrer-Policy: strict-originReferrer-Policy: strict-origin-when-cross-originReferrer-Policy: unsafe-url


Add the followingline in httpd.conf if you want to set no-referrer.

Header set Referrer-Policy “no-referrer”

Restart the server


Add the below Line:

add_header Referrer-Policy same-origin;

Restart it again.

Microsoft IIS

On the site pane, under IIS, double-click HTTP Response Headers.

Name: Permissions-Policy

Value: “vibrate ‘none’


Permission Policy header is a security header that controls which browser features can be used. Besides implementing these rules for your own content it can also prevent external iframes from using these browser features, making it a powerful header to secure your site.


Add the below line in httpd.conf file

Header always set Permissions-Policy “fullscreen ‘none’ “


Header set Permissions-Policy “fullscreen ‘none’ “


Header always set Permissions-Policy “fullscreen ‘none’; microphone ‘none’”

Restart Apache


Add the following in nginx.conf under server block.

add_header Permissions-Policy “vibrate ‘none’;”;

for disable geo location, camer & speaker:

add_header Permissions-Policy “geolocation ‘none’; camera ‘none’; speaker ‘none’;”;

Restarting Nginx

Microsoft IIS

On the site pane, under IIS, double-click HTTP Response Headers.

Now follow the below image to add security header


Thanks for reading and I hope it helps in implementation 😊



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store