You can implement XSS protection using the three options depending on the specific need. This header stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. XSS Filter is enabled by default in modern web browser such as, Chrome, IE, and Safari. X-XSS also known as Cross Site Scripting header is used to defend against Cross-Site Scripting attacks. Note: If you want to apply these headers to specific files, please add the add_header line in location block (Nginx) or Header set line in filesMatch block (Apache). You can also implement CSP in Nginx by adding the following entry in /etc/nginx/sites-enabled/nf file:Īdd_header Content-Security-Policy "default-src 'self' font-src * img-src * data: script-src * style-src *"
Header always set Content-Security-Policy "default-src 'self' font-src * img-src * data: script-src * style-src * " You can implement CSP in Apache by adding the following entry in /etc/apache2/sites-enabled/nf file:
All major browsers currently offer full or partial support for content security policy. CSP instruct browser to load allowed content to load on the website. It is very powerful header aims to prevent XSS and data injection attacks. The Content-Security-Policy header is an improved version of the X-XSS-Protection header and provides an additional layer of security.
Save the file then restart Nginx to implement the changes. You can also implement HSTS in Nginx by adding the following entry in /etc/nginx/sites-enabled/nf file:Īdd_header Strict-Transport-Security 'max-age=31536000 includeSubDomains preload' Save the file then restart the Apache service to apply the changes. Header set Strict-Transport-Security "max-age=31536000 includeSubDomains preload" You can implement HSTS in Apache by adding the following entry in /etc/apache2/sites-enabled/nf file: This is because an attacker may intercept HTTP connections and inject the header or remove it. The Strict-Transport-Security header is ignored by the browser when your website is accessed over HTTP. Currently all major web browsers support HTTP strict transport security. This will prevents web browsers from accessing web servers over non-HTTPS connections. This header instructs a user agent to only use HTTPs connections and it also declared by Strict-Transport-Security. So if you add headers inside any location, files will apply only headers inside location block and global headers will not works for these types of files. There are six most important security headers that you should be aware of and we recommend implementing if possible.īe careful, these headers are applying globaly in server if you want to change to specific files please add headers inside a location (nginx) or filesMatch (apache) block. These headers will help you to outline communication and improve web security. When you use the web and interacts with websites, your browser stores its information.
It also tell your browser how to behave when handling your website's content. These headers contains meta data, status error codes, cache rules and more. The web server then responds with HTTP Response Headers. When you visit any website from your web browser, your browser requests it from the web server where the web site is hosted on. HTTP security headers are very important part of website security as it protect you against different types of attacks including, XSS, SQL injection, clickjacking, etc. How to configure Security Headers in Nginx and Apache.Setting Cache control headers for common content types Nginx and Apache.