Implement http security headers on webserver

Md. Mahim Bin Firoj
3 min readSep 18


Nowadays more websites are compromised and the data are exposed to the hackers or in the dark web. Most of these incidents are due to misconfiguration or lack of protection from the server or system team. Because from the system side they just want for the website to work only. Security is not their concern. As a result they open very silly silly flaws which could lead dangerous thing in future.

Also in PCI DSS ASV vulnerabilities mitigation, we need to implement http security headers feature to mitigate some of the common web related vulnerabilities.

We will implement some security features on our server side and based on that client browser will commucate with us securely.

The following are the websites to check whether you have implemented security headers properly or not:

Implementing HTTP Security Headers in Apache or Lightspeed

First backup your .htaccess file. We are doing this on Apache 2.4 server.

We can either implement it via the /etc/httpd/conf/httpd.conf (service restart required) file or .htaccess file. Here we are implementing via .htaccess file.

Before going for it, apply it on your demo server and check everything works fine or not. Then apply in production.

Header always set Strict-Transport-Security "max-age=31536000;"
Header always set x-xss-protection "1; mode=block"
Header always set x-frame-options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Cache-Control "max-age=2628000, public"
Header always set Referrer-Policy "no-referrer-when-downgrade"
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set Permissions-Policy "geolocation=(); midi=();notifications=();>

Go to your /var/www/webserverdirectory and open .htaccess file. Then place the above line of codes there.

Make sure you have headers installed in your web server if you have access to it.

Implementing HTTP Security Headers in NGINX

Add the following Lines to your nginx.conf file (usually located /etc/nginx/nginx.conf). Be sure to check the details of the lines to be sure these are the policies you wish to restrict.

add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
add_header X-Frame-Options 'deny';
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "img-src 'self' data:;";
add_header X-Permitted-Cross-Domain-Policies master-only;
add_header Referrer-Policy same-origin;
add_header Permissions-Policy "vibrate 'none';";
add_header Clear-Site-Data "cookies";

Implementing security headers on your website or webserver will prevent attackers from probing your server to see if there are any vulnerablities they can exploit. As well, it will prevent giving the hackers more information about your network, which then they can continue to probe further, looking for a security hole to exploit.

Reference links:

Thanks. Please Subscribe below.





Md. Mahim Bin Firoj