Deploying security headers involves configuring the web server to include specific HTTP response headers in its responses. The process varies depending on the web server software being used (e.g., Apache, Nginx, Microsoft IIS) and the server’s configuration.
Five Steps to Deploy Security Headers
Here are the general steps for deploying security headers:
- Identify the web server software being used, and which configuration file actually serves the site
- Understand the security header options and what each one protects against
- Configure the headers in the server configuration (HSTS belongs on the HTTPS virtual host only)
- Test the configuration: run the server's syntax check, then inspect live responses, including error pages
- Adjust and monitor, for example by rolling a Content-Security-Policy out in report-only mode before enforcing it
General Web Server Configurations
Where you configure the headers depends on the web server being used. The default main configuration file for each server is listed below, but both servers usually split configuration across included files, so confirm which file the site's virtual host is defined in before editing:
Server type | Default configuration file
---|---
Apache | httpd.conf (apache2.conf plus sites-available/ on Debian/Ubuntu; .htaccess where AllowOverride permits it)
NGINX | nginx.conf (commonly including files from conf.d/ or sites-enabled/)
Configure Apache
If using Apache, add the appropriate directive to httpd.conf or to the site's virtual host file. The Header directive is provided by mod_headers, so the module must be loaded first (a2enmod headers on Debian/Ubuntu). Without it, Header is a configuration error that apachectl configtest reports; wrapping the directives in <IfModule mod_headers.c> avoids that error but then silently omits the headers when the module is absent, so verify them in a live response either way. Here is an example using Strict-Transport-Security (HSTS). Set it only in the HTTPS virtual host, because browsers ignore HSTS received over plain HTTP, and add preload only once you are ready to submit the domain to the browser preload list, since that is hard to reverse:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Here is an example of multiple headers in Apache. The always condition makes Apache add the headers to every response, including 4xx and 5xx error pages, which a plain Header set would skip:
<IfModule mod_headers.c>
# Enable Strict-Transport-Security (HSTS); HTTPS virtual host only
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Enable Content-Security-Policy (CSP); adjust the source lists to what the site actually loads,
# and trial a new policy as Content-Security-Policy-Report-Only before enforcing it
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' example.com;"
# Enable X-Content-Type-Options; stops browsers MIME-sniffing a response away from its declared Content-Type
Header always set X-Content-Type-Options "nosniff"
# Enable X-Frame-Options; DENY blocks all framing (clickjacking). CSP frame-ancestors supersedes it in modern browsers
Header always set X-Frame-Options "DENY"
# Enable X-XSS-Protection; legacy header for the browser XSS auditor, which current browsers have removed.
# Modern guidance is to set it to "0" or omit it
Header always set X-XSS-Protection "1; mode=block"
</IfModule>
Configure NGINX
If using NGINX, add the add_header directive to nginx.conf, or to the site's included file under conf.d/ or sites-enabled/. The trailing always parameter (NGINX 1.7.5 and later) makes the header appear on every status code rather than only on 2xx and 3xx responses. One NGINX-specific pitfall: add_header directives are inherited from the enclosing server block only if the location block has no add_header of its own; a single add_header inside a location replaces all of the inherited ones, so either repeat the full set there or include them from a shared snippet file. Here is an example using Strict-Transport-Security (HSTS):
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
Here is an example of multiple headers in NGINX. The headers are set on the HTTPS server block, because HSTS is ignored on plain-HTTP responses; a separate server block listening on port 80 should simply redirect to HTTPS:
server {
    listen 443 ssl;
    server_name example.com;
    # ... ssl_certificate, ssl_certificate_key and other TLS settings ...
    # Add security headers; "always" includes them on 4xx/5xx error responses too
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' example.com;" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    # Legacy header: removed from current browsers; modern guidance is "0" or omit it
    add_header X-XSS-Protection "1; mode=block" always;
    # ... other NGINX configuration settings ...
}
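The "Test Configuration" step is where most header deployments go wrong: the header is set on the 200 page but missing on error pages (no always), duplicated because both the application and the server set it, or weakened by a short HSTS max-age. The script below is an added example, not code from the original article, that audits a captured HTTP response head for exactly the headers configured above. The three response heads are constructed sample input (a complete 200, a 404 from a server whose add_header lines lacked always, and a 200 with a weak policy); the one-year HSTS threshold and the MISSING/WEAK/DUPLICATE/DEPRECATED labels are this example's own conventions.

```python
"""Audit the security headers in a captured HTTP response head.

Added example, not part of the original article. Sample responses below are
constructed; feed it real output from `curl -sI https://example.com` to audit
a live server, and audit an error page (e.g. a 404 URL) as well.
"""
import re

ONE_YEAR = 31536000  # seconds; the max-age used in the article's HSTS examples


def parse_response_head(raw):
    """Split a raw HTTP/1.x response head into (status_code, headers).

    Header names are lower-cased; values are kept in a list so a header that
    is emitted twice (e.g. by both the app and the web server) is detectable.
    """
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_headers(raw):
    """Return a list of findings; an empty list means every check passed."""
    _status, h = parse_response_head(raw)
    findings = []

    # Duplicates usually mean two layers (app framework + server) both set the header
    for name, values in h.items():
        if len(values) > 1:
            findings.append(f"DUPLICATE {name}: set {len(values)} times")

    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append("MISSING Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("WEAK Strict-Transport-Security: max-age below one year")

    csp = h.get("content-security-policy")
    if not csp:
        findings.append("MISSING Content-Security-Policy")
    elif "default-src" not in csp[0]:
        findings.append("WEAK Content-Security-Policy: no default-src fallback")

    xcto = h.get("x-content-type-options")
    if not xcto or xcto[0].lower() != "nosniff":
        findings.append("MISSING X-Content-Type-Options: nosniff")

    xfo = h.get("x-frame-options")
    if not xfo or xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("MISSING X-Frame-Options: DENY or SAMEORIGIN")

    # The legacy XSS auditor is gone from current browsers; "1" is no longer recommended
    xss = h.get("x-xss-protection")
    if xss and xss[0].strip().startswith("1"):
        findings.append("DEPRECATED X-XSS-Protection: legacy auditor enabled; set to 0 or remove")

    return findings


# Constructed sample responses (not captured from any real server)
GOOD_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' example.com;\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)

# What an error page looks like when add_header lines lack "always"
ERROR_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Headers present but weak: short HSTS, CSP without default-src, duplicated X-Frame-Options
WEAK_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: script-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("200 OK", GOOD_200), ("404 error page", ERROR_404), ("weak 200", WEAK_200)):
        print(f"{label}:")
        for finding in audit_headers(raw) or ["OK: all checks passed"]:
            print("  " + finding)
```

Run it against a live server by saving `curl -sI https://example.com` to a file and passing the file contents to audit_headers; repeat for a URL that returns 404 or 500, since that is the response where a missing always shows up.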