How to fix website security headers using .htaccess file
To fix website security headers using the .htaccess file, add the following code snippets to the .htaccess file located in the root directory of your website. These directives need Apache's mod_headers module; if it is not enabled, Apache answers every request with a 500 error, so wrap the block in <IfModule mod_headers.c> ... </IfModule> when you are not sure it is loaded. The always keyword makes a header apply to error responses as well as successful ones.

- Implement Content Security Policy (CSP) header ('unsafe-inline' in script-src lets inline scripts run and so weakens the XSS protection; tighten it once your pages no longer need inline scripts):
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';"
- Implement HTTP Strict Transport Security (HSTS) header (only add preload once the site and every subdomain serve HTTPS, because removal from the browser preload lists is slow):
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
- Implement X-XSS-Protection header (this header is deprecated and current browsers ignore it; CSP is its replacement):
Header always set X-XSS-Protection "1; mode=block"
- Implement X-Frame-Options header:
Header always set X-Frame-Options "SAMEORIGIN"
- Implement X-Content-Type-Options header:
Header always set X-Content-Type-Options "nosniff"
- Implement Referrer-Policy header:
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Note: These are just a few security headers you can implement. Depending on your website and security requirements, you may need to implement additional headers.
A second, shorter variant that also adds a Permissions-Policy header and forces the HttpOnly, Secure and SameSite flags onto every cookie the server sets. X-Frame-Options uses set rather than append here: append adds a second value when the application already sends the header, and "SAMEORIGIN, SAMEORIGIN" is not a valid value. SameSite=Strict means the cookie is not sent on cross-site navigations (a user following a link from an e-mail arrives logged out); SameSite=Lax is the usual compromise if that breaks your login flow.

Header set Content-Security-Policy "upgrade-insecure-requests"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Permissions-Policy "geolocation=self"
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
Once you have added these headers to your .htaccess file, save the changes and upload the file to your server. Then you can use a tool like Security Headers to check whether the headers are being implemented correctly.
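The check that such a tool performs can also be run locally. The script below is an added example, not part of the original article or of any named tool: it audits a set of response headers for the headers configured above (presence, valid values, an HSTS max-age of at least a year, and the HttpOnly/Secure/SameSite flags on cookies) and flags the X-Frame-Options duplication that Header append causes. The two sample header sets, the fetch_headers helper and the status names ok/warn/fail are this example's own constructions.

```python
"""Audit HTTP response headers for the hardening headers set in the .htaccess snippets."""
import re
from urllib.request import Request, urlopen

ONE_YEAR = 31536000  # seconds, the max-age used in the HSTS directives above

# Referrer-Policy tokens defined by the W3C spec; anything else is a typo or unsupported
KNOWN_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}


def _group(headers):
    """Group header values by lower-cased name; Set-Cookie legitimately repeats."""
    items = headers.items() if isinstance(headers, dict) else headers
    grouped = {}
    for name, value in items:
        grouped.setdefault(name.lower(), []).append(value.strip())
    return grouped


def audit_headers(headers):
    """Return {header: (status, detail)}; headers is a dict or a list of (name, value)."""
    h = _group(headers)

    def first(name):
        return h.get(name, [None])[0]

    report = {}
    # CSP: must exist; 'unsafe-inline' in script-src lets injected inline scripts run
    csp = first("content-security-policy")
    if csp is None:
        report["Content-Security-Policy"] = ("fail", "header missing")
    elif re.search(r"script-src[^;]*'unsafe-inline'", csp):
        report["Content-Security-Policy"] = ("warn", "script-src allows 'unsafe-inline'")
    else:
        report["Content-Security-Policy"] = ("ok", csp)

    # HSTS: max-age of at least a year plus includeSubDomains, as in the snippets
    hsts = first("strict-transport-security")
    if hsts is None:
        report["Strict-Transport-Security"] = ("fail", "header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            report["Strict-Transport-Security"] = ("warn", f"max-age {age} is below one year")
        elif "includesubdomains" not in hsts.lower():
            report["Strict-Transport-Security"] = ("warn", "includeSubDomains not set")
        else:
            report["Strict-Transport-Security"] = ("ok", hsts)

    # X-Frame-Options: only DENY or SAMEORIGIN are valid; "SAMEORIGIN, SAMEORIGIN"
    # (Header append on top of an application-set header) is rejected by browsers
    xfo = first("x-frame-options")
    if xfo is None:
        report["X-Frame-Options"] = ("fail", "header missing")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        report["X-Frame-Options"] = ("fail", f"invalid value {xfo!r}")
    else:
        report["X-Frame-Options"] = ("ok", xfo)

    # X-Content-Type-Options: the only meaningful value is nosniff
    xcto = first("x-content-type-options")
    ok = xcto is not None and xcto.lower() == "nosniff"
    report["X-Content-Type-Options"] = ("ok", xcto) if ok else ("fail", "missing or not 'nosniff'")

    # Referrer-Policy: comma-separated fallback list; every token must be a known policy
    rp = first("referrer-policy")
    tokens = [t.strip().lower() for t in rp.split(",")] if rp else []
    if not tokens or any(t not in KNOWN_REFERRER_POLICIES for t in tokens):
        report["Referrer-Policy"] = ("fail", "missing or unknown policy token")
    else:
        report["Referrer-Policy"] = ("ok", rp)

    # X-XSS-Protection is deprecated and ignored by current browsers; CSP replaces it
    xxp = first("x-xss-protection")
    if xxp is not None and xxp != "0":
        report["X-XSS-Protection"] = ("warn", "deprecated header; rely on CSP instead")

    # Set-Cookie: every cookie needs the HttpOnly, Secure and SameSite attributes
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {p.strip().split("=", 1)[0].lower() for p in cookie.split(";")[1:]}
        missing = [f for f in ("httponly", "secure", "samesite") if f not in attrs]
        report[f"Set-Cookie:{name}"] = ("ok", cookie) if not missing else ("fail", "missing " + ", ".join(missing))
    return report


def fetch_headers(url):
    """Fetch live response headers with a HEAD request (not used in the offline demo)."""
    with urlopen(Request(url, method="HEAD"), timeout=10) as resp:
        return resp.getheaders()


# Constructed sample responses: one matching the .htaccess above, one with common mistakes
SAMPLE_GOOD = [
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"),
]
SAMPLE_BAD = [
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("Strict-Transport-Security", "max-age=3600"),
    ("X-Frame-Options", "SAMEORIGIN, SAMEORIGIN"),
    ("Set-Cookie", "session=abc123; Path=/"),
]

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        for header, (status, detail) in audit_headers(sample).items():
            print(f"[{label}] {status:4} {header}: {detail}")
```

To audit a live site after uploading the .htaccess, pass the result of fetch_headers("https://your-site.example/") to audit_headers; because the list form is exactly what HTTPResponse.getheaders() returns, repeated Set-Cookie headers are all checked rather than only the last one.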