How to fix website security headers using .htaccess file

To add security headers to your website through its .htaccess file, place the following directives in the .htaccess file located in the root directory of your site (Apache's mod_headers module must be enabled, or the directives will not take effect):

  1. Implement Content Security Policy (CSP) header:

         Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';"

  2. Implement HTTP Strict Transport Security (HSTS) header:

         Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  3. Implement X-XSS-Protection header:

         Header always set X-XSS-Protection "1; mode=block"

  4. Implement X-Frame-Options header:

         Header always set X-Frame-Options "SAMEORIGIN"

  5. Implement X-Content-Type-Options header:

         Header always set X-Content-Type-Options "nosniff"

  6. Implement Referrer-Policy header:

         Header always set Referrer-Policy "strict-origin-when-cross-origin"

Note: These are just a few security headers you can implement. Depending on your website and security requirements, you may need to implement additional headers.

Alternatively, the following combined snippet sets the same headers in one block, adds a Permissions-Policy header, and edits every outgoing Set-Cookie header so that cookies carry the HttpOnly, Secure and SameSite=Strict flags:

    # Guard the block so Apache does not fail with a 500 error if mod_headers is not loaded.
    <IfModule mod_headers.c>
    # "always" applies a header to error responses too; without it only 2xx responses get it.
    Header set Content-Security-Policy "upgrade-insecure-requests"
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header set X-XSS-Protection "1; mode=block"
    # "set" replaces any existing value; "append" would produce "SAMEORIGIN, SAMEORIGIN" if the application already sends the header, which browsers ignore.
    Header always set X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options "nosniff"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header set Permissions-Policy "geolocation=self"
    # Appends the three cookie flags to every Set-Cookie header, including ones on error responses.
    Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
    </IfModule>


Once you have added these directives to your .htaccess file, save it and upload it to the root directory of your server. Then use a tool such as Security Headers to check that the headers are actually being sent with your site's responses.
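As an added example that is not part of the original post, the following Python checker parses a captured HTTP response header block and flags each of the headers configured above when it is missing or weak; the sample block is constructed to match the first snippet, and the one finding it reports illustrates the caveat in that snippet: `script-src 'unsafe-inline'` lets injected inline scripts run, so the CSP does little against XSS.

```python
import re

# Constructed sample: the headers a server sends after applying the first snippet above.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: PHPSESSID=abc123; path=/;HttpOnly;Secure;SameSite=Strict
"""

def parse_headers(raw):
    """Parse a raw header block into {lowercased name: [values]}; the status line is skipped."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check_security_headers(raw):
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw)
    first = lambda name: h.get(name, [None])[0]  # first value of a header, or None
    findings = []
    csp = first("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    elif re.search(r"script-src[^;]*'unsafe-inline'", csp):
        findings.append("CSP allows inline scripts (script-src 'unsafe-inline')")
    m = re.search(r"max-age=(\d+)", first("strict-transport-security") or "")
    if not m:
        findings.append("Strict-Transport-Security missing or lacks max-age")
    elif int(m.group(1)) < 31536000:  # one year, as in the snippet above
        findings.append("HSTS max-age below one year")
    if (first("x-frame-options") or "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if first("referrer-policy") is None:
        findings.append("Referrer-Policy missing")
    for cookie in h.get("set-cookie", []):
        # Attributes after the name=value pair, compared case-insensitively by name.
        flags = {p.strip().split("=")[0].lower() for p in cookie.split(";")[1:]}
        for flag in ("httponly", "secure", "samesite"):
            if flag not in flags:
                findings.append(f"Set-Cookie lacks {flag}: {cookie.split('=')[0]}")
    return findings
```

To run it against your own site, pass it the output of `curl -sI https://your-site.example/` instead of the constructed sample.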
