Last updated on 25th October 2020
I still use Apache as my web server because of the vast amount of documentation available for it, but one thing I overlooked for a long time is security headers. The more I read about breaches on other sites, the more paranoid I get about the sites I have on the internet.
Enabling Apache security headers is straightforward. First, enable the Apache headers module:
sudo a2enmod headers
Then restart Apache so the new module is loaded:
sudo systemctl restart apache2
You may wish to go into each individual virtual host and enable specific headers for specific sites, but in my case I'm going to edit the main Apache config, which affects every website running on the server.
Open the Apache config:
sudo nano /etc/apache2/apache2.conf
And add the headers you require. There are drawbacks to certain headers, so be careful with what you enable: I don't have every header enabled, because some of them break WordPress and other web software.
Here are the headers I use; bear in mind that they may not suit your configuration, so your mileage may vary!
Header set X-Frame-Options "SAMEORIGIN"
Header always set Strict-Transport-Security "max-age=63072000"
Header always set Referrer-Policy "same-origin"
Header set X-Content-Type-Options "nosniff"
Header edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
A few things to watch. A plain "Header set" only adds the header to successful (2xx/3xx) responses, so your 404 and 500 pages go out without X-Frame-Options unless you use "Header always set" for those too. Only send Strict-Transport-Security once HTTPS works properly on the host: with this max-age, browsers will refuse plain-HTTP connections to it for two years. The Set-Cookie rule appends HttpOnly and Secure to every cookie unconditionally, which is what you want for a site served only over HTTPS, but don't apply it to a site still served over plain HTTP, because browsers will then reject the Secure cookies.
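To confirm the headers actually reach the browser once the config is checked and reloaded (sudo apachectl configtest, then sudo systemctl reload apache2), here is a small POSIX shell checker. It is an added example and not part of the original post; the expected-value regexes and the sample response are my own assumptions, constructed to match the header lines above rather than captured from any real server.

```shell
#!/bin/sh
# Added example (not from the original post): check that a server really sends
# the headers configured above. Reads an HTTP response header block on stdin,
# e.g. from `curl -sI https://example.com/`, prints one line per expected header
# (OK / WEAK / MISSING) and returns 0 only when every header is OK and every
# Set-Cookie carries both Secure and HttpOnly.

# Expected headers, one per line: "<name> <extended regex for the value>",
# matched case-insensitively. These are assumed policies; adjust to your own.
EXPECTED_HEADERS='x-frame-options ^(SAMEORIGIN|DENY)$
strict-transport-security max-age=[0-9]+
referrer-policy ^(same-origin|strict-origin|strict-origin-when-cross-origin|no-referrer)$
x-content-type-options ^nosniff$'

# Print the value of header $2 from header block $1: first occurrence,
# everything after the first colon, surrounding whitespace trimmed.
header_value() {
    printf '%s\n' "$1" | grep -i "^$2:" | head -n 1 | cut -d: -f2- |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Count the Set-Cookie lines in header block $1 that lack the flag $2.
# Cookie attributes are ';'-separated, so "; Secure;" and a trailing "; secure"
# both count as present. Prints 0 when there are no Set-Cookie lines at all.
cookies_without_flag() {
    printf '%s\n' "$1" | grep -i '^set-cookie:' |
        grep -Eivc ";[[:space:]]*$2([[:space:]]*;|[[:space:]]*\$)" || true
}

check_security_headers() {
    headers=$(tr -d '\r')       # read stdin, dropping the CR of CRLF endings
    problems=0

    while read -r name pattern; do
        [ -n "$name" ] || continue
        value=$(header_value "$headers" "$name")
        if [ -z "$value" ]; then
            echo "MISSING  $name"
            problems=$((problems + 1))
        elif printf '%s\n' "$value" | grep -Eiq "$pattern"; then
            echo "OK       $name: $value"
        else
            echo "WEAK     $name: $value"
            problems=$((problems + 1))
        fi
    done <<EOF
$EXPECTED_HEADERS
EOF

    # The Header edit rule above is meant to put both flags on every cookie.
    if printf '%s\n' "$headers" | grep -iq '^set-cookie:'; then
        for flag in Secure HttpOnly; do
            n=$(cookies_without_flag "$headers" "$flag")
            if [ "$n" -gt 0 ]; then
                echo "WEAK     Set-Cookie: $n cookie(s) without $flag"
                problems=$((problems + 1))
            fi
        done
    else
        echo "INFO     no Set-Cookie headers in this response"
    fi

    [ "$problems" -eq 0 ]
}

# Constructed sample response (not captured from a real server): the headers
# above are present, but the application set a cookie before the edit rule ran.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Sun, 25 Oct 2020 12:00:00 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000
Referrer-Policy: same-origin
X-Content-Type-Options: nosniff
Set-Cookie: wordpress_test_cookie=WP%20Cookie%20check; Path=/
Content-Type: text/html; charset=UTF-8'

# On a live site: curl -sI https://example.com/ | check_security_headers
printf '%s\n' "$SAMPLE_RESPONSE" | check_security_headers ||
    echo "some headers need attention"
```

Run it against an error page as well (curl -sI https://example.com/does-not-exist | check_security_headers): that is where the difference between "Header set" and "Header always set" shows up, because the plain form never reaches 4xx and 5xx responses.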
If you're unsure which headers to enable, there are free web tools that will give you an explanation of what each header does and instructions on how to enable it; my favourite is securityheaders.io