On Apache servers, .htaccess gives you great control over many important aspects of your site. .htaccess enables you to tighten security like (X-Security Header), optimize performance like (Cache Control), configure options, and much more. Also .htaccess works at the server level and can be much faster than scripted solutions.
Here are three .htaccess techniques to increase your site’s security. These techniques add extra security headers to all of your site’s resources. Specifically, this tutorial explains how to add this Headers to protect against cross-site scripting (XSS), page-framing, and content-sniffing. Adding these extra headers is simple and helps to boost the security of your site.
First up, we want to add an X-Security Header to help protect against XSS. To do soThere are four possible ways you can configure this header.
Let’s implement 1;mode=block To do so, add the following directive to your site’s root .htaccess file:
# X-XSS-Protection <IfModule mod_headers.c> Header set X-XSS-Protection "1; mode=block" </IfModule>
No modifications are required, simply copy/paste and done. This code works by adding the X-XSS-Protection header to your server responses. Most modern web browsers understand this header and will use it to help protect your site against cross-site scripting attacks.
Use X-Frame-Options header to prevent Clickjacking vulnerability on your website. By implementing this header, you instruct the browser not to embed your web page in frame/iframe. This has some limitation in browser support, so you got to check before implementing it. You can configure the following three parameters.
Now to add an X-Security Header to help protect against page-framing and clickjacking add the following directive to your site’s root .htaccess file:
# X-Frame-Options <IfModule mod_headers.c> Header always append X-Frame-Options SAMEORIGIN </IfModule>
No modifications are required, simply copy/paste and done. This code works by adding the X-Frame-Options header to your server responses. Most modern web browsers understand this header and will use it to ensure that your page can be displayed in a frame only if the frame is on the same domain.
Prevent MIME types security risk by adding this header to your web page’s HTTP response. Having this header instruct browser to consider files types as defined and disallow content sniffing. There is only one parameter you got to add “nosniff”.
To add an X-Security Header to help protect against content-sniffing add the following directive to your site’s root .htaccess file:
# X-Content-Type nosniff <IfModule mod_headers.c> Header set X-Content-Type-Options nosniff </IfModule>