Improve Security & Performance With .htaccess
US Government Site Was Hosting Ransomware
September 1, 2017
CCleaner Malware Incident – What You Need to Know and How to Remove
September 18, 2017
On Apache servers, .htaccess gives you great control over many important aspects of your site. .htaccess enables you to tighten security like (X-Security Header), optimize performance like (Cache Control), configure options, and much more. Also .htaccess works at the server level and can be much faster than scripted solutions.
Here are three .htaccess techniques to increase your site’s security. These techniques add extra security headers to all of your site’s resources. Specifically, this tutorial explains how to add this Headers to protect against cross-site scripting (XSS), page-framing, and content-sniffing. Adding these extra headers is simple and helps to boost the security of your site.
Protect against XSS attacks (X-Security Header)
First up, we want to add an X-Security Header to help protect against XSS. To do soThere are four possible ways you can configure this header.
- Parameter Value “0”: XSS filter disabled
- Parameter Value “1”: XSS filter enabled and sanitized the page if attack detected
- Parameter Value “1;mode=block”: XSS filter enabled and prevented rendering the page if attack detected
- Parameter Value “1;report=http://example.com/report_URI”: XSS filter enabled and reported the violation if attack detected
Let’s implement 1;mode=block To do so, add the following directive to your site’s root .htaccess file:
# X-XSS-Protection <IfModule mod_headers.c> Header set X-XSS-Protection "1; mode=block" </IfModule>
No modifications are required, simply copy/paste and done. This code works by adding the X-XSS-Protection header to your server responses. Most modern web browsers understand this header and will use it to help protect your site against cross-site scripting attacks.
Protect against page-framing and click-jacking (X-Security Header)
Use X-Frame-Options header to prevent Clickjacking vulnerability on your website. By implementing this header, you instruct the browser not to embed your web page in frame/iframe. This has some limitation in browser support, so you got to check before implementing it. You can configure the following three parameters.
- SAMEORIGIN: Frame/iframe of content is only allowed from the same site origin.
- DENY: Prevent any domain to embed your content using frame/iframe.
- ALLOW-FROM: Allow framing the content only on particular URI.
Now to add an X-Security Header to help protect against page-framing and clickjacking add the following directive to your site’s root .htaccess file:
# X-Frame-Options <IfModule mod_headers.c> Header always append X-Frame-Options SAMEORIGIN </IfModule>
No modifications are required, simply copy/paste and done. This code works by adding the X-Frame-Options header to your server responses. Most modern web browsers understand this header and will use it to ensure that your page can be displayed in a frame only if the frame is on the same domain.
Protect against content-sniffing (X-Security Header)
Prevent MIME types security risk by adding this header to your web page’s HTTP response. Having this header instruct browser to consider files types as defined and disallow content sniffing. There is only one parameter you got to add “nosniff”.
To add an X-Security Header to help protect against content-sniffing add the following directive to your site’s root .htaccess file:
# X-Content-Type nosniff <IfModule mod_headers.c> Header set X-Content-Type-Options nosniff </IfModule>
