HTTP Header Security
If you are running on Apache Server, you may consider enabling these HTTP headers to improve the security of your website. I use these on my sites. This is valid as of May 2019.
- Header always set X-Frame-Options DENY
- Header always set X-Content-Type-Options nosniff
- Header always set Referrer-Policy strict-origin-when-cross-origin
- Header always unset X-Powered-By
- Header always set X-XSS-Protection "1; mode=block"
- Header always set X-Permitted-Cross-Domain-Policies "none"
- Header always set Report-To "{\"group\":\"default\",\"max_age\":31536000,\"endpoints\":[{\"url\":\"https://ekvastra.report-uri.com/a/d/g\"}],\"include_subdomains\":true}"
- Header always set NEL "{\"report_to\":\"default\",\"max_age\":31536000,\"include_subdomains\":true}"
- Header always set Feature-Policy "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'"
- Header always set Content-Language "en"
- Header always set Tk N
- Header always unset Pragma
These headers are set by the Cloudflare proxy:
- Vary
- Expect-CT
- Strict-Transport-Security
- Server
- cf-cache-status
- cf-ray
The following headers are tuned for each of my sites individually; this is the setting for notes.ekvastra.in:
- Header always set Access-Control-Allow-Origin https://developer.mozilla.org
- Header always set Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; report-uri https://ekvastra.report-uri.com/r/d/csp/enforce; img-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; form-action 'self'"
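As an added example (not from the original page), here is a small Python audit that parses a captured response header block and reports which of the headers listed above are missing, carry a different value, or are still present when the config should have unset them. The sample response is constructed, not a real capture, and the expected values mirror the Apache lines above.

```python
# Headers the Apache config above sets, with the exact values it sets.
EXPECTED = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "x-permitted-cross-domain-policies": "none",
    "tk": "N",
}
# Headers the config unsets; seeing one in a response is a finding.
FORBIDDEN = ("x-powered-by", "pragma")
# Headers that must be present but whose value is per-site (CSP) or set by Cloudflare (HSTS).
REQUIRED_ANY = ("content-security-policy", "strict-transport-security")

def parse_headers(raw):
    """Parse a raw response (status line + headers) into {lowercased name: [values]}."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break  # the first blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return a list of findings; an empty list means the response matches the policy."""
    h = parse_headers(raw)
    findings = []
    for name, want in EXPECTED.items():
        got = h.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got[-1].lower() != want.lower():  # 'Header set' leaves one value; check the last
            findings.append(f"{name}: expected {want!r}, got {got[-1]!r}")
    findings += [f"missing {name}" for name in REQUIRED_ANY if name not in h]
    findings += [f"{name} should be unset, got {h[name][-1]!r}" for name in FORBIDDEN if name in h]
    return findings

# Constructed sample response (not a real capture): it still leaks X-Powered-By
# and lacks Referrer-Policy, so audit() reports exactly those two findings.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "Tk: N\r\n"
    "X-Powered-By: PHP/7.3\r\n"
    "Content-Security-Policy: default-src 'none'; frame-ancestors 'none'\r\n"
    "\r\n"
)
```

To check a live site, feed `audit()` the output of `curl -sI https://example.invalid` (a placeholder host); an empty list means the response matches the policy above.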