HTTP Header Security

If you are running on Apache Server, you may consider enabling these HTTP header to improve the security of your website. I use these on my sites. This is valid as of May 2019.

  • Header always set X-Frame-Options DENY
  • Header always set X-Content-Type-Options nosniff
  • Header always set Referrer-Policy strict-origin-when-cross-origin
  • Header always unset X-Powered-By
  • Header always set X-XSS-Protection "1; mode=block; report=https://ekvastra.report-uri.com/r/d/xss/enforce"
  • Header always set X-Permitted-Cross-Domain-Policies "none"
  • Header always set Report-To "{\"group\":\"default\",\"max_age\":31536000,\"endpoints\":[{\"url\":\"https://ekvastra.report-uri.com/a/d/g\"}],\"include_subdomains\":true}"
  • Header always set NEL "{\"report_to\":\"default\",\"max_age\":31536000,\"include_subdomains\":true}"
  • Header always set Feature-Policy "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'"
  • Header always set Content-Language "en, hi, sa"
  • Header always set Tk N

These header values are set by cloudflare proxy:

  • Vary
  • Expect-CT
  • Strict-Transport-Security
  • Server

The following headers are tweaked for each of my sites individually, the following is the setting for notes.ekvastra.in: