How To Implement Security Headers In Apache

Securing your Apache web server is crucial for protecting your website and users. One effective way to enhance security is by implementing proper security headers. This guide will walk you through the process step by step.

Step 1: Open Apache Configuration

Connect to your server and open your Apache configuration file. This is typically located at /etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf.

sudo nano /etc/apache2/apache2.conf

Step 2: Add Security Headers

Insert the following lines at the appropriate location in your Apache configuration file to add security headers. The Header directive is provided by mod_headers, so make sure that module is loaded (on Debian/Ubuntu: sudo a2enmod headers); otherwise Apache rejects the configuration at startup with an "Invalid command 'Header'" error.

  1. Open the Apache configuration file (Linux server): sudo nano /etc/httpd/conf/httpd.conf
    • On a Windows server, you can use a text editor such as Notepad to open the file located at "C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf".
  2. Add the headers to the config file (the Header directive takes the header name and its value as two separate arguments, with no colon after the name):
    • Header always set X-XSS-Protection "1; mode=block"
      Header always set X-Content-Type-Options "nosniff"
      Header always set X-Frame-Options "SAMEORIGIN"
      Header always set Content-Security-Policy "default-src 'self'"
      Header always set Referrer-Policy "strict-origin-when-cross-origin"
      Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  3. For more information on Content-Security-Policy, please see our guide on how to implement Content-Security-Policy security headers in Apache.

Step 3: Save and Restart Apache

Save your changes, confirm that the configuration still parses (sudo apachectl configtest), and restart Apache to apply the new configuration:

sudo systemctl restart apache2

Step 4: Verify Configuration

Ensure that the security headers are applied correctly by visiting your website and checking the response headers with your browser's developer tools, a command-line client such as curl -I, or an online security header checking tool.
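As an added example (not part of the original guide), the following Python script checks a response's headers against the values configured above, comparing Strict-Transport-Security by its parsed directives rather than as a literal string so that a different directive order or a longer max-age still passes; fetch_headers() and the constructed SAMPLE response are this example's own, and the URL is whatever you pass in.

```python
"""Check a server's response for the six headers this guide configures."""
from http.client import HTTPSConnection
from urllib.parse import urlparse

# Exact values the guide's Header directives set; HSTS is checked structurally.
EXPECTED = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
MIN_HSTS_AGE = 31536000  # one year, the max-age the guide uses

def check_headers(headers):
    """headers: (name, value) pairs as HTTPResponse.getheaders() returns them.
    Returns {header name: 'ok' | 'missing' | short problem description}."""
    seen = {n.lower(): v.strip() for n, v in headers}  # names are case-insensitive
    results = {}
    for name, wanted in EXPECTED.items():
        actual = seen.get(name.lower())
        results[name] = ("missing" if actual is None else
                         "ok" if actual == wanted else f"unexpected value: {actual}")
    hsts = seen.get("strict-transport-security")
    if hsts is None:
        status = "missing"
    else:  # directive order may differ, so parse rather than compare the string
        parts = [p.strip().lower() for p in hsts.split(";")]
        ages = [int(p[8:]) for p in parts if p.startswith("max-age=") and p[8:].isdigit()]
        if not ages or ages[0] < MIN_HSTS_AGE:
            status = f"max-age below one year: {hsts}"
        else:
            status = "ok" if "includesubdomains" in parts else "includeSubDomains missing"
    results["Strict-Transport-Security"] = status
    return results

def fetch_headers(url, timeout=10):
    """HEAD the URL over HTTPS (port 443 unless given) and return header pairs."""
    parsed = urlparse(url)
    conn = HTTPSConnection(parsed.hostname, parsed.port or 443, timeout=timeout)
    conn.request("HEAD", parsed.path or "/")
    return conn.getresponse().getheaders()

# Constructed sample: a server that applied the config but omitted
# Content-Security-Policy and set a short HSTS max-age.
SAMPLE = [("X-XSS-Protection", "1; mode=block"), ("X-Content-Type-Options", "nosniff"),
          ("X-Frame-Options", "SAMEORIGIN"),
          ("Referrer-Policy", "strict-origin-when-cross-origin"),
          ("Strict-Transport-Security", "max-age=3600; includeSubDomains")]
```

Running check_headers(fetch_headers("https://your-site.example/")) against a live server reports each header as ok, missing, or the reason it fails; check_headers(SAMPLE) shows the offline case.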