Fixing Missing HTTP Security Headers

July 22, 2019

HTTP Security Headers

Most modern browsers ship with a built-in XSS filter. However, this setting may be turned off by default. Including the X-XSS-Protection header forces this filter to be enabled, thus providing additional protection against Cross-Site Scripting attacks.

A missing Strict-Transport-Security header means that the application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user’s network traffic could bypass the application’s use of SSL/TLS encryption and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool automates this process.

A missing X-Content-Type-Options header means that this website could be at risk of MIME-sniffing attacks.

Steps to Fix

X-XSS-Protection

  • For Apache, it is recommended to use the protection provided by XSS filters without the associated risks by adding the following code to the .htaccess file:
    # X-XSS-Protection
    <IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    </IfModule>
  • For Nginx, add the following code to the nginx configuration:
    add_header X-XSS-Protection "1; mode=block";

Strict Transport Security

  • The application should instruct web browsers to only access the application using HTTPS.
  • To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name Strict-Transport-Security and the value max-age=expireTime.
  • The expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS.

X-Content-Type-Options

  • When serving resources, make sure you send the content-type header to appropriately match the type of the resource being served. For example, if you are serving an HTML page, you should send the HTTP header: Content-Type: text/html
  • For Apache, add the X-Content-Type-Options header with the value “nosniff” to tell the browser to trust the Content-Type the site has sent and not to attempt to “sniff” the real content type. Add the following code to the .htaccess file:
    # X-Content-Type nosniff
    <IfModule mod_headers.c>
    Header set X-Content-Type-Options nosniff
    </IfModule>
  • For Nginx, add the following code to the nginx configuration:
    add_header X-Content-Type-Options nosniff;
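After applying the configuration above, the response headers should be verified. The following is an added example, not part of the original article or of Astra's tooling: it audits a response's headers for the three fixes described here (X-XSS-Protection set to "1; mode=block", Strict-Transport-Security with a max-age, X-Content-Type-Options set to nosniff). The one-year minimum for max-age is an assumption made for this example, and the sample responses are constructed.

```python
import re
from typing import Dict, List

# Minimum HSTS max-age this check accepts (one year); an assumption for the
# example, the article only describes expireTime as a number of seconds.
MIN_HSTS_MAX_AGE = 31536000

def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the three headers the article covers; [] means all passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    # X-XSS-Protection: the article recommends exactly "1; mode=block".
    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing")
    elif xss.replace(" ", "").lower() != "1;mode=block":
        findings.append(f"X-XSS-Protection is {xss!r}, expected '1; mode=block'")

    # Strict-Transport-Security: must carry a numeric max-age that is not too short.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m:
            findings.append("Strict-Transport-Security has no max-age directive")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age={m.group(1)} is below {MIN_HSTS_MAX_AGE}")

    # X-Content-Type-Options: "nosniff" is the only value that disables MIME sniffing.
    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing")
    elif xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options is {xcto!r}, expected 'nosniff'")

    return findings

# Constructed sample responses (not captured from any real server).
HARDENED = {"Content-Type": "text/html; charset=utf-8", "X-XSS-Protection": "1; mode=block",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "X-Content-Type-Options": "nosniff"}
WEAK = {"Content-Type": "text/html", "X-XSS-Protection": "0",
        "Strict-Transport-Security": "max-age=60"}

if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_security_headers(hdrs) or ["OK"])
```

To check a live site, pass the headers from an HTTP client response (for example `dict(response.headers)`) to `audit_security_headers`.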