How to use HTTP headers to prevent vulnerabilities
- Transfer
- Recovery mode

Did you know that in most cases, a security vulnerability can be fixed by adding the necessary response headers?
Security is just as important as content or search engine optimization. Thousands of sites are being hacked due to configuration errors or inadequate protection. If you are a site owner or information security specialist, and are interested in protecting the site from clickjacking, code injection, MIME type vulnerabilities, XSS attacks , etc., then this instruction will be useful to you.
In this article, I’ll talk about different HTTP headers for use with various web servers, network peripherals, or content delivery networks to increase site security .
Remarks:
- Before making changes, I advise you to backup the configuration file;
- Some headers may not be supported on all browsers, so you should check compatibility before execution ;
- Mod_headers must be enabled in Apache to use these headers. The following line should be uncommented in the httpd.conf file: LoadModule headers_module modules / mod_headers.so
If you use SUCURI Cloud WAF , then you do not have to worry about setting up the server manually, most of the parameters are already automatically enabled.
HTTP Header List
X-XSS-Protection
HTTP Strict Transport Security
X-frame-options
X-Content-Type-Options
HTTP Public Key Pinning
Content Security Policy
X-XSS-Protection
The X-XSS-Protection header can prevent some XSS attacks (cross-site scripting), it is compatible with IE 8+, Chrome, Opera, Safari and Android.
Google, Facebook, Github use this heading, and most penetration prevention consultants will recommend you use it.
There are four configuration options:
| Parameter value | Content |
|---|---|
| 0 | XSS filter off |
| 1 | The XSS filter is enabled, and if an attack is detected, the page is censored |
| 1; mode = block | The XSS filter is turned on and, in the event of an attack, prevents page processing |
| 1; report = http: //example.com/report_URI | The XSS filter is turned on, and if an attack is detected, a violation report is sent |
Let's use 1; mode = block for the following web servers.
Apache HTTP Server
Add the following entry in the httpd.conf of your Apache server:
Header set X-XSS-Protection “1; mode=block”Restart Apache to verify.
Nginx
Add the following to nginx.conf in the HTTP section:
add_header X-XSS-Protection "1; mode=block";You must restart Nginx so that the changes are reflected in the response header of your site.
Maxcdn
If you use MaxCDN , then adding a title is as easy as shelling pears . Go to Edge Rules, click “New Rule” and select “Add X-XSS-Protection Header” from the drop-down list.

Microsoft IIS
- Open IIS Manager;
- Select the site for which you want to include a heading;
- Go to “HTTP Response Headers”
- Click “Add” in the action section.
- Enter a name, value and click OK.

- Restart IIS to see the results.
HTTP Strict Transport Security
The HSTS (HTTP Strict Transport Security) header ensures that all communication from the browser is over HTTPS (HTTP Secure). This prevents attempts to bypass HTTPS and redirects all HTTP requests to HTTPS.
Before adding this title, make sure that all pages of the site are accessible via HTTPS, otherwise they will not be displayed.
The HSTS header is compatible with the latest versions of most browsers (IE, Firefox, Opera, Safari and Chrome). There are three configuration options.
| Parameter value | Content |
|---|---|
| max age | The interval (in seconds) to indicate to the browser that requests should only be sent via HTTPS. |
| includeSubDomains | Configuration applies to subdomains. |
| preload | Use if you want to add a domain to a predefined list of HSTS . |
As an example, let's configure HSTS for a year and add the domain and subdomains to the predefined list of HSTS.
Apache HTTP Server
To use HSTS in Apache, add the following entry to the httpd.conf file:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"Restart Apache to see the result.
Nginx
To configure HSTS in Nginx, add the following entry to nginx.conf in the Server directive (SSL):
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';As always, you will have to restart Nginx for verification.
Cloud flare
If you use Cloud Flare, you can enable HSTS in just a couple of mouse clicks.
- Log in to Cloud Flare and select the desired site.
- Go to the “Crypto” tab and click “Enable HSTS.”

Select the settings you need, and the changes will take effect immediately.
Microsoft IIS
Launch IIS Manager and add the header by going to “HTTP response headers” for the corresponding site.

Restart the site.
X-frame-options
Title X-Frame-Options to reduce the vulnerability of your site for the Click-Jacking -atak. This heading instructs the browser not to load your page in frame / iframe. Not all browsers support this option, so check the title for compatibility before adding it.
There are three configuration options.
| Parameter value | Content |
|---|---|
| SAMEORIGIN | Allows loading content in frame / iframe only if the frame and the page loading it are located on the same domain. |
| DENY | Prevents loading content in frame / iframe. |
| ALLOW-FROM | Allows loading content in frames only for a specific URI. |
Let's look at how to add a “ DENY ” configuration to prevent embedding.
Apache
Add the following line to httpd.conf and reload the web server to verify:
Header always append X-Frame-Options DENYNginx
Add the following to nginx.conf in the Server directive:
add_header X-Frame-Options “DENY”;A reboot is required to verify the results.
F5 LTM
Create the following iRule for the corresponding virtual server:
when HTTP_RESPONSE {
HTTP::header insert "X-FRAME-OPTIONS" "DENY"
}You do not need to reboot anything, changes occur automatically.
Wordpress
This title can also be used in WordPress. Add the following to the wp-config.php file:
header(‘X-Frame-Options: DENY’);If you do not want to make changes to the file, then you can use the plugin according to this instruction .
Microsoft IIS
To add a header, open “HTTP response headers” for the corresponding site.

In order for the changes to appear, you need to restart the site.
X-Content-Type-Options
You can prevent attacks using MIME type spoofing by adding this HTTP response header. The header contains instructions for determining the type of file and does not allow sniffing of content. When configuring, you only need to add one parameter: “nosniff”.
Let's see how to add this header.
Apache
Add the following line to the httpd.conf file:
Header set X-Content-Type-Options nosniffRemember to restart the Apache web server for the configuration to take effect.
Nginx
Add the following line to the nginx.conf file in the Server directive:
add_header X-Content-Type-Options nosniff;As usual, you will need to restart Nginx to check the results.
Wordpress
If you use WordPress, then you can use the Security Headers plugin to use this header.
Microsoft IIS
Open IIS and go to the “HTTP response headers” section.
Click “Add,” enter a name and value.

Click OK and restart IIS to verify the result.
HTTP Public Key Pinning
Reduce the risk of a MITM attack (“man in the middle”) with certificate binding. To do this, add the HPKP (HTTP Public Key Pinning) header .
You can bind a public key root certificate or an intermediate certificate. At the time of writing, HPKP support is provided in Firefox and Chrome with the SHA-256 hash algorithm .
There are four configuration options.
| Parameter value | Content |
|---|---|
| report-uri = ”url” | Send the report to a specific URL if the link did not succeed. This is an optional parameter. |
| pin-sha256 = ”sha256key” | Define a binding. |
| max-age = | The instructions for the browser to remember the time in seconds during which the site will be accessible only using one of the attached certificates. |
| IncludeSubDomains | Apply for subdomains. |
As an example, let's look at the HPKP header for facebook.com:
public-key-pins-report-only:max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; report-uri=http://reports.fb.com/hpkp/If you intend to use this on your site, I recommend referring to the manual written by Scott Helme .
Content Security Policy
To prevent XSS attacks, clickjacking, and code injection , you can add a Content Security Policy (CSP) response header. CSP contains instructions for downloading content from authorized sources.
Not all browsers support CSP , so you'll have to check this before using. There are three options for using CSP headers:
- Content-Security-Policy - Level 2 / 1.0;
- X-Content-Security-Policy - not recommended;
- X-Webkit-CSP - not recommended.
If you are still using an outdated option, then you should think about switching to an updated one.
You can set many parameters for the CSP header, and you can learn them at OWASP . I propose to consider the two most common.
| Parameter value | Content |
|---|---|
| default-src | Download everything from a specific source. |
| script-src | Download only scripts from a specific source. |
Consider the permission to download any content from the current domain for different web servers.
Apache
Add the following line to the httpd.conf file and restart the web server:
Header set Content-Security-Policy "default-src 'self';"Nginx
Add the following to the Server section in the nginx.conf file:
add_header Content-Security-Policy "default-src 'self';";Microsoft IIS
Go to the "HTTP response headers" for the corresponding site in IIS Manager and add the following settings:

I hope that the instructions for using the headers will allow you to increase the safety and security of your web application. If you are looking for a secure IIS web server, then pay attention to WebKnight WAF , where you can implement the above configurations and more.
The last paragraph,
we will be glad to see you among the visitors of HOSTING.cafe (search for virtual servers , shared hosting and not only) or POISK.hosting (collection of reviews about hosters).