HTTP Security Headers are used to block or allow requests in a web server. They are directives to the browser telling it how to handle the content it is serving.

HTTP Security Headers are one of the ways to ensure that your website is secure. This means that you can take proactive measures to protect your site against various threats like phishing, malware, and more.

There are two main types of HTTP Security Headers:

The first type is called “HTTP Public-Key-Pins” (HPKP). These tell the browser which certificate the site uses and what host it should trust.

The second type of HTTP Security Header is called “HTTP Strict-Transport-Security” (HSTS). These tell the browser to always use HTTPS and never use HTTP.

Since these HTTP Security Headers tell browsers how to handle certain requests, it is important to know what they are and how they work in order to protect your website from intruders.

How do HTTP Security Headers work?

HTTP Security Headers are a set of instructions sent by web servers to browsers, which enable them to enforce security. This is done by configuring the security policies for the browser, which blocks any malicious content. It’s important to note that these headers enable you to configure your browser to block cookies, scripts, and other content.

The benefit of using HTTP Security Headers is that they are browser-specific. This means that they can be used by both desktop and mobile browsers. These Security Headers help you reduce loading time and makes sure that your website is more secure.

Note:  To check your website security header just go to these sites and paste your website URL.   or

Why the ‘HTTP Security Header’ Is Important for Web Security

Many people know that your website needs to be secure. Hackers are always looking for ways to break into websites, and it’s important to be vigilant about security. One of the most effective ways to keep intruders out is by using HTTP Security Headers. They are a set of instructions sent by web servers to browsers, which enable them to enforce security. This article will show you what HTTP Security Headers are, how they work, and why they are so important when it comes to web security.

Types of security headers

HTTP Security Headers are a set of instructions that are sent by web servers to browsers, which enable them to enforce security. They are very important when it comes to web security, and there are three different types of HTTP Security Headers:

X-Frame-Options (XFO):  The XFO header is used to specify whether or not a page should be prevented from being rendered inside a frame. This prevents clickjacking and other framing attacks.

By implementing the below code to the top of your .htaccess file you’ll ad the ‘X Frame Options’ response header to your site and will only allow your site to be framed by your own domain name.

IfModule mod_headers.c>
Header set X-Frame-Options "sameorigin"
<IfModule mod_headers.c>

X-XSS-Protection (XXSSP): The XXSSP header is used to specify the level of protection against cross-site scripting. It can be set up to protect against various levels of scripting vulnerabilities. It is another simple security header and is widely used by all huge sites such as GitHub, Facebook and Google.

By adding this below lines of code of your .htaccess file will enable the XSS filter and add another layer of security to your site:

<IfModule mod_headers.c>

Header set X-XSS-Protection "1; mode=block"

<IfModule mod_headers.c>

X Content Type Options:  The ‘X Content Type Options’ response header instructs web browsers to disable MIME and content crawling. This prevents attacks like ‘MIME confusion attacks’. It reduces your website’s vulnerability to Drive by download attacks and prevents your server from loading malicious content. who disguises himself with clever names.

Add this below code to your .htaccess file to enable this security

<IfModule mod_headers.c>

Header set X-Content-Type-Options "nosniff"

<IfModule mod_headers.c>

X Permitted Cross Domain Policies:  This policy prevents misuse of Adobe resources on your website, such as:  PDF and Flash. By adding the following htaccess snippet you will prevent hotlinks and prevent resource abuse by other websites trying to load your site assets.

<IfModule mod_headers.c>

Header set X-Permitted-Cross-Domain-Policies "none"

<IfModule mod_headers.c>

Strict Transport Security:  The strict transport security header forces the web browser to ensure that all communication is sent over a secure https connection. If your website has mixed content, the implementation will damage your website. Make sure all urls are provided in the .htaccess file.

<IfModule mod_headers.c>

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

<IfModule mod_headers.c>

Content Security Policy (CSP): CSPs are used to specify the domains, scripts, and other content that should be allowed on a page. This can be used to prevent clickjacking, CSS injection, and other types of attacks.

Unfortunately, it’s also one of the most difficult guidelines to implement and has the greatest potential to spoil the look and feel of your website if implemented incorrectly. In short, there is no easy way to implement this policy into your .htaccess file without extensive testing.

The “Content Security Policy” controls which host URLs (domain names) can interact with your site. Hence, any third-party URL that is present in your website’s plugins or extensions should be added to your content security policy and then the appropriate rules applied to it.

The first step is to document all of the external URLs in your site’s source code. You can then use a CSP generator to create guidelines for each external URL. There is a great content security generator here:

What makes it difficult is that your site also uses external URLs in its JavaScript functions that you may not necessarily see in the source code. For example, Analytics can enter 5 different external URLs on your website. which cannot be easily recognized in the source code, but it is possible to introduce a very rudimentary ‘Content Security Policy’ with the following code, which simply forces all external URLs to use the https protocol. it’s still better than not having a guideline, and also allows all of the inline JavaScript and CSS to work too.

<IfModule mod_headers.c>

Header set Content-Security-Policy "default-src * data:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'"

<IfModule mod_headers.c>

Referrer Policy Header Response:  The ‘Referral Policy’ heading controls what information is sent to the following site each time a link is clicked on your site. Its purpose is to prevent the use of reverse tab napping in phishing attacks.

If an external link has the attribute target = “_ blank”, value offers partial access to the referring page via the ‘window.opener object’. A referring policy helps prevent phishing attacks by restricting access to the ‘window.opener object ‘ .

some options when setting the Correct ‘Referrer Policy’ – and you should be careful not to set too strict guidelines when your website uses affiliate links.

The below option is what I use for most of my sites:

<IfModule mod_headers.c>

Header set Referrer-Policy "no-referrer-when-downgrade"

<IfModule mod_headers.c>

Feature Policy: The Feature Policies security heading controls which features the web browser can use while users are on your site or viewing your site through any iframe. There is a long list of features used by web browsers such as geolocation, microphones and cameras, etc. The “Features Policy” controls which of these features can be used on your website and which source URLs they can control.

<IfModule mod_headers.c>

Header set Feature-Policy "camera 'none'; fullscreen 'self'; geolocation *; microphone 'self' https://www.example/*"

<IfModule mod_headers.c>

Expect CT policy: The Expect CT header policy instructs web browsers to report or enforce certificate transparency requirements. This can stop incorrectly issued SSL certificates and can be configured in report mode or application mode. Without ‘Expect CT’ it will be much easier for attackers to exploit lost certificates, so if you set it up in forced mode, make sure that everything is set up correctly with your SSL. On the majority of my sites I use the full enforce mode as per the below example:

<IfModule mod_headers.c>

Header set Expect-CT: enforce, max-age=31536000, report-uri=""

<IfModule mod_headers.c>

You can also just use the report only mode like this:

<IfModule mod_headers.c>

Header set Expect-CT: max-age=31536000, report-uri=""

<IfModule mod_headers.c>


I hope this article has helped you understand HTTP Security Headers and why they’re so important for web security. Security is an ongoing process and we’re always looking for ways to improve it. If your website facing security issue then apply all these steps. Also If you discover any vulnerabilities in your site, I encourage you to contact with me so that I can help!

Leave a Reply