Security headers in HTML site

I’ve written about the wonderful mechanism of securing your WordPress site a bit more with Security Headers before. I still think it’s pretty awesome, all these small things to make your site a bit more secure. Well, now I needed these headers for a one page HTML site.

It’s definitely not hard, but you just have to know where to put what. What is easy now, and a bit harder for a WordPress site, is the Content Security Policy. Since I only have a static one page HTML site with everything hosted on the same server, I can configure this policy without breaking my site AND receive an A+ status.

Configure Security Headers

Just navigate to the root of your one page HTML site and edit the .htaccess. I’ve tested this on an Apache-based server. For Nginx and others, the syntax will be different.

Anyway, at the bottom of your .htaccess, add these lines for a solid configuration:

# BEGIN HTTP Headers
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
<FilesMatch "\.(php|html)$">
Header unset X-Powered-By
Header always set Access-Control-Allow-Credentials "true"
Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS"
Header always set Access-Control-Allow-Headers "Origin"
# Everything is served from this host, so every source list can stay 'self';
# only inline styles are allowed, inline scripts are not.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; object-src 'self'; frame-src 'self';"
Header always set Expect-CT 'max-age=2592000, enforce, report-uri="https://scotthelme.report-uri.io/r/default/ct/enforce"'
Header always set P3P 'CP="CAO PSA OUR"'
Header always set Referrer-Policy "no-referrer-when-downgrade"
# One year, and the policy also covers subdomains.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "DENY"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-UA-Compatible "IE=edge,chrome=1"
</FilesMatch>
</IfModule>
# END HTTP Headers

# BEGIN Cookie Security
# php_flag is only valid when PHP runs as an Apache module (mod_php);
# with PHP-FPM, Apache rejects these directives and the site returns a 500.
php_flag session.cookie_httponly on
php_flag session.cookie_secure on
# END Cookie Security

The cookie bit is a bonus. This is all! Your website should be good, check again at https://securityheaders.io.
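To check that the headers above are actually being sent, here is an added Python audit (not code from the post) that parses a raw response head and flags the things a securityheaders.io-style scan would complain about: missing headers, an HSTS max-age shorter than the post's one year, a CSP without a default-src fallback, and 'unsafe-inline' in a script-capable directive. Both responses are constructed for the example, not captured from a real server.

```python
import re

# Headers the post's .htaccess block sets and that this audit expects to see.
REQUIRED = ("content-security-policy", "strict-transport-security",
            "x-content-type-options", "x-frame-options", "referrer-policy")

# Constructed responses (not captured from a real server): one carrying the
# headers from the .htaccess above, one from a site that never added them.
GOOD = """HTTP/1.1 200 OK
Content-Type: text/html
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; object-src 'self'; frame-src 'self';
Referrer-Policy: no-referrer-when-downgrade
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY"""
WEAK = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
Content-Security-Policy: script-src 'self' 'unsafe-inline'"""

def parse_headers(raw):
    """Raw response head -> {lower-cased name: value}; the status line is skipped."""
    pairs = (line.partition(":") for line in raw.splitlines() if ":" in line)
    return {name.strip().lower(): value.strip() for name, _, value in pairs}

def parse_csp(value):
    """CSP value -> {directive: [sources]}; a trailing ';' yields no entry."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy

def audit(raw):
    """Return findings for one response; an empty list means it passes."""
    h = parse_headers(raw)
    findings = [f"missing {name}" for name in REQUIRED if name not in h]
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if hsts and int(hsts.group(1)) < 31536000:      # the post uses one year
        findings.append("HSTS max-age shorter than one year")
    csp = parse_csp(h.get("content-security-policy", ""))
    if csp and "default-src" not in csp:
        findings.append("CSP has no default-src fallback")
    for d in ("default-src", "script-src"):          # inline styles stay allowed
        if "'unsafe-inline'" in csp.get(d, []):
            findings.append(f"CSP permits inline scripts via {d}")
    return findings
```

Feed it the output of `curl -sI https://your-site/` to audit a live site; the post's configuration yields no findings, the weak response yields six.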

More locations

If you have multiple sites, you don’t need to put everything in the .htaccess, but giving it some thought, I decided to put it there anyway.

You can put parts of this code in the httpd.conf, but also in your virtual hosts configuration. What I thought was the problem in this setup is that some settings are just site specific, for instance the Content Security Policy: one site may have everything on the same server, while another needs to load images from a different server.

Another problem could be that you have to restart your Apache server when you edit its configuration files, whereas an edited .htaccess file is picked up on a simple browser reload.

In any case, I’ve tested this by removing the code from the .htaccess file and putting it in my virtual hosts configuration file, and it works just as well. Where to put the code really depends on your setup, needs and possibilities.
