Security Headers seems to be one of the most skipped steps in just about every configuration out there. We have listed the minimum security headers config that should be included in every instance of Apache. Security Headers (to work against sniffing and manipulating our own content) are a whole topic to itself on how to control the connection with clients. Not to mention, what we could possibly to do anyone using header manipulation to injection all sorts of fun. Apache module and header manipulation is truly an art form that seemingly very few people understand. This is where the majority of the security work and tweaking comes into play in order to stay ahead of the curve. There are so many lovely options for headers and how to use them.
We are using headers to deal with things like:
Header Syntax usage: Header [condition] add|append|echo|edit|edit*|merge|set|setifempty|unset|note
Header [[expr=]value [replacement] [early|env=[!]varname|expr=expression] <--When we desire to alter our headers behavior
The below chart breaks down the top million requested websites - Scott Helme performed this very interesting study about the lack of Security Header use in the top million requested website's. The results for Februay 2019 came in. Whilst things didn't look too great in the first scan back in 2016, the rate of improvement being shown is incredible! These numbers are still a long way from where we'd like to see them but all of the metrics are showing considerable progress. Scott Helme Security Headers Test- securityheaders.io
We do not recommend using security headers as a global configuration and will not show an alternative way of using them.
<IfModule mod_headers.c> Header unset ETag FileETag None Header unset Server Header always set X-Content-Type-Options "nosniff" Header always set X-XSS-Protection "1; mode=block" Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure Header always set Referrer-Policy "no-referrer-when-downgrade" Header always set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none' " Header set X-Frame-Options DENY Header set Cache-Control:public, max-age=31536000 Header set MyHeader "Feel safe zombiesecured headers in use!!! It took %D microseconds for Zombiesecured to serve this request on %t" </IfModule>
systemctl restart apache2
Test results June 20th, 2019 - Image courtesy of Securityheaders.io