
Showing posts from November, 2016

Common Apache PHP .htaccess Security Header Updates as of 2016-11-08

These are common .htaccess security headers that should be applied to almost all websites. They are useful for an Apache/PHP combination. Add the following to your .htaccess file:

```apache
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=3600; includeSubdomains;"
  Header set X-Frame-Options SAMEORIGIN
  Header set X-XSS-Protection "1; mode=block"
  Header set X-Content-Type-Options "nosniff"

  # You can modify the following to allow external (e.g. CDN) javascript.
  # Content-Security-Policy with default-src is the standardized form; the older
  # X-Content-Security-Policy "allow 'self';" syntax is ignored by current browsers.
  Header set Content-Security-Policy "default-src 'self';"

  # You can replace "PHP" with "-" to completely hide your PHP version
  Header set X-Powered-By "PHP"
</IfModule>
```

Hope it helps someone.
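To confirm the .htaccess block is actually taking effect, the response headers can be audited. The script below is an added example, not part of the original post: the finding codes and both sample responses are constructed, `min_hsts_age` defaults to the 3600 seconds used above, and a response that carries only `X-Content-Security-Policy` is reported because current browsers enforce only the unprefixed `Content-Security-Policy` header.

```python
import re

# Constructed sample response heads (not captured from a real server).
GOOD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=3600; includeSubdomains;
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self';
X-Powered-By: PHP"""

BAD = """HTTP/1.1 200 OK
Strict-Transport-Security: includeSubdomains
X-Frame-Options: ALLOWALL
X-Content-Security-Policy: allow 'self';
X-Powered-By: PHP/5.6.27"""

def parse_headers(raw):
    """Return {lowercased name: [values]} from a raw HTTP response head."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw, min_hsts_age=3600):         # 3600 is the max-age the page uses
    """Return finding codes (hypothetical names) for the headers the page sets."""
    h = parse_headers(raw)
    one = lambda name: h.get(name, [""])[-1]
    findings = []
    m = re.search(r'max-age\s*=\s*"?(\d+)', one("strict-transport-security"), re.I)
    if not m or int(m.group(1)) < min_hsts_age:
        findings.append("hsts-missing-or-short")
    if one("x-frame-options").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options-weak")
    if one("x-content-type-options").lower() != "nosniff":
        findings.append("nosniff-missing")
    if "content-security-policy" not in h:
        legacy = "x-content-security-policy" in h
        findings.append("csp-legacy-header-only" if legacy else "csp-missing")
    if any(re.search(r"\d", v) for v in h.get("x-powered-by", [])):
        findings.append("x-powered-by-leaks-version")
    return findings

if __name__ == "__main__":
    print("good:", audit(GOOD) or "ok", "| bad:", audit(BAD))
```

Feed it the output of a header-only request against your own site (status line plus headers) in place of the constructed samples.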