Showing posts from November, 2016

Common Apache PHP .htaccess Security Header Updates as of 2016-11-08

These are common .htaccess security header that should be applied to almost all websites.

This is useful for Apache/PHP combination.

Add the following in your .htaccess file:

<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=3600; includeSubdomains;"
Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"

        # You can modify the following to allow external (e.g. CDN) javascript
Header set X-Content-Security-Policy "allow 'self';"

        # You can replace "PHP" with "-" to completely hide your PHP version
Header set X-Powered-By "PHP"

Hope it helps someone.