This article will explain how you can add Security Headers in Apache. Security headers can be added directly to the .htaccess file of your site. The .htaccess file is typically located in the webroot of your site. A common location in Servebolt would be in the /public/ directory. You can access the .htaccess file by logging into your site using either SFTP or SSH. Editing the .htaccess file should be done by a more technical person, adding a rule wrongly may result in a 500 Internal Server Error. Adding the wrong Security Header to your site may also lead to some functionality not working as expected.

Adding Security Headers:

Security Headers can be added to your .htaccess file. The .htaccess file is parsed from top to bottom, so it is important that you keep that in mind when adding Security Headers.

Example:

The Security Headers added below are only an example of how it can look it on your .htaccess file. Use wisely and only add Security Headers to your site if you know what they do.

# Security Headers
<IfModule mod_headers.c>
Header set Content-Security-Policy "upgrade-insecure-requests"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set X-Xss-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Permissions-Policy "geolocation=self"
</IfModule>