
Enhancing Website Security with .htaccess Security Headers

Modern websites face a wide range of threats, including cross‑site scripting (XSS), clickjacking, data leakage, and session hijacking. Apache’s .htaccess file lets you harden a site at the web-server level without touching application code, provided mod_headers is loaded and AllowOverride permits the directives (both are normally true on shared hosting). By applying security headers, enforcing HTTPS, and controlling how browsers load resources, you can significantly improve your website’s security posture.


1. Core Security Headers

Security headers instruct the browser how to handle content, connections, and permissions. These headers are lightweight, effective, and safe for nearly all websites.

Strict‑Transport‑Security (HSTS)

Tells a browser that has received the header over HTTPS to use HTTPS for every later request to the host for max-age seconds (here one year), which defeats SSL-stripping downgrade attacks. The header is ignored when received over plain HTTP, so pair it with a redirect from HTTP to HTTPS. includeSubDomains extends the rule to every subdomain, so confirm that all of them serve valid HTTPS before enabling it; add the preload token only if you intend to submit the domain to the browser preload list, which also requires includeSubDomains and a max-age of at least one year.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

X‑Frame‑Options

Prevents other sites from embedding your pages in frames, which is how clickjacking tricks users into clicking hidden controls. SAMEORIGIN allows only pages from your own origin to frame the site; use DENY if nothing should frame it. Modern browsers prefer the CSP frame-ancestors directive, which should be set alongside this header for older clients.

Header always set X-Frame-Options "SAMEORIGIN"

X‑Content‑Type‑Options

Stops browsers from guessing a response’s type from its content (MIME sniffing), so an uploaded file or a misconfigured text response cannot be interpreted as a script or stylesheet. With nosniff set, the browser also refuses to run a script or apply a stylesheet whose Content-Type does not match.

Header always set X-Content-Type-Options "nosniff"

X‑XSS‑Protection

This header controlled the reflected-XSS auditor in older browsers. The auditor has been removed from Chrome and Edge and was never implemented in Firefox, so current browsers ignore the header; in the old browsers that honoured it, the "1; mode=block" setting could itself be abused to leak information about the page. The safe value today is 0, which disables the filter explicitly; the real defense against XSS is CSP.

Header always set X-XSS-Protection "0"

Referrer‑Policy

Controls how much of the current URL is sent in the Referer header when users follow links or the page loads resources. strict-origin-when-cross-origin sends the full URL for same-origin requests, only the origin (scheme and host) to other HTTPS sites, and nothing at all on an HTTPS to HTTP downgrade, which keeps paths and query strings (which can carry tokens) out of third-party logs.

Header always set Referrer-Policy "strict-origin-when-cross-origin"

Permissions‑Policy

Tells the browser which features the page and its embedded frames may use; an empty allowlist such as geolocation=() disables the feature entirely. List only features your site does not use, because a disabled feature stops working for every frame on the page.

Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

2. Content Security Policy (CSP)

CSP is the browser-side control that decides which scripts, styles, images, frames and network destinations a page may load. Used strictly, it is one of the strongest defenses against XSS, because injected script that does not match the policy simply does not run.

A strict CSP requires per-request nonces or hashes for every inline script, which many CMS platforms and third‑party widgets cannot satisfy without application changes. The policy below is a compatibility-first starting point: it keeps those sites working, but because it allows 'unsafe-inline' and 'unsafe-eval' for scripts it does not stop XSS. Its value lies in the other directives.

Stable, Compatible CSP Example

Apache does not let a directive span several lines on its own, so each continued line must end with a backslash. always makes the header go out on error pages too, and frame-ancestors 'self' is the CSP counterpart of X-Frame-Options.

Header always set Content-Security-Policy "\
    default-src 'self'; \
    script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; \
    style-src 'self' 'unsafe-inline' https:; \
    img-src 'self' data: https:; \
    font-src 'self' https:; \
    connect-src 'self' https:; \
    frame-src 'self' https:; \
    frame-ancestors 'self'; \
    object-src 'none'; \
    base-uri 'self'; \
    manifest-src 'self'; \
    media-src 'self'; \
    worker-src 'self';"

What this CSP allows

  • Resources from your own origin
  • Any resource loaded over HTTPS, from any host
  • Inline scripts and styles, and eval() (required by many CMS platforms)
  • Third‑party services such as analytics, chat widgets, CDNs, and fonts

What this CSP blocks

  • Mixed content (subresources fetched over plain HTTP from an HTTPS page)
  • Plugin content loaded through <object> and <embed> (object-src 'none')
  • Injected <base> tags that would redirect relative script URLs to another host (base-uri 'self')
  • Other sites framing your pages (frame-ancestors 'self')

What this CSP does not block

  • Injected inline script, or script pulled from any HTTPS host, so on its own it gives no protection against XSS

Deploy it first under the Content-Security-Policy-Report-Only header name (same value) and watch the browser console for violations before switching to the enforcing header. Websites that need real XSS protection can then replace 'unsafe-inline' with hashes of their inline scripts or, where the application can generate them, per-request nonces, and replace the bare https: in script-src with the specific hosts they load scripts from.
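As an added example (not code from the original article), the following shell script computes the hash sources needed to remove 'unsafe-inline' from script-src. It assumes openssl is installed and that each inline script body has been copied into its own file; the sample script body at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not part of the original article): compute CSP hash sources
# for inline scripts so 'unsafe-inline' can be dropped from script-src.
# Assumes openssl is on PATH. A CSP hash is base64(sha256(script body)), where
# the body is every byte between <script> and </script>, whitespace included.

# csp_hash FILE: print the hash source expression for the script body in FILE.
csp_hash() {
    digest=$(openssl dgst -sha256 -binary "$1" | openssl base64 -A)
    printf "'sha256-%s'" "$digest"
}

# script_src_for FILE...: build a script-src directive that allows same-origin
# external scripts plus exactly the inline scripts given. Once any hash source
# is present browsers ignore 'unsafe-inline', so it must not be listed here.
script_src_for() {
    directive="script-src 'self'"
    for body in "$@"; do
        directive="$directive $(csp_hash "$body")"
    done
    printf '%s;' "$directive"
}

# Constructed sample: the body of one inline script copied out of a page.
sample=$(mktemp)
printf '%s' 'document.getElementById("year").textContent = new Date().getFullYear();' > "$sample"

echo "Hash source: $(csp_hash "$sample")"
echo "Directive:   $(script_src_for "$sample")"
rm -f "$sample"
```

Paste the printed directive into the CSP in your .htaccess in place of the existing script-src line. Any edit to an inline script, even a changed space, changes its hash and the browser blocks the script until the policy is updated; the browser console then prints the hash it expected, which is the quickest way to spot the mismatch. Hashes suit static inline scripts; scripts that differ on every page load need a nonce generated by the application.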


3. Secure Cookie Settings

Session cookies are what an attacker steals or replays to hijack a session. Strengthening them helps prevent session hijacking and cross‑site request forgery. These are PHP settings rather than Apache headers.

Recommended Cookie Settings (php.ini or .user.ini)

Put these in php.ini, or in a .user.ini file in the web root when PHP runs as CGI/FastCGI (php_flag lines in .htaccess only work with mod_php):

session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = Strict
session.cookie_path = /

cookie_secure keeps the session cookie off plain-HTTP connections, cookie_httponly hides it from JavaScript so an injected script cannot read it, and cookie_samesite stops the browser sending it on cross-site requests, which blunts CSRF. Strict also withholds the cookie when a visitor follows a link to your site from elsewhere, so they arrive logged out; Lax is the usual compromise for public sites, with Strict reserved for admin areas. Setting session.use_strict_mode = 1 as well makes PHP reject session IDs it did not issue, which blocks session fixation.

Strongest Option: Host‑Prefix Cookies

<?php
// Must run before session_start(), on every request that uses the session.
session_name("__Host-SESSIONID");
session_start();

The __Host- prefix is enforced by the browser, not by PHP: a cookie with this name is accepted only if it is marked Secure, has Path=/ and carries no Domain attribute, so it can neither be set over an insecure connection nor overwritten by a cookie planted on a sibling subdomain. The browser requires:

  • Secure
  • Path=/
  • No domain attribute

HttpOnly and SameSite are not part of the prefix and still come from the ini settings above. Because the browser silently discards a __Host- cookie that lacks Secure, session.cookie_secure must be 1 and the site must be served over HTTPS, otherwise every visitor loses their session.

4. Preventing Sensitive Page Caching

Login pages, dashboards, and admin areas should never be cached by the browser or by intermediate proxies, otherwise the next user of the same machine (or a shared cache) can pull the page back up. Set the headers only for those paths: applied site-wide they would also stop static assets from being cached and slow the whole site down. The path pattern below is an example and should be adjusted to your application’s URLs (Apache 2.4 <If> syntax):

<If "%{REQUEST_URI} =~ m#^/(login|admin|dashboard)#">
    Header always set Cache-Control "no-store, no-cache, must-revalidate"
    Header always set Pragma "no-cache"
</If>

no-store is the directive that matters for current browsers; no-cache, must-revalidate and Pragma remain for older HTTP/1.0 caches.

5. Optional: Cross‑Origin Isolation (Advanced)

Cross-Origin-Opener-Policy (COOP), Cross-Origin-Embedder-Policy (COEP) and Cross-Origin-Resource-Policy (CORP) isolate your pages from other origins, which unlocks features such as SharedArrayBuffer and high-resolution timers and blunts Spectre-style cross-site leaks. They are strict by design: COEP require-corp makes the browser refuse any cross-origin image, script or frame that has not opted in through a CORP header or CORS; COOP same-origin cuts the window.opener link to pages on other origins, which breaks login pop-ups that report back to the opener; CORP same-origin stops other sites from embedding your images and scripts at all.

Use only if your site is fully self‑hosted and opens no cross-origin pop-ups:

Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Embedder-Policy "require-corp"
Header always set Cross-Origin-Resource-Policy "same-origin"

Most websites should avoid these unless they control every external resource their pages load.


6. Combined .htaccess Security Block

This block collects every header from the sections above into a compatibility-first baseline, with the legacy X-XSS-Protection filter disabled and frame-ancestors added to the CSP. always makes Apache attach the headers to error responses as well as normal pages. After saving the file, run curl -sI https://your-domain/ and confirm that each header appears exactly once; a header that shows up twice usually means the application or a plugin sets it too, and two differing CSP headers are both enforced, so remove one copy.

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; font-src 'self' https:; connect-src 'self' https:; frame-src 'self' https:; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; manifest-src 'self'; media-src 'self'; worker-src 'self';"
</IfModule>
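To check what the server actually sends once the block is in place, the following shell script (an added example, not part of the original article) parses a header dump of the kind curl -sI produces and reports missing headers, legacy settings, and a CSP that still lets inline or wildcard-HTTPS script run. The two header dumps inside it are constructed, the your-domain host is a placeholder, and the check list is the baseline from this article rather than an exhaustive scanner.

```shell
#!/bin/sh
# Added example (not from the original article): audit the security headers a
# site actually returns. Against a live site you would run
#     curl -sI https://your-domain/ | audit_headers
# Here two constructed header dumps stand in for live responses.

# header_value NAME: value of header NAME from the dump on stdin (names are
# case-insensitive; if a header repeats, the last occurrence wins).
header_value() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        index($0, ":") > 0 {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) {
                value = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", value)
                found = value
            }
        }
        END { if (found != "") print found }'
}

# csp_directive POLICY NAME: source list of directive NAME (empty if absent).
csp_directive() {
    printf '%s' "$1" | tr ';' '\n' | awk -v want="$2" '
        {
            sub(/^[ \t]+/, "")
            name = tolower($1)
            $1 = ""
            sub(/^[ \t]+/, "")
            if (name == want) { print; exit }
        }'
}

# audit_headers: read a header dump on stdin, print one line per finding and
# return the number of findings (0 means every baseline check passed).
audit_headers() {
    dump=$(tr -d '\r')      # curl prints CRLF line endings
    findings=0
    for name in strict-transport-security x-frame-options x-content-type-options \
                referrer-policy permissions-policy content-security-policy; do
        if [ -z "$(printf '%s\n' "$dump" | header_value "$name")" ]; then
            echo "MISSING  $name"
            findings=$((findings + 1))
        fi
    done
    hsts=$(printf '%s\n' "$dump" | header_value strict-transport-security)
    age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -n "$hsts" ] && [ "${age:-0}" -lt 31536000 ]; then
        echo "WEAK     strict-transport-security max-age is under one year"
        findings=$((findings + 1))
    fi
    xss=$(printf '%s\n' "$dump" | header_value x-xss-protection)
    if [ -n "$xss" ] && [ "$xss" != "0" ]; then
        echo "LEGACY   x-xss-protection is '$xss'; set it to 0 or remove it"
        findings=$((findings + 1))
    fi
    csp=$(printf '%s\n' "$dump" | header_value content-security-policy)
    if [ -n "$csp" ]; then
        script_src=$(csp_directive "$csp" script-src)
        [ -n "$script_src" ] || script_src=$(csp_directive "$csp" default-src)
        # any of these in script-src means injected script can still run
        for weak in "'unsafe-inline'" "'unsafe-eval'" "https:" "http:" "*"; do
            case " $script_src " in
                *" $weak "*) echo "WEAK     script-src allows $weak"
                             findings=$((findings + 1)) ;;
            esac
        done
        if [ -z "$(csp_directive "$csp" frame-ancestors)" ]; then
            echo "WEAK     no frame-ancestors; framing relies on X-Frame-Options alone"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Constructed sample 1: what the combined .htaccess block in this article sends.
WEAK_DUMP=$(printf '%s\r\n' 'HTTP/2 200' \
    'strict-transport-security: max-age=31536000; includeSubDomains' \
    'x-frame-options: SAMEORIGIN' 'x-content-type-options: nosniff' \
    'x-xss-protection: 1; mode=block' \
    'referrer-policy: strict-origin-when-cross-origin' \
    'permissions-policy: geolocation=(), microphone=(), camera=()' \
    "content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; object-src 'none'; base-uri 'self'")

# Constructed sample 2: a hash-based policy ('sha256-<hash>' is a placeholder)
# with frame-ancestors added and the legacy XSS filter disabled.
STRICT_DUMP=$(printf '%s\r\n' 'HTTP/2 200' \
    'strict-transport-security: max-age=63072000; includeSubDomains' \
    'x-frame-options: SAMEORIGIN' 'x-content-type-options: nosniff' \
    'x-xss-protection: 0' \
    'referrer-policy: strict-origin-when-cross-origin' \
    'permissions-policy: geolocation=(), microphone=(), camera=()' \
    "content-security-policy: default-src 'self'; script-src 'self' 'sha256-<hash>'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'")

echo "== article baseline =="
printf '%s\n' "$WEAK_DUMP" | audit_headers || echo "findings: $?"
echo "== hardened =="
printf '%s\n' "$STRICT_DUMP" | audit_headers && echo "findings: 0"
```

Run against the article's own combined block the script reports five findings, all in the CSP and the legacy XSS header, which is the expected result: the baseline is deliberately permissive for script, and the findings list is the to-do list for the nonce or hash migration described in section 2.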

Summary

Enhancing website security with .htaccess is one of the most effective ways to protect your site without modifying application code. By applying security headers, enforcing HTTPS, controlling resource loading, and hardening cookies, you create a strong defensive layer against modern web threats.

This guide provides a globally compatible configuration suitable for most websites, with optional advanced features for those who need them.
