How to set Apache security headers with .htaccess?
First, enable the rewrite module. Paste this command into the terminal (a2enmod is the Debian/Ubuntu helper; it tells you to restart Apache afterwards):
sudo a2enmod rewrite
Once the rewrite module is enabled, you can use .htaccess rules in Apache. Apache only reads .htaccess files in directories where AllowOverride permits them.
- www to non-www
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
(ex) www.magsty.net -> magsty.net
- non-www to www (use only one of the two directions; for this direction, pick one of the two variants below.)
Simple variant (note that it redirects to a hard-coded http://, so HTTPS visitors land on plain HTTP):
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
Variant that keeps the request's scheme (the second RewriteCond captures an "s" into %1 when the request is HTTPS, and the first RewriteCond only matches an apex domain, so subdomains are left alone):
# Redirect to www
RewriteEngine On
RewriteCond %{HTTP_HOST} ^[^.]+\.[^.]+$
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
(ex) magsty.net -> www.magsty.net
- custom 404
Add this line to .htaccess:
ErrorDocument 404 /error.html
This means that when a user gets a 404, Apache serves /error.html as the response body.
(ex) a user who gets a 404 sees the custom error page instead of Apache's default one.
- Let's add the HSTS header in Apache with .htaccess!
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Write this in .htaccess. max-age=63072000 is the time in seconds (two years) for which the browser keeps HSTS active for the site. Browsers only honour the header on HTTPS responses; use Header always set if it should also go out on error responses.
--------------------------------------------------------------------------
- Examine all subdomains (and nested subdomains) of your site and make sure that they work properly over HTTPS.
- Add the Strict-Transport-Security header to all HTTPS responses and ramp up the max-age in stages, using the following header values:
  - 5 minutes: max-age=300; includeSubDomains
  - 1 week: max-age=604800; includeSubDomains
  - 1 month: max-age=2592000; includeSubDomains
  Wait the full max-age of the stage before you move on. For example, wait a month in the last stage.
- Once you're confident that there will be no more issues, increase the max-age to 2 years and submit your site to the preload list:
  - 2 years, requesting to be preloaded: max-age=63072000; includeSubDomains; preload
This explanation is from hstspreload.org.
-------------------------------------------------------------------------
includeSubDomains applies the policy to all subdomains as well (like *.magsty.net).
preload asks for inclusion in the HSTS preload list that browsers ship with (Chrome, Firefox, Opera, Safari, IE 11 and Edge), so they use HTTPS for the site even on the very first visit.
With this, the configuration works.
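Before moving through the stages above, it helps to check the value you are about to ship. The following is an added example (not code from the original post or from hstspreload.org) that parses a Strict-Transport-Security value, names the ramp-up stage it belongs to, and reports what still blocks a preload submission. The stage table is the one quoted above; the one-year minimum max-age is hstspreload.org's published requirement.

```python
"""Check a Strict-Transport-Security value against the ramp-up stages and
preload requirements quoted above.

Added example, not code from the original post. The stage table and the
one-year preload minimum come from hstspreload.org's published guidance.
"""
import re

# Ramp-up stages quoted from hstspreload.org above (max-age in seconds).
STAGES = {
    300: "5 minutes",
    604800: "1 week",
    2592000: "1 month",
    63072000: "2 years",
}

# hstspreload.org's minimum max-age for a preload submission: one year.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Return {directive_name: argument_or_None} for an HSTS header value.

    Directive names are case-insensitive, so they are lower-cased here.
    Stray whitespace around ';' is tolerated, as browsers tolerate it.
    A directive appearing twice makes the header invalid (RFC 6797), so
    duplicates raise instead of silently winning.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = arg.strip().strip('"') if arg else None
    return directives


def check_hsts(value):
    """Return (ok, problems): ok is True when the value is preload-ready."""
    try:
        directives = parse_hsts(value)
    except ValueError as exc:
        return False, [str(exc)]
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return False, ["max-age missing or not a non-negative integer"]
    problems = []
    if int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age %s is below the preload minimum of %d"
                        % (max_age, PRELOAD_MIN_MAX_AGE))
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload missing")
    return not problems, problems


def stage_of(value):
    """Name the ramp-up stage a header value corresponds to, or None."""
    max_age = parse_hsts(value).get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return STAGES.get(int(max_age))


if __name__ == "__main__":
    for hsts in ("max-age=300; includeSubDomains",
                 "max-age=63072000; includeSubDomains; preload"):
        print(hsts, "->", stage_of(hsts), check_hsts(hsts))
```

Run it against the exact string you put in the Header directive; a value that passes check_hsts is the one you submit in the last stage, and stage_of tells you which stage an intermediate value represents.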
- Let's add the Referrer-Policy header in Apache with .htaccess!
Header always set Referrer-Policy "same-origin"
Write this in .htaccess.
The available values are:
no-referrer
no-referrer-when-downgrade (default)
origin
origin-when-cross-origin
same-origin
strict-origin
strict-origin-when-cross-origin
unsafe-url
------------------------------------------------------------
no-referrer
- The Referer header will be omitted entirely. No referrer information is sent along with requests.
no-referrer-when-downgrade (default)
- This is the default behavior if no policy is specified, or if the provided value is invalid. The origin, path, and querystring of the URL are sent as a referrer when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS) or improves (HTTP→HTTPS), but isn't sent to less secure destinations (HTTPS→HTTP). There is effort from browsers in moving to a stricter default value, namely strict-origin-when-cross-origin (see https://github.com/whatwg/fetch/pull/952); consider using this value (or a stricter one), if possible, when changing the Referrer-Policy.
origin
- Only send the origin of the document as the referrer. For example, a document at https://example.com/page.html will send the referrer https://example.com/.
origin-when-cross-origin
- Send the origin, path, and query string when performing a same-origin request, but only send the origin of the document for other cases.
same-origin
- A referrer will be sent for same-site origins, but cross-origin requests will send no referrer information.
strict-origin
- Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).
strict-origin-when-cross-origin
- Send the origin, path, and querystring when performing a same-origin request, only send the origin when the protocol security level stays the same while performing a cross-origin request (HTTPS→HTTPS), and send no header to any less-secure destinations (HTTPS→HTTP).
unsafe-url
- Send the origin, path, and query string when performing any request, regardless of security.
This explanation is from Mozilla's MDN documentation.
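The eight definitions above are easier to compare when run side by side. The following is an added example (not code from the original post or from MDN) that computes the Referer value a browser would send from a source page to a destination under each policy, including the fallback to the default for an invalid value. The URLs are constructed; the origin comparison drops userinfo and compares scheme, host and explicit port textually, so https://example.com and https://example.com:443 count as different origins here.

```python
"""Work out which Referer value a browser sends under each Referrer-Policy,
following the definitions quoted above.

Added example, not code from the original post or from MDN. URLs in the
demo are constructed; origins are compared as scheme://host[:port] text.
"""
from urllib.parse import urlsplit, urlunsplit

# The default applies when the policy is missing or invalid (see above).
DEFAULT_POLICY = "no-referrer-when-downgrade"

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def origin_of(url):
    """scheme://host[:port]/ with userinfo dropped, as a browser sends it."""
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1].lower()
    return "%s://%s/" % (p.scheme.lower(), host)


def full_referrer(url):
    """Origin, path and query string; the fragment is never sent."""
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1]
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def is_downgrade(src, dst):
    """True for HTTPS -> HTTP, the 'less secure destination' case."""
    return (urlsplit(src).scheme.lower() == "https"
            and urlsplit(dst).scheme.lower() == "http")


def referrer_for(policy, src, dst):
    """Return the Referer value for a request from src to dst, or None."""
    policy = policy.strip().lower()
    if policy not in POLICIES:
        policy = DEFAULT_POLICY          # invalid value: browser uses the default
    same = origin_of(src) == origin_of(dst)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_referrer(src)
    if policy == "no-referrer-when-downgrade":
        return None if is_downgrade(src, dst) else full_referrer(src)
    if policy == "origin":
        return origin_of(src)
    if policy == "origin-when-cross-origin":
        return full_referrer(src) if same else origin_of(src)
    if policy == "same-origin":
        return full_referrer(src) if same else None
    if policy == "strict-origin":
        return None if is_downgrade(src, dst) else origin_of(src)
    # strict-origin-when-cross-origin: full for same-origin, origin for
    # cross-origin at the same security level, nothing on a downgrade.
    if same:
        return full_referrer(src)
    return None if is_downgrade(src, dst) else origin_of(src)


def referrer_table(src, dst):
    """Map every policy to the Referer it yields for src -> dst."""
    return {policy: referrer_for(policy, src, dst) for policy in POLICIES}


if __name__ == "__main__":
    table = referrer_table("https://example.com/page.html?q=1",
                           "http://other.example/")
    for policy, ref in table.items():
        print("%-32s %s" % (policy, ref))
```

The table for an HTTPS page linking to an HTTP site shows why the post picks same-origin: only unsafe-url leaks the full URL on that downgrade, and origin / origin-when-cross-origin still reveal the origin.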
-------------------------------------------------------------
- Let's delete the .html or .php extension!
1. delete .html extension
(ex) magsty.net/index.html -> magsty.net/index
2. delete .php extension
(ex) magsty.net/index.php -> magsty.net/index
3. delete .jsp extension
(ex) magsty.net/index.jsp -> magsty.net/index
Each block below first forces HTTPS and then maps an extension-less path to the file on disk. The HTTPS redirect is guarded by RewriteCond %{HTTPS} off so that it only fires for plain-HTTP requests and cannot redirect in a loop; if TLS is terminated by a proxy in front of Apache, %{HTTPS} is off for every request and you need to test the forwarded-protocol header your proxy sets instead.
1. delete .html extension
RewriteEngine On
# Force HTTPS (only for plain-HTTP requests, otherwise this would loop)
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Serve /page.html for a request to /page when that file exists
RewriteCond %{DOCUMENT_ROOT}/$1.html -f
RewriteRule ^(.+)/?$ /$1.html [L]
2. delete .php extension
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{DOCUMENT_ROOT}/$1.php -f
RewriteRule ^(.+)/?$ /$1.php [L]
3. delete .jsp extension
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{DOCUMENT_ROOT}/$1.jsp -f
RewriteRule ^(.+)/?$ /$1.jsp [L]
- Let's add X-XSS-Protection in Apache with .htaccess!
Header set X-XSS-Protection "1; mode=block"
Write this in .htaccess. Note that this header controls the browser's built-in XSS auditor, which Chrome and Edge have since removed (Firefox never had one), so it has no effect there; Content-Security-Policy is the current mechanism for that purpose.
- Let's add the Feature-Policy header in Apache with .htaccess!
Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self' https://yourdomain"
Write this in .htaccess, replacing https://yourdomain with your own origin. Feature-Policy has since been renamed Permissions-Policy, with a different value syntax, so newer browsers look for that header instead.
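After all of the Header directives above are in place, the last step is to confirm they actually reach the client. The following is an added example (not code from the original post) that parses a raw HTTP response and audits it for the four headers this post sets: it flags a missing header, works out which Referrer-Policy token a browser would honour when the value contains several (the last recognised one wins, unknown ones are ignored), and notes a Feature-Policy that has no Permissions-Policy beside it. The response bytes are constructed for the demo; in practice you would feed it the output of a curl -si request against your server.

```python
"""Audit the response headers set in this post, given a raw HTTP response.

Added example, not code from the original post. The response bytes are
constructed to show one missing header and one partly invalid value.
"""
from email.parser import BytesParser

# Valid Referrer-Policy tokens, as listed in the post.
REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

# Headers this post configures with Header / Header always set.
EXPECTED_HEADERS = (
    "Strict-Transport-Security",
    "Referrer-Policy",
    "X-XSS-Protection",
    "Feature-Policy",
)

# Constructed sample: HSTS and Feature-Policy are set, Referrer-Policy carries
# one bogus token plus a valid one, and X-XSS-Protection is missing.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    b"Referrer-Policy: bogus-policy, same-origin\r\n"
    b"Feature-Policy: microphone 'none'; payment 'none'\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers).

    The header block is RFC 822 style, so the stdlib email parser reads it
    and gives case-insensitive lookups via headers.get().
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    headers = BytesParser().parsebytes(header_block + b"\r\n")
    return status_line.decode("ascii", "replace"), headers


def effective_referrer_policy(value):
    """Return the last recognised token of a comma-separated Referrer-Policy
    value (that is what browsers apply), or None when no token is valid."""
    chosen = None
    for token in value.split(","):
        token = token.strip().lower()
        if token in REFERRER_POLICIES:
            chosen = token
    return chosen


def audit(raw):
    """Return a sorted list of findings; empty means every check passed."""
    _status, headers = parse_response(raw)
    findings = []
    for name in EXPECTED_HEADERS:
        if headers.get(name) is None:
            findings.append("missing: " + name)
    rp = headers.get("Referrer-Policy")
    if rp is not None:
        policy = effective_referrer_policy(rp)
        if policy is None:
            findings.append("Referrer-Policy has no valid token; "
                            "browser falls back to its default")
        elif policy != rp.strip().lower():
            findings.append("Referrer-Policy: effective policy is %r, "
                            "other tokens ignored" % policy)
    if (headers.get("Feature-Policy") is not None
            and headers.get("Permissions-Policy") is None):
        findings.append("Feature-Policy set without Permissions-Policy "
                        "(the newer header name)")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE) or ["all checks passed"]:
        print(finding)
```

Run the audit against both a normal page and a 404 page: a header set with plain Header set (without always) will show up as missing on the error response, which is exactly the case the always keyword exists for.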
Thanks for reading; leave a comment if you have a correction request or a question.