How to set Apache security headers with .htaccess?

First, enable the Apache rewrite module (mod_rewrite). On Debian/Ubuntu, run this command in a terminal:
sudo a2enmod rewrite

Once the module is enabled (and AllowOverride permits it for the directory), you can use .htaccess files in Apache. The Header directives further down also need mod_headers (sudo a2enmod headers), and Apache has to be restarted after enabling modules, otherwise every request in that directory fails with a 500 error.


  • www to non-www
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
(ex) www.magsty.net -> magsty.net

  • non-www to www (use only one of the two variants below)
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

# Redirect to www
RewriteCond %{HTTP_HOST} ^[^.]+\.[^.]+$
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
(ex) magsty.net -> www.magsty.net


  • 404 custom
Add this line to .htaccess:
ErrorDocument 404 /error.html
This means that when a user gets a 404, Apache serves /error.html instead of its default error page. The path is relative to the document root, so /error.html must exist there (or the user gets a second 404).

(ex) screenshot: the custom error page is shown instead of Apache's default "Not Found" page.

  • Let's add the HSTS header in Apache with .htaccess!
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Write this in .htaccess. Only send it on HTTPS responses; browsers ignore the header over plain HTTP.
max-age=63072000 is the number of seconds (two years) for which the browser remembers that this site must only be reached over HTTPS.
--------------------------------------------------------------------------
  1. Examine all subdomains (and nested subdomains) of your site and make sure that they work properly over HTTPS.
  2. Add the Strict-Transport-Security header to all HTTPS responses and ramp up the max-age in stages, using the following header values:
    • 5 minutes:
      max-age=300; includeSubDomains
    • 1 week:
      max-age=604800; includeSubDomains
    • 1 month:
      max-age=2592000; includeSubDomains
    During each stage, check for broken pages and monitor your site's metrics (e.g. traffic, revenue). Fix any problems that come up and then wait the full max-age of the stage before you move on. For example, wait a month in the last stage.
  3. Once you're confident that there will be no more issues, increase the max-age to 2 years and submit your site to the preload list:
    • 2 years, requesting to be preloaded:
      max-age=63072000; includeSubDomains; preload
    (This explanation is quoted from hstspreload.org.)
-------------------------------------------------------------------------
includeSubDomains means the policy also applies to every subdomain (e.g. *.magsty.net), so all of them must be reachable over HTTPS before you add it.

preload asks for the site to be added to the HSTS preload list that browsers ship with (Chrome, Firefox, Opera, Safari, IE 11 and Edge), so even a user's very first visit is forced to HTTPS. Submission is done at hstspreload.org and is hard to undo, which is why the staged rollout above matters.

When the Strict-Transport-Security header shows up in the response (for example in the browser's developer tools), the configuration is working.
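To check what a browser will actually make of the header value above, here is an added example (my own code, not part of the original post and not hstspreload.org's tooling) that parses a Strict-Transport-Security value, maps its max-age onto the rollout stages from the quoted steps, and checks the preload requirements. The one-year minimum max-age for preload submission (PRELOAD_MIN_MAX_AGE) is my own recollection of hstspreload.org's rules and is labelled as an assumption; the post itself rolls out to two years. The sample header values are constructed.

```python
# Added example (not from the original post): parse a Strict-Transport-Security
# header value the way a browser sees it, report which rollout stage from the
# hstspreload.org steps it corresponds to, and check preload readiness.
from typing import Optional

# Stage values taken from the post's rollout table (seconds).
STAGES = {300: "5 minutes", 604800: "1 week", 2592000: "1 month", 63072000: "2 years"}

# ASSUMPTION: hstspreload.org requires at least one year (31536000 s) for
# submission; the post itself uses two years, which satisfies this.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> dict:
    """Split 'max-age=63072000; includeSubDomains ; preload' into a dict.
    Directive names are case-insensitive and whitespace around ';' is
    tolerated, which is why a header with a space before ';' still parses."""
    result = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')  # RFC 6797 allows a quoted max-age value
        if name == "max-age":
            if not raw.isdigit():
                raise ValueError(f"invalid max-age: {raw!r}")
            result["max-age"] = int(raw)
        elif name in ("includesubdomains", "preload"):
            result[name] = True
        # Unknown directives are ignored, as RFC 6797 requires.
    if "max-age" not in result:
        raise ValueError("Strict-Transport-Security without max-age is ignored by browsers")
    return result


def hsts_stage(value: str) -> Optional[str]:
    """Name of the rollout stage this header corresponds to, or None if the
    max-age is not one of the staged values from the post."""
    return STAGES.get(parse_hsts(value)["max-age"])


def preload_ready(value: str) -> tuple:
    """Check the three preload conditions: long enough max-age,
    includeSubDomains, and the preload token. Returns (ok, problems)."""
    parsed = parse_hsts(value)
    problems = []
    if parsed["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {parsed['max-age']} < {PRELOAD_MIN_MAX_AGE}")
    if not parsed.get("includesubdomains"):
        problems.append("includeSubDomains missing")
    if not parsed.get("preload"):
        problems.append("preload token missing")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed samples: the post's final header and a first-stage header.
    for sample in ("max-age=63072000; includeSubDomains ; preload",
                   "max-age=300; includeSubDomains"):
        print(sample, "->", hsts_stage(sample), preload_ready(sample))
```

Run it against the value you actually put in .htaccess (copy it out of a response captured with curl -I or the browser's network tab) before submitting to the preload list; a first-stage header correctly fails the preload check with two problems listed.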

  • Let's add the Referrer-Policy header in Apache with .htaccess!
Header always set Referrer-Policy "same-origin"
Write this in .htaccess.

The available values are:
no-referrer
no-referrer-when-downgrade (default)
origin
origin-when-cross-origin
same-origin
strict-origin
strict-origin-when-cross-origin
unsafe-url
------------------------------------------------------------
no-referrer
The Referer header will be omitted entirely. No referrer information is sent along with requests.
no-referrer-when-downgrade (default)
This is the default behavior if no policy is specified, or if the provided value is invalid. The origin, path, and querystring of the URL are sent as a referrer when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS) or improves (HTTP→HTTPS), but isn't sent to less secure destinations (HTTPS→HTTP).
There is effort from browsers in moving to a stricter default value, namely strict-origin-when-cross-origin (see https://github.com/whatwg/fetch/pull/952), consider using this value (or a stricter one), if possible, when changing the Referrer-Policy.
origin
Only send the origin of the document as the referrer.
For example, a document at https://example.com/page.html will send the referrer https://example.com/.
origin-when-cross-origin
Send the origin, path, and query string when performing a same-origin request, but only send the origin of the document for other cases.
same-origin
A referrer will be sent for same-site origins, but cross-origin requests will send no referrer information.
strict-origin
Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).
strict-origin-when-cross-origin
Send the origin, path, and querystring when performing a same-origin request, only send the origin when the protocol security level stays the same while performing a cross-origin request (HTTPS→HTTPS), and send no header to any less-secure destinations (HTTPS→HTTP).
unsafe-url
Send the origin, path, and query string when performing any request, regardless of security.

(This explanation is quoted from Mozilla's MDN documentation.)
------------------------------------------------------------
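The descriptions above are easier to compare side by side when you can run them. Here is an added example (my own code, not from the original post and not MDN's) that models which Referer value a browser sends from a page at `source` to `destination` under each policy in the list, and falls back to the default for an unknown value as MDN describes. Simplifications, labelled in the code: same-origin is decided by comparing the literal scheme://host[:port] text, and credentials embedded in a URL are not stripped. All URLs are constructed samples.

```python
# Added example (not from the original post): a model of the Referer value sent
# under each Referrer-Policy value from the list above.
from typing import Optional
from urllib.parse import urlsplit

POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}
DEFAULT_POLICY = "no-referrer-when-downgrade"  # the default named in the list


def origin_of(url: str) -> str:
    """scheme://host[:port]/ as MDN shows it (https://example.com/)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"


def full_referrer(url: str) -> str:
    """Origin, path and query string; the fragment is never sent.
    Simplification: userinfo in the URL is not stripped here."""
    return urlsplit(url)._replace(fragment="").geturl()


def is_downgrade(source: str, destination: str) -> bool:
    """HTTPS -> HTTP is the only downgrade the policies distinguish."""
    return urlsplit(source).scheme == "https" and urlsplit(destination).scheme == "http"


def same_origin(source: str, destination: str) -> bool:
    """Simplification: literal comparison of scheme://host[:port]."""
    return origin_of(source) == origin_of(destination)


def referrer_for(policy: str, source: str, destination: str) -> Optional[str]:
    """Return the Referer header value, or None when no header is sent."""
    policy = policy.strip().lower()
    if policy not in POLICIES:  # missing or invalid value -> default behaviour
        policy = DEFAULT_POLICY
    downgrade = is_downgrade(source, destination)
    same = same_origin(source, destination)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_referrer(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_referrer(source)
    if policy == "origin":
        return origin_of(source)
    if policy == "strict-origin":
        return None if downgrade else origin_of(source)
    if policy == "same-origin":
        return full_referrer(source) if same else None
    if policy == "origin-when-cross-origin":
        return full_referrer(source) if same else origin_of(source)
    # strict-origin-when-cross-origin: full when same-origin, origin when
    # cross-origin at the same security level, nothing on a downgrade.
    if same:
        return full_referrer(source)
    return None if downgrade else origin_of(source)


if __name__ == "__main__":
    # Constructed sample page and three destinations: same-origin,
    # cross-origin over HTTPS, and a downgrade to HTTP.
    src = "https://example.com/page.html?id=1#top"
    for dest in ("https://example.com/other", "https://other.net/", "http://other.net/"):
        print(dest)
        for pol in sorted(POLICIES):
            print(f"  {pol:32} {referrer_for(pol, src, dest)}")
```

The table it prints shows why the post's choice of same-origin is a safe default for a site that does not want its paths and query strings leaking to third parties: only the same-origin destination ever receives a Referer.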

  • Let's remove the .html or .php extension from URLs!

The RewriteCond in each block checks that a file with that extension really exists, so requests for any other path fall through untouched (and end up at the custom 404 page above). The three blocks differ only in the extension.

1. remove the .html extension
RewriteEngine On
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
RewriteCond %{DOCUMENT_ROOT}/$1.html -f
RewriteRule ^(.+)/?$ /$1.html [L]
(ex) a request for magsty.net/index is served from index.html, so links can omit the extension

2. remove the .php extension
RewriteEngine On
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
RewriteCond %{DOCUMENT_ROOT}/$1.php -f
RewriteRule ^(.+)/?$ /$1.php [L]
(ex) a request for magsty.net/index is served from index.php

3. remove the .jsp extension
RewriteEngine On
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
RewriteCond %{DOCUMENT_ROOT}/$1.jsp -f
RewriteRule ^(.+)/?$ /$1.jsp [L]
(ex) a request for magsty.net/index is served from index.jsp


  • Let's add X-XSS-Protection in Apache with .htaccess!
Header set X-XSS-Protection "1; mode=block"
Write this in .htaccess. Note that this header drives a legacy browser filter: current Chrome and Edge ignore it and Firefox never implemented it, so it adds no protection in modern browsers; a Content-Security-Policy header is what actually limits script injection today.


  • Let's add the Feature-Policy header in Apache with .htaccess!
Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self' https://yourdomain"
Write this in .htaccess, replacing https://yourdomain with the origin that should be allowed. Each directive is a feature name followed by an allowlist: 'none' disables the feature everywhere, 'self' allows only your own origin, and explicit origins may be listed after it. Current browsers have replaced Feature-Policy with Permissions-Policy, which has a different syntax, so send that header as well for new deployments.
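As an added example (my own code, not from the original post), here is a parser for the Feature-Policy syntax used above, a check of whether a given origin may use a feature on a page at self_origin, and a small audit that flags the two headers in this part of the post that modern browsers no longer honour. The origin https://payments.example stands in for the post's https://yourdomain placeholder, and the sample policy and origins are constructed. This parses only the Feature-Policy form; the Permissions-Policy syntax is different and is not handled here. For features the header does not mention, the browser applies a per-feature default that this example does not model, so it returns None in that case.

```python
# Added example (not from the original post): parse a Feature-Policy header and
# evaluate it, plus flag legacy headers. Constructed sample values throughout.
from typing import Dict, List, Optional


def parse_feature_policy(value: str) -> Dict[str, List[str]]:
    """'microphone 'none'; sync-xhr 'self' https://payments.example'
    -> {'microphone': ["'none'"], 'sync-xhr': ["'self'", 'https://payments.example']}"""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue  # tolerate trailing ';' or doubled separators
        feature, allowlist = tokens[0].lower(), tokens[1:]
        policy[feature] = allowlist
    return policy


def _norm(origin: str) -> str:
    """Compare origins case-insensitively and ignore a trailing slash."""
    return origin.rstrip("/").lower()


def feature_allowed(policy: Dict[str, List[str]], feature: str,
                    origin: str, self_origin: str) -> Optional[bool]:
    """True/False when the header lists the feature; None when it does not
    (the browser's own default for that feature then applies)."""
    allowlist = policy.get(feature.lower())
    if allowlist is None:
        return None
    for entry in allowlist:
        if entry == "'none'":
            return False
        if entry == "*":
            return True
        if entry == "'self'":
            if _norm(origin) == _norm(self_origin):
                return True
        elif _norm(entry) == _norm(origin):
            return True
    return False  # listed feature, but this origin is not in the allowlist


def legacy_header_findings(headers: Dict[str, str]) -> List[str]:
    """Flag headers from this section that current browsers no longer act on."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "x-xss-protection" in present:
        findings.append("X-XSS-Protection is ignored by current Chrome/Edge and was never "
                        "implemented in Firefox; use Content-Security-Policy instead")
    if "feature-policy" in present and "permissions-policy" not in present:
        findings.append("Feature-Policy is set without Permissions-Policy; current "
                        "browsers read Permissions-Policy")
    return findings


if __name__ == "__main__":
    # Constructed sample: the post's header with the placeholder origin filled in.
    policy = parse_feature_policy(
        "microphone 'none'; payment 'none'; sync-xhr 'self' https://payments.example")
    me = "https://magsty.net"
    for feature, origin in (("microphone", me), ("sync-xhr", me),
                            ("sync-xhr", "https://payments.example"),
                            ("sync-xhr", "https://other.example"), ("camera", me)):
        print(f"{feature:10} from {origin:28} -> {feature_allowed(policy, feature, origin, me)}")
    print(legacy_header_findings({"X-XSS-Protection": "1; mode=block",
                                  "Feature-Policy": "microphone 'none'"}))
```

Feed legacy_header_findings the headers you capture from your own server after applying the .htaccess changes; an empty list means nothing in this section needs migrating.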


Thanks for reading, and write a comment if you have a question or want me to rewrite a section.


