Skip to main content

How to add nosniif, CORS, HSTS, Clickjack, and X-Xss-Protection headers on a per domain basis

Eric Delorme
  • Updated

Introduction

If you want to add nosniif, CORS, HTTP Strict-Transport-Security, Clickjack, and X-Xss-Protection headers to a particular user or domain you can add them using the user level Apache includes. It is best to use the Apache includes because they may not get applied when added in .htaccess files.

If you're looking for a document on adding these headers for all domains including the server IP then please refer to: PCI failure - Insecure configuration of Cookie attributes using /etc/apache2/conf.d/includes/pre_main_global.conf instead of user and domain includes below.

 

Procedure

You first need to create the paths for the includes if they do not already exist.

mkdir -p /etc/apache2/conf.d/userdata/std/2_4/USER/DOMAIN.com/
mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/USER/DOMAIN.com/

Next, you can create a .conf file and place it in either /etc/apache2/conf.d/userdata/ssl/2_4/USER/ to be loaded for all domains under the user USER or you can create a .conf file for just one domain by creating the domains folder under that user and place the .conf file in that folder. In this example, the .conf file will be for headers.conf. 

The files then to create would be uniquely named something like

/etc/apache2/conf.d/userdata/ssl/2_4/USER/DOMAIN.com/headers.conf

and

/etc/apache2/conf.d/userdata/std/2_4/USER/DOMAIN.com/headers.conf

Note: one has std for port 80 and one has ssl for port 443 ssl access

Then in each file put the following content:

<IfModule mod_headers.c>
# Disable content sniffing, since it's an attack vector.
Header always set X-Content-Type-Options "nosniff"
# Disable Proxy header, since it's an attack vector.
RequestHeader unset Proxy
# Add CORS-Header
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET"
# HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Referrer Policy
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Clickjack Attack
Header always set X-Frame-Options "SAMEORIGIN"
# X-Xss-Protection
Header always set X-Xss-Protection "1; mode=block"
# Header Injection
Header unset X-Forwarded-Host
</IfModule>
ProxyAddHeaders Off

If you need to make POST requests to other domains, the allowed methods will need to include POST like so.

Header set Access-Control-Allow-Methods "GET, POST"

If you want this included with all accounts and domains then instead

mkdir -p /etc/apache2/conf.d/userdata/

and create a file of

/etc/apache2/conf.d/userdata/headers.conf

with the above contents.

Then we need to rebuild httpd.conf so those includes get added with

/scripts/rebuildhttpdconf

and then APache restart with

/scripts/restartsrv_httpd

Related articles