Skip to main content

How to add nosniif, CORS, HSTS, Clickjack, and X-Xss-Protection headers on a per domain basis

Eric Delorme
  • Updated

Introduction

If you want to add nosniif, CORS, HTTP Strict-Transport-Security, Clickjack, and X-Xss-Protection headers to a particular user or domain you can add them using the user-level Apache includes. It is best to use the Apache includes because they may not get applied when added in .htaccess files.

If you're looking for a document on adding these headers for all domains, including the server IP, then please refer to:

PCI failure - Insecure configuration of Cookie attributes

 

Procedure

In the below examples, USER is the cPanel username and example.tld is replaced with your domain name.

  1. Create the paths for the includes if they do not already exist. 
    mkdir -p /etc/apache2/conf.d/userdata/std/2_4/USER/example.tld/
    mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/USER/example.tld/
  2. Create a .conf file and place it in either /etc/apache2/conf.d/userdata/ssl/2_4/USER/ to be loaded for all domains under the user, or you can create a .conf file for just one domain by creating the domains folder under that user and place the .conf file in that folder. In this example, the .conf file will be for headers.conf. The files then created would be uniquely named something like: 
    /etc/apache2/conf.d/userdata/ssl/2_4/USER/DOMAIN.com/headers.conf
    /etc/apache2/conf.d/userdata/std/2_4/USER/DOMAIN.com/headers.conf
    Note: one has std for port 80 and the other ssl for port 443
  3. In each file put the following content:
    <IfModule mod_headers.c>
    # Disable content sniffing, since it's an attack vector.
    Header always set X-Content-Type-Options "nosniff"
    # Disable Proxy header, since it's an attack vector.
    RequestHeader unset Proxy
    # Add CORS-Header
    Header set Access-Control-Allow-Origin "*"
    Header set Access-Control-Allow-Methods "GET"
    # HSTS
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # Referrer Policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Clickjack Attack
    Header always set X-Frame-Options "SAMEORIGIN"
    # X-Xss-Protection
    Header always set X-Xss-Protection "1; mode=block"
    # Header Injection
    Header unset X-Forwarded-Host
    </IfModule>
    ProxyAddHeaders Off
  4. If you need to make POST requests to other domains, the allowed methods will need to include POST: 
    Header set Access-Control-Allow-Methods "GET, POST"
  5. Rebuild httpd.conf, to add the includes:
    /scripts/rebuildhttpdconf
  6. Then restart Apache, so the new configuration is loaded: 
    /scripts/restartsrv_httpd

Related articles

Comments

0 comments

Article is closed for comments.