Introduction
If you want to add nosniff, CORS, HTTP Strict-Transport-Security, clickjacking and X-Xss-Protection headers for a particular user or domain, you can add them using the user-level Apache includes. The Apache includes are preferred because headers set in .htaccess files may not get applied.
If you're looking for a document on adding these headers for all domains, including the server IP, then please refer to:
PCI failure - Insecure configuration of Cookie attributes
Procedure
In the below examples, USER is the cPanel username and example.tld is replaced with your domain name.
- Create the paths for the includes if they do not already exist.
mkdir -p /etc/apache2/conf.d/userdata/std/2_4/USER/example.tld/
mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/USER/example.tld/
- Create a .conf file and place it in /etc/apache2/conf.d/userdata/ssl/2_4/USER/ to have it loaded for all domains under the user, or create a folder for the domain under that user and place the .conf file there to apply it to just that domain. In this example the file is named headers.conf, so the files created would be:
/etc/apache2/conf.d/userdata/ssl/2_4/USER/example.tld/headers.conf
/etc/apache2/conf.d/userdata/std/2_4/USER/example.tld/headers.conf
Note: one path has std for port 80 and the other has ssl for port 443.
- In each file put the following content:
<IfModule mod_headers.c>
# Disable MIME sniffing, since it's an attack vector.
Header always set X-Content-Type-Options "nosniff"
# Strip any client-supplied Proxy header, since it's an attack vector (httpoxy).
RequestHeader unset Proxy
# CORS headers. "*" lets any origin read responses, so narrow it if the site serves private data.
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET"
# HSTS (one year, all subdomains). Browsers only honour it over HTTPS, so the std copy is inert.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Referrer Policy
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Clickjacking protection
Header always set X-Frame-Options "SAMEORIGIN"
# X-Xss-Protection
Header always set X-Xss-Protection "1; mode=block"
# Header Injection: remove X-Forwarded-Host from responses
Header unset X-Forwarded-Host
</IfModule>
# Do not add X-Forwarded-* headers to proxied requests (directive only exists when mod_proxy is loaded).
<IfModule mod_proxy.c>
ProxyAddHeaders Off
</IfModule>
- If you need to make POST requests to other domains, the allowed methods will need to include POST:
Header set Access-Control-Allow-Methods "GET, POST"
- Rebuild httpd.conf, to add the includes:
/scripts/rebuildhttpdconf
- Then restart Apache, so the new configuration is loaded:
/scripts/restartsrv_httpd
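The whole procedure above as one script, added here as an example and not part of cPanel's own tooling: it writes headers.conf into both the std and ssl include trees for a user/domain, checks the file contains the expected directives, and then rebuilds httpd.conf and restarts Apache. The APACHE_USERDATA override, the function names and the optional verify_live check are assumptions of this example; the include paths and the /scripts commands are the ones the article gives.

```shell
#!/bin/sh
# Added example (not from the original article): install the per-domain
# headers.conf include on both the std (port 80) and ssl (port 443) trees.
# APACHE_USERDATA is an assumed override so the functions can be exercised
# against a scratch directory instead of the live cPanel tree.
APACHE_USERDATA="${APACHE_USERDATA:-/etc/apache2/conf.d/userdata}"

# Print the include body. Browsers only honour HSTS when received over HTTPS,
# so the copy in the std tree is harmless but inert for that one header.
headers_conf_body() {
    cat <<'EOF'
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    RequestHeader unset Proxy
    Header set Access-Control-Allow-Origin "*"
    Header set Access-Control-Allow-Methods "GET"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Xss-Protection "1; mode=block"
    Header unset X-Forwarded-Host
</IfModule>
<IfModule mod_proxy.c>
    ProxyAddHeaders Off
</IfModule>
EOF
}

# Write headers.conf under both include trees for USER/DOMAIN and print the
# two paths written, one per line.
install_headers_conf() {
    user="$1"; domain="$2"
    for tree in std ssl; do
        dir="$APACHE_USERDATA/$tree/2_4/$user/$domain"
        mkdir -p "$dir"
        headers_conf_body > "$dir/headers.conf"
        printf '%s\n' "$dir/headers.conf"
    done
}

# Return 0 only when every expected directive is present in the given file.
check_headers_conf() {
    for d in X-Content-Type-Options Strict-Transport-Security X-Frame-Options \
             Referrer-Policy X-Xss-Protection Access-Control-Allow-Origin; do
        grep -q "$d" "$1" || return 1
    done
}

# Rebuild httpd.conf so the new include is picked up, then restart Apache.
# Only meaningful on a cPanel host where these scripts exist.
apply_config() {
    [ -x /scripts/rebuildhttpdconf ] || { echo "not a cPanel host" >&2; return 1; }
    /scripts/rebuildhttpdconf && /scripts/restartsrv_httpd
}

# Confirm from the outside that the headers are really served (needs curl and
# network access). Usage: verify_live https://example.tld/
verify_live() {
    curl -sSI "$1" | grep -iE '^(x-content-type-options|strict-transport-security|x-frame-options):'
}

# Usage: sh install_headers.sh USER example.tld
if [ "$#" -eq 2 ]; then
    install_headers_conf "$1" "$2"
    apply_config
fi
```

Run it once per user/domain; after the restart, verify_live against the HTTPS URL should list the three headers it greps for, while the same request over plain HTTP will show no Strict-Transport-Security because browsers and Apache treat it as an HTTPS-only header.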