Using .htaccess file to implement Security Headers

Hi, @schoen and others,

Recently, I got an SSL certificate from “Let’s Encrypt”. I put my ‘https’ website through the observatory.mozilla.org set of tests and I got a wide range of results: from “F” to “A+”.

I have used advice given to me on this forum and after adding “HSTS” rules to my .htaccess file, my test results improved (“E” to “A+”). Then, I also added “Content-Security-Policy”, but that did not change my ratings any further.

So, my question is whether “Content-Security-Policy” rules can be implemented by way of the .htaccess file, or must they be implemented server-wide to take effect? The same question applies to “X-Frame-Options”, “X-XSS-Protection”, “X-Content-Type-Options”, “Referrer-Policy” and “Public-Key-Pins”.

Thank you very much, in advance…
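As an added example (not code from the thread or from any poster), here is a minimal `.htaccess` fragment that sets the headers discussed above on a per-directory basis. It assumes the shared host loads `mod_headers` and that `AllowOverride` permits `Header` directives in `.htaccess`; the `max-age`, CSP sources and Referrer-Policy value are placeholders to adapt to the site.

```apache
# Added example, not from the thread. Assumes mod_headers is loaded and
# AllowOverride lets .htaccess use Header directives.
<IfModule mod_headers.c>
    # "always" also applies the header to error responses (4xx/5xx).
    # HSTS is only meaningful over HTTPS; env=HTTPS keeps it off plain-HTTP responses.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

    # CSP: start from 'self' only and add sources per resource type as the site needs them.
    # frame-ancestors 'none' is the CSP equivalent of X-Frame-Options DENY.
    Header always set Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'"

    Header always set X-Frame-Options "DENY"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Legacy header; current browsers ignore it, kept only for scanners that still look for it.
    Header always set X-XSS-Protection "1; mode=block"

    # Public-Key-Pins is deliberately omitted: a renewed certificate with a new keypair
    # would lock out every client that cached the old pin.
</IfModule>
```

After uploading, confirm the headers actually reach the browser with `curl -sI https://YOUR-DOMAIN/` (replace with your own domain); if none appear, the host has either not enabled `mod_headers` or not allowed `.htaccess` to set headers, and the directives silently do nothing.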

A+ is the maximum rating on SSL Labs (currently).

I would say you should implement those headers site-wide. Obviously, if you manage all the sites on the server and would like to implement the same headers for all sites, you can implement them server-wide.

Public key pinning isn't something you should "just do", because it can make your site unusable. For example, the default behaviour of the certbot client is to use a different keypair for every certificate. Thus, if you would only pin the end leaf certificate (which isn't advisable in the first place) and you would renew your certificate, your site would be unusable for clients implementing public key pinning.

I was referring to my "E" rating at the Observatory.

[quote="Osiris, post:2, topic:30590"]
Obviously, if you manage all the sites on the server and would like to implement the same headers for all sites, you can implement them server-wide.
[/quote]

I forgot to mention that I am just an amateur website-builder. I have got nothing to do with server managing (besides uploading/deleting files in my own domain space on the server). That's why I would be happiest if I could use my .htaccess file to implement all those security headers.

[quote="Osiris, post:2, topic:30590"]
Public key pinning...
[/quote]

Thanks for this warning. I will probably stop implementation when I get the most important headers in place (HSTS, Content-Security-Policy and X-Frame-Options).

Sorry, @Rovertek, I haven’t implemented these, so I don’t know where they can be set.

I’d like to proudly mention that my latest security measures moved my score on the Observatory up from “E” to “A+”. :joy:

My warmest “thank you” to all members of this forum who helped me understand what I was doing and why…

EDIT: I should add that all my security rules are included in my .htaccess file, so they do not affect other sites on the same shared-hosting plan.
