Recently, I got an SSL certificate from “Let’s Encrypt”. I put my ‘https’ website through the observatory.mozilla.org set of tests and I got a wide range of results: from “F” to “A+”.
I have used advice given to me on this forum and after adding “HSTS” rules to my .htaccess file, my test results improved (“E” to “A+”). Then, I also added “Content-Security-Policy”, but that did not change my ratings any further.
So, my question is whether “Content-Security-Policy” rules can be implemented by way of the .htaccess file, or must they be implemented server-wide to take effect? The same question applies to “X-Frame-Options”, “X-XSS-Protection”, “X-Content-Type-Options”, “Referrer-Policy” and “Public-Key-Pins”.
I would say you should implement those headers site-wide. Obviously, if you manage all the sites on the server and would like to implement the same headers for all sites, you can implement them server-wide.
Public key pinning isn't something you should "just do", because it can make your site unusable. For example, the default behaviour of the certbot client is to use a different keypair for every certificate. Thus, if you only pinned the leaf certificate (which isn't advisable in the first place) and then renewed your certificate, your site would be unusable for clients implementing public key pinning.
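As an added example (my own, not posted by anyone in this thread), here is what the headers the question asks about look like when set from a .htaccess file rather than server-wide. It assumes an Apache host with mod_headers loaded and an AllowOverride that permits Header directives (FileInfo): if the module is missing, the <IfModule> guard skips the block silently and you get no headers; if AllowOverride forbids it, Apache answers 500 and only the hoster can change that. The max-age, the CSP sources and SAMEORIGIN are illustrative starting values, not settings taken from the page.

```apache
# Added example: per-site security headers in a .htaccess file.
# Assumes mod_headers is loaded and AllowOverride includes FileInfo.
<IfModule mod_headers.c>
    # HSTS: only meaningful over HTTPS. env=HTTPS (the variable mod_ssl sets on
    # TLS requests) keeps it off plain-HTTP responses if the same docroot serves both.
    # Start with a short max-age; raise it (and consider preload) only once every
    # subdomain is reachable over HTTPS, because browsers cache this value.
    Header always set Strict-Transport-Security "max-age=300; includeSubDomains" env=HTTPS

    # CSP: a deliberately strict starting policy. Everything must come from the
    # site's own origin; inline scripts/styles and third-party CDNs are blocked
    # until you list them explicitly. Plugins (object-src) are disabled outright.
    Header always set Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'"

    # Clickjacking protection for browsers that do not honour frame-ancestors.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Stop browsers from MIME-sniffing a response away from its declared Content-Type.
    Header always set X-Content-Type-Options "nosniff"

    # Legacy reflected-XSS filter switch for older browsers; current browsers ignore it.
    Header always set X-XSS-Protection "1; mode=block"

    # Send only the origin to other sites, and nothing when downgrading to HTTP.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Public-Key-Pins is intentionally absent: with certbot's default of a fresh
    # keypair per renewal, a pin on the leaf key stops matching at the first
    # renewal and locks pinned browsers out until the pin's max-age expires.
</IfModule>
```

"always" makes the headers appear on error responses too (a 404 page is still a page the browser renders). After uploading the file, fetch a page with curl -sI over https and check that every header you expect is actually in the response; a silently skipped <IfModule> looks exactly like a working one from the inside.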
I was referring to my "E" rating at the Observatory.

[quote="Osiris, post:2, topic:30590"]
Obviously, if you manage all the sites on the server and would like to implement the same headers for all sites, you can implement them server-wide.
[/quote]
I forgot to mention that I am just an amateur website-builder. I have nothing to do with server management (besides uploading/deleting files in my own domain space on the server). That's why I would be happiest if I could use my .htaccess file to implement all those security headers.

[quote="Osiris, post:2, topic:30590"]
Public key pinning...
[/quote]
Thanks for this warning. I will probably stop implementation when I get the most important headers in place (HSTS, Content-Security-Policy and X-Frame-Options).