htaccess file

HTTP security headers are your first line of defence against all sorts of threats. They tell browsers how to behave, preventing common attacks like clickjacking, cross-site scripting (XSS) and man-in-the-middle attacks. While server-level configuration offers robust control, for many website owners, especially those on shared hosting, editing the .htaccess file provides a great solution.

Firstly, check your own headers here https://smecyber.co.uk/url-checker/
Most likely you are missing some if not all. If you don’t have them all – read on!

Why .htaccess is Your Security Ally

.htaccess is a simple text file that sits in your website’s root directory. This means you can add, modify, or remove security headers without needing root access to the server. For those using shared hosting, where direct server access is often limited, this is essential.

The key benefit? Speed and simplicity. If you need to quickly implement essential security measures, .htaccess allows you to do so with minimal fuss. A few lines of code, and you’ve significantly hardened your website’s defences.

Here’s a quick example of a .htaccess file with some common security headers:

<IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header set Permissions-Policy "geolocation=(), microphone=()"
</IfModule>

Breaking it Down:

  • <IfModule mod_headers.c>: Applies the enclosed directives only if the mod_headers module (which allows you to set HTTP headers) is loaded on your server, so the file does not cause an error where it is not.
  • Strict-Transport-Security (HSTS): Forces browsers to use HTTPS, preventing protocol downgrade attacks.
  • X-Frame-Options: Prevents clickjacking by controlling whether your site can be embedded in an <iframe>.
  • X-Content-Type-Options: Prevents MIME sniffing, which can lead to security vulnerabilities.
  • X-XSS-Protection: Enables the browser’s XSS filter.
  • Referrer-Policy: Controls how much referrer information is sent with requests.
  • Permissions-Policy: Controls which browser features (here geolocation and the microphone) the page is allowed to use.

Simply copy this code into your .htaccess file, save it and upload it to your website’s root directory. Within moments, your site will have a significant security boost.

The Bigger Picture: Other Configuration Methods

While .htaccess is convenient, it’s important to acknowledge that server-level configuration offers greater control and performance. When you configure headers directly in your web server’s main configuration files (like httpd.conf for Apache or nginx.conf for Nginx), the server processes these directives only once at startup, rather than on every request. This reduces overhead and improves performance.

However, server-level configuration requires administrator access, which is not always available. In such cases, .htaccess remains the most practical solution.

In conclusion, for quick and easy implementation of essential HTTP security headers, .htaccess is a powerful tool. It allows you to enhance your website’s security without needing in-depth server knowledge. While server-level configuration offers performance advantages, .htaccess provides a user-friendly and accessible alternative for many website owners. Always remember to thoroughly test your site after making any configuration changes.

Now, go here https://smecyber.co.uk/url-checker/ and check again. You should sleep better tonight!

NB: this is not exhaustive and may change.
You could also add

Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self';"

however this may mess with some external resources such as CDNs or some analytics.
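To check that the headers from the block above (and the optional Content-Security-Policy) actually reach the browser, here is a small added audit script; it is not part of the original post or the linked checker. It runs against a constructed "before" and "after" set of response headers, and the thresholds (one-year HSTS max-age, DENY/SAMEORIGIN framing, a default-src in the CSP) are assumptions drawn from the values used in this post; X-XSS-Protection is not checked because current browsers ignore it.

```python
"""Audit HTTP response headers against the .htaccess security header list."""
from typing import Dict, List

HSTS_MIN_AGE = 31536000  # one year, matching the max-age in the .htaccess example


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every checked header is present and sane.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        # Split "max-age=N; includeSubDomains; preload" into its directives
        parts = [p.strip().lower() for p in hsts.split(";")]
        ages = [p.split("=", 1)[1] for p in parts if p.startswith("max-age=")]
        if not ages or not ages[0].isdigit() or int(ages[0]) < HSTS_MIN_AGE:
            findings.append("Strict-Transport-Security max-age below one year")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")

    csp = h.get("content-security-policy", "").lower()
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "default-src" not in csp:
        findings.append("Content-Security-Policy has no default-src fallback")
    return findings


# Constructed sample responses (not captured from a real site)
BEFORE = {"Content-Type": "text/html", "Server": "Apache"}
AFTER = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=()",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self';",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_security_headers(hdrs) or ["all checks passed"])
```

For a live site, pass `dict(urllib.request.urlopen(url).headers.items())` instead of the constructed dicts.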

Always run a back up before changing any configurations.
