Security headers in ssl.conf
Guide to implementing essential security headers in your Apache ssl.conf or virtual host configuration.
Prerequisites
Ensure mod_headers is enabled in Apache:
sudo a2enmod headers
sudo systemctl restart apache2
Recommended Configuration
Add these lines to your /etc/apache2/mods-enabled/ssl.conf or, better, to the specific <VirtualHost *:443> block of your HTTPS site. The "always" condition makes mod_headers add each header to error responses (4xx/5xx) as well as successful ones, which matters because browsers evaluate HSTS and X-Frame-Options on error pages too.
<IfModule mod_headers.c>
# 1. HSTS (Global HTTPS enforcement)
# Tells browsers to ONLY use HTTPS for the next 2 years, including subdomains.
# Caution: once a browser has cached this, any subdomain that is not reachable over valid HTTPS becomes
# unreachable for that browser until max-age expires. Only add "preload" once every subdomain works over HTTPS;
# removal from the preload list takes months.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# 2. X-Frame-Options
# Prevents clickjacking by forbidding other sites from framing this one (same-origin framing stays allowed).
# Modern browsers prefer the CSP frame-ancestors directive; keep this header for older clients.
Header always set X-Frame-Options "SAMEORIGIN"
# 3. X-Content-Type-Options
# Prevents MIME-sniffing exploits.
Header always set X-Content-Type-Options "nosniff"
# 4. Referrer Policy
# Controls how much referrer info is sent to other sites.
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# 5. Content Security Policy (Basic)
# Restricts where scripts, styles, images and other resources may be loaded from.
# Warning: the policy below allows any http:/https: source plus inline scripts ('unsafe-inline'), so it does NOT
# stop XSS; it is only a permissive starting point that should not break an existing site. Deploy your real policy
# as Content-Security-Policy-Report-Only first, watch the reports, then tighten it and switch to the enforcing header.
# Header always set Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'"
# 6. Permissions Policy (formerly Feature-Policy)
# Disables sensitive features like camera/mic.
Header always set Permissions-Policy "geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=()"
# Reduce fingerprinting (obscurity only; it does not fix a vulnerable version, but it removes a free hint)
# Note: "Header unset Server" does NOT work in Apache httpd, because the core adds the Server header after
# mod_headers has run. Set "ServerTokens Prod" and "ServerSignature Off" in the server configuration instead
# (on Debian/Ubuntu: /etc/apache2/conf-enabled/security.conf) to reduce the banner to "Apache".
# X-Powered-By is added by PHP or the application, so mod_headers can strip it.
Header always unset X-Powered-By
</IfModule>
Explanation of Headers
Strict-Transport-Security (HSTS)
max-age=63072000: 2 years in seconds. Browsers only honour the header when it arrives over a valid HTTPS connection, so it belongs in the HTTPS virtual host.
includeSubDomains: Applies to blog.example.com too, so every subdomain must already serve valid HTTPS.
preload: Allows submission to the HSTS preload list at hstspreload.org (shipped with Chrome, Firefox, Safari and Edge). Preloading requires max-age of at least one year and includeSubDomains, and it is hard to undo, so treat it as a one-way decision.
X-Frame-Options
SAMEORIGIN: Only your own origin can frame your site.
DENY: No one can frame your site, not even your own pages.
X-Content-Type-Options
nosniff: Forces the browser to respect the Content-Type header sent by the server instead of guessing a type from the content. Without it, an uploaded file served as text/plain can be "sniffed" as HTML or JavaScript and executed.
Referrer-Policy
strict-origin-when-cross-origin: Sends the full URL for same-origin requests, only the origin (scheme, host, port) for cross-origin requests, and no referrer at all when downgrading from HTTPS to HTTP. Path and query string, which often carry session tokens or search terms, never leave your origin.
Restart Apache
After editing configurations, always restart Apache:
sudo apachectl configtest # Check for syntax errors
sudo systemctl restart apache2
Verify Your Headers
Check your score at SecurityHeaders.com. You should aim for an A+.
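For a repeatable check that does not depend on an external scanner, the script below (an added example, not part of the original guide) inspects the raw response headers as captured by curl and reports anything missing or weak: absent headers, an HSTS max-age below the one-year preload minimum, a Server banner that still carries a version number, and a leftover X-Powered-By. The header dump embedded at the bottom is constructed sample data so the script runs offline; against a live site you would run `curl -sSI https://example.com/ > headers.txt` and pass that file in.

```sh
#!/bin/sh
# check_headers: offline checker for the security headers this guide configures.
# Input: a file holding raw HTTP response headers (e.g. output of `curl -sSI URL`).
# Output: one line per problem found; the return code is the number of problems (0 = clean).
check_headers() {
  file="$1"
  problems=0

  # Every header the guide sets must be present (header names are case-insensitive).
  for h in strict-transport-security x-frame-options x-content-type-options referrer-policy permissions-policy; do
    if ! grep -iq "^$h:" "$file"; then
      echo "MISSING: $h"
      problems=$((problems + 1))
    fi
  done

  # HSTS max-age must be at least one year (31536000 s) to qualify for preloading.
  maxage=$(grep -i '^strict-transport-security:' "$file" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p' | head -n 1)
  if [ -n "$maxage" ] && [ "$maxage" -lt 31536000 ]; then
    echo "WEAK: HSTS max-age $maxage is below one year"
    problems=$((problems + 1))
  fi

  # A Server header with a dotted version number means ServerTokens is not set to Prod.
  if grep -i '^server:' "$file" | grep -Eq '[0-9]+\.[0-9]+'; then
    echo "LEAK: Server header reveals a version"
    problems=$((problems + 1))
  fi

  # X-Powered-By should have been removed by mod_headers.
  if grep -iq '^x-powered-by:' "$file"; then
    echo "LEAK: X-Powered-By header still present"
    problems=$((problems + 1))
  fi

  return "$problems"
}

# Stand-alone demo with a constructed header dump (not from a real server).
if [ "$#" -ge 1 ]; then
  check_headers "$1"
else
  sample=$(mktemp)
  printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.52 (Ubuntu)\r\nX-Powered-By: PHP/8.1\r\nStrict-Transport-Security: max-age=300\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nReferrer-Policy: strict-origin-when-cross-origin\r\n\r\n' > "$sample"
  check_headers "$sample"
  echo "problems found: $?"
  rm -f "$sample"
fi
```

The built-in sample deliberately reproduces the three common mistakes from this guide (unset version banner, leftover X-Powered-By, a short HSTS max-age) plus one missing header, so it reports four problems; a server configured as shown above, with ServerTokens Prod, reports none. Because curl emits CRLF line endings, every pattern anchors on the start of the line and ignores the trailing carriage return.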