Home » Blog » HTTP Headers » How to Protect WebSites Against Attackers or Hackers by using “X-Security Headers”

.htaccess File

How to Protect WebSites Against Attackers or Hackers by using “X-Security Headers”

X-Security Headers are the header part of a Hypertext Transfer Protocol (HTTP) request and response messages. It passes additional information with the request and response between the client (browser) and the web server.

Published

5 years ago

July 23, 2018

TwinzTech

Table of Contents

1. What are X-Security Headers?

X-Security Headers are the header part of a Hypertext Transfer Protocol (HTTP) request and response messages. They define the operating parameters of an HTTP transaction. It passes additional information with the request and response between the client (browser) and the web server. It is an integral part of HTTP requests and responses. X-Security Headers are also said as HTTP headers.

By using .htaccess techniques to increase your website’s security. X-Security Headers are protecting against cross-site scripting (XSS) attacks, Clickjacking (UI redress attack) attacks, Reducing MIME Type Security Risks, etc.

2. Most Popular Names of the X-Security Headers

X-XSS-Protection
X-Frame-Options
X-Content-Type-Options

a) Protect Against cross-site scripting (XSS) Attacks

Cross-site scripting (XSS) attack is a type of computer security vulnerability typically found in web applications or websites. It enables attackers to inject client-side scripts or malicious javascript code into web pages viewed by other users.

Cross-site scripting (XSS) vulnerability Web applications or websites run on malicious JavaScript code in a victim’s browser (client). Hackers are executing malicious JavaScript code in another user’s browser (client). See more about cross-site scripting (XSS).

By using this code in the .htaccess file, we can protect against cross-site scripting (XSS) attacks.

# Reflected Cross-Site Scripting (XSS) attacks:
<IfModule mod_headers.c>
Header set X-XSS-Protection “1; mode=block”
<FilesMatch “\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf][/cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$”>
Header unset X-XSS-Protection
</FilesMatch>
</IfModule>

b) Protect Against Clickjacking (User Interface redress, UI redress, and UI redressing) Attacks

A clickjacking attack is a malicious technique of tricking a Web application user into clicking on something different from what the user understands they are clicking on the website, thus potentially leaking confidential information (data) and taking control of their computer while clicking on apparently offensive web pages.

Clickjacking is also named a User Interface redress attack, UI redress attack, and UI redressing. Clickjacking is possible because harmless or offensive features of HTML web pages can be employed to perform unexpected actions. On Clickjacking attacked pages, the attackers load another page over it in a transparent layer. By using this way attacks steal data by clicking on web pages.

Protects Against Clickjacking and cross-site scripting

A few more attacks are Similar like clickjacking those are Likejacking and Cross-Frame Scripting (XFS) attacks.

By using this code in the .htaccess file, we can protect against Clickjacking (User Interface redress, UI redress, and UI redressing), likejacking, and Cross-Frame Scripting (XFS) attacks.

# Protect From Clickjacking (UI redress) attacks:
<IfModule mod_headers.c>
Header set X-Frame-Options “DENY”
<FilesMatch “\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf][/cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$”>
Header unset X-Frame-Options
</FilesMatch>
</IfModule>

c) Protect Against MIME Type Security Risks (Content/Media Security Risks)

MIME Type attack is a malicious technique used by some web browsers (likely Internet Explorer, Opera, etc.) to focus on the content of particular assets on web applications. This technique is used to Phishing/Sniff the main assets of the web page or website.

MIME Type sniffing attacks are a risk when you allow users to upload data on web applications. By using the .htaccess file and HTTP Headers technique, we can protect our data securely.

By using this code in the .htaccess file, we can protect against MIME Type Security Risks (Content/Media Security Risks).

# Reducing MIME Type Security Risks:
<IfModule mod_headers.c>
Header set X-Content-Type-Options “nosniff”
</IfModule>

3. Top 10 HTTP Security Headers

You Must Implement on Your Website, It is more useful HTTP Headers for better Web Application Security:

HTTP ETag Header
HTTP X-Powered-By
HTTP Strict Transport Security (HSTS)
HTTP Public Key Pinning (HPKP)
HTTP Content Security Policy (CSP)
HTTP Referrer-Policy
HTTP Feature-Policy
HTTP Expect-CT
HTTP Timing-Allow-Origin
HTTP Access-Control-Allow-Origin

The above HTTP headers are used to protect your websites against attacks, Data Sniffing, Data Breaching, Data Phishing, and Hacking.

Protect WebSites Against Hackers by using X-Security Headers

See the below examples of how to use the HTTP headers in the .htaccess file to protect data or information against hackers.

# It Disables Apaches ETag Header:
<IfModule mod_headers.c>
Header unset ETag
</IfModule># Server-side Technology Information:
<IfModule mod_headers.c>
Header unset X-Powered-By
</IfModule># HTTP Strict Transport Security (HSTS):
<IfModule mod_headers.c>
Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains; preload”
</IfModule>

# HTTP Public Key Pinning (HPKP)
<IfModule mod_headers.c>
Header always set Public-Key-Pins “pin-sha256=\”iPkQ5Cig6y69MBkqnbEk4aIdjiuY4exLSiDRSp5GeJg2m4=\”; pin-sha256=\”Cig6y69MBkqnbEk4aIklO2XCfCig6y69MBkqnbEk469MBkY=\”; pin-sha256=\”a9wgrX4Ta9HpZx6tSfc4$2dsavHkmCrvpApwsgbrLg5yRME=\”; max-age=2592000; includeSubDomains; preload”
</IfModule>

# HTTP Content Security Policy (CSP):
<IfModule mod_headers.c>
Header set Content-Security-Policy “base-uri ‘self'”
</IfModule>

# Send Custom HTTP Headers Referrer-Policy:
<IfModule mod_headers.c>
Header always set Referrer-Policy “strict-origin-when-cross-origin”
</IfModule>

# Send Custom HTTP Headers Feature-Policy:
<IfModule mod_headers.c>
Header always set Feature-Policy “vibrate ‘self'”
</IfModule>

# Send Custom HTTP Headers Expect-CT:
<IfModule mod_headers.c>
Header always set Expect-CT “max-age=604800; report-uri=””
</IfModule>

# Cross-origin requests:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin “Origin”
</IfModule>

# Cross-origin resource timing:
<IfModule mod_headers.c>
Header set Timing-Allow-Origin: “*”
</IfModule>

Helpful Resources:

1. Why is Cybersecurity Important For Enterprises?

2. 5 Website Security Tips Every Employee Should Know

3. Get VPS Hosting For Your Websites For Better Results

4. Top Ten Blockchain Applications That Are Transforming Industries

5. 6 Best Wireless Security Cameras

6. What is the Difference Between Absolute and Relative URLs?

.htaccess File

HTTP vs. HTTPS: How to Select the Best Option for Your Website

HTTP vs. HTTPS: An HTTP is a HyperText Transfer Protocol, whereas a WWW is a World Wide Web that connects clients and servers.

Published

3 years ago

December 23, 2019

TwinzTech

Can you even imagine that a single letter could make much difference with your website ranking? Confused by what I am talking about? Straightforward, it is the HyperText Transfer Protocol.

Table of Contents

1. What so important about HTTP?

If you have noticed since 2014, Google announced that websites that hold the HTTPS on it would obtain a hike in its search ranking. You might have wondered, what would this “S” does with the website’s ranking. I would say it has a lot more than you think.

In today’s post, let us investigate HTTP vs. HTTPS and what is the best option to select the HTTPS for your website. Would you be interested to know more about it?

Let’s get started!!!

HTTP vs. HTTPS How to Select the Best Option for Your Website

2. What is HTTP?

An HTTP is a HyperText Transfer Protocol, whereas a WWW is a World Wide Web that connects clients and servers. Now clubbing these two techniques together makes some sense. It is done by establishing a communication between the client computers and web servers by sending an HTTP request and receiving an HTTP response on the other end.

An HTTP being a stateless protocol does not save or store any of the previous web sessions. As the protocol is stateless, there is less usage of data; therefore, increasing data transfer speed. There are several other benefits of using HTTP. A few of them are as follows,

Helps in accessing HTML pages
Websites without confidential data use HTTP to access
Functional and efficient

3. What is HTTPS?

The HTTPS (HyperText Transfer Protocol Secure) security is the essential thing that is very much needed these days. In recent times we face a lot of security breaches, especially when it comes to eCommerce websites, there is a lot of complaints from the customers that they have issues, or their money is stolen at the transaction. All these are referred to as security threats. In order to avoid such discrepancies, the HTTPS was introduced to ensure security among users.

SSL and HTTPS

4. Select the best SSL Certificate for your website

Before we could move into choosing the right SSL certificate for your website, let us investigate the types of SSL certificates that exist.

The types of SSL certificates are as follows,

Single Domain SSL Certificate
Multi-domain SSL Certificate
Wildcard SSL Certificate
Organizational Validation SSL Certificate
The extended Validation SSL certificate

5. The Extended Validation SSL certificate (EV-SSL)

The Extended Validation SSL Certificate promises you with the highest level of security to your website and the most top validation done by a Certificate authority. The brand that involves the certificate will have to undergo a rigorous background check and various confirmation process in order to get it validated.

To be more authentic, EV-SSL is the best form of security and a cost-effective certificate that can be added to your website.

Benefits of having an EV-SSL Certificate:

EV SSL is intended to obviously convey the dependability of the site to its users by offering a green bar that assures client certainty.
EV decreases cart abandonment and improves client conversions. You get higher revenue per exchange and higher lifetime client esteem.
Demonstrates your site has passed similar security checks as the other significant sites.
It isn’t merely the best SSL certificate for WordPress and the best SSL certificate for internet business yet for every single other sort of site.
Most elevated SSL security levels – 2048-bit digital signatures all through the whole certificate bind and up to 256-bit encryption as standard.

6. Organizational Validated SSL Certificate

Organizational Validated SSL certificate ensures high-level web security. The OV-SSL certificate adds up validation of the complete business details, which includes name, address, domain name, and any other sensitive information of the website holder.

The installation of an OV-SSL certificate to your domain shows a green padlock symbol at the front. The certificate provides warranty assurance and 100% security with secure data encryption.

Especially when it comes to eCommerce websites, a customer can be hassle-free on noticing the HTTPS on the address bar as it ensures the sign of security to its customers.

HTTP and HTTPS

7. Domain Validated SSL Certificate

A domain validated SSL does not authenticate or validate business information. The certificate still ensures high-level security, but low level of validation compared to EV and OV SSL.

8. Single domain SSL Certificate

The single SSL certificate allows a customer to secure only a single domain/sub-domain on one single certificate. The single-domain SSL certificate ensures strong security against data theft and security breaches.

A single-domain SSL certificate can be used to protect a single domain, individual sub-domain, hostname.

There are other cheap SSL certificates that can help you protect your website from security breaches. They are as follows,

Multi-domain SSL certificate
Wildcard SSL certificate
Unified Communications certificate

9. Why do you need an SSL certificate for your website?

On the off chance, you need to demonstrate your character and authenticity to your site users; at that point, you certainly need to add an SSL certificate to your site. SSL security is, for the most part, used to protect clients’ data. In this way, they are must for website pages if,

You’re selling something on the web (you are assuming acknowledgment card, standardized savings numbers, and some other individual information during the request procedure).
You are enabling clients to make accounts with your organization.
Your site is encouraging login and enrollment options.
You are accepting clients’ data, reports, and photographs by means of the form(s).
You give secure administrations like web banking and online email (where complete protection is required).

10. Wrap up:

The most valuable thing you need to know about website security is portrayed in this post. This helps you to have a better understanding of HTTP, HTTPS, and the importance of having an SSL certificate for your website and your online business.

The different types of SSL certificates are mentioned above for your convenience that you may choose the right one for your business. Finding the cheapest SSL certificate and an authentic one would never be a typical task for you. Install the best certificate for your online business and skyrocket your business with trust and authenticity.