Guide: Hardening your server’s HTTP Headers on Apache / LAMP / MAMP

1. Why harden your sever?

If you have a website then you have a role to play in making sure that the web is a safe place. Poorly configured headers can leave visitors, sites and servers vulnerable to malicious attacks. If you want to read more on the attacks that are possible start here.

A security hardened site will minimise the risk of a breach taking place. This could result in either rebuilding your website (or server), a lawsuite, or at least reputational harm, that may arise if your site puts users or their data at risk. It’s really easy to do, so why not?

First, find out if your website’s headers are secure by running a test here. If you are getting less than  a grade ‘A’ (and most sites are not!), then the steps below should get you there.

2. How to do it

It’s so easy to secure your server’s http headers by adding some definitions to the.htaccess file located in your sites root folder.

This is the text to add to your htaccess file:

<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set X-Frame-Options "SAMEORIGIN"
Header set Referrer-Policy: strict-origin-when-cross-origin

Now run the test again from this location here. At the time of writing the above steps should get you a grade ‘A’.


If you don’t know what the htaccess file is then you probably won’t be reading this, but if you don’t find out more about the .htaccess file here. I also assume that your server defaults to https traffic. If your server is insecure (http) then drop the lines that include the following header policies:


I got a lot of help on understanding the correct header values for my needs from this site, so it could be a good resource for you run in to trouble with applying the above. The site also cover’s the process of implementing this on IIS and nginx servers.

Questions or comments? Let me know!