Hardening Security Improvements — How to add Security Headers to your Website.

Cytrus Logic regularly does security scans of websites for statistical purposes. In almost 85% of the scans, there are no security headers installed on the sites we scan.

These scans allow us to create statistics and create tools and procedures to better protect our clients and their sites from malicious code and exploits.

Security headers give an extra level of protection to your website.

HTTP Strict Transport Security Header

HSTS (HTTP Strict Transport Security) is an HTTP header that protects against attacks like cookie hijacking by forcing browsers to use the secure HTTPS protocol if it is available. This means the browser only talks to the site over an encrypted connection, so the data being sent cannot be captured in transit and mined for sensitive information.

Most web hosts do not enforce this by default. To turn this feature on, add the following to your .htaccess file (the quotes must be plain ASCII double quotes, not typographic ones, or Apache will not parse the value):

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"
</IfModule>

X-Content-Type-Options

The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed as-is and not changed by the browser (no MIME sniffing).

Although MIME sniffing can be useful to determine an asset's correct file format, it can also cause a security vulnerability, one that affects the site as well as anyone visiting it. It leaves them open to an XSS (Cross-Site Scripting) attack, where malicious code can be inserted and exploit both the site and its users.

To defend against this type of attack, add the following to the .htaccess file (the header that matches this section is X-Content-Type-Options with the value nosniff):

Header set X-Content-Type-Options nosniff

XSS Protection

The HTTP X-XSS-Protection response header is used to tell a browser that if it detects an XSS attack it should immediately stop serving the page. This is important because if an attack is attempted and executed, both the site and the user could be compromised.

To turn this header on, add the following to your .htaccess file:

Header set X-XSS-Protection "1; mode=block"
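Once the three directives are in place, the next step is to confirm the server really returns them. The following is an added example, not code from the article or from Cytrus Logic: a small Python checker that parses the header block of a raw HTTP response and reports, for each of the three headers above, whether it is missing, present but weak, or set as expected. The two sample responses are constructed for illustration (one from a site configured as described, one with no security headers at all), and the function names and status labels are my own.

```python
import re
from typing import Dict, Tuple

# Constructed sample: what a server configured with the three .htaccess
# directives above returns (status line + header block + start of body).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=10886400; includeSubDomains; preload\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: no security headers at all, the common case the article describes.
BARE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

# Minimum HSTS lifetime we accept; this is the value used in the article's example
# (10886400 seconds, i.e. 18 weeks).
MIN_HSTS_AGE = 10886400


def parse_headers(raw: str) -> Dict[str, str]:
    """Split the header block of a raw HTTP response into a dict keyed by lowercase name."""
    headers: Dict[str, str] = {}
    _status_line, _, rest = raw.partition("\r\n")
    for line in rest.split("\r\n"):
        if line == "":
            break  # an empty line ends the header block; everything after is body
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(headers: Dict[str, str]) -> Tuple[str, str]:
    """Verify Strict-Transport-Security has a long enough max-age and covers subdomains."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ("missing", "browsers may still be sent to plain HTTP")
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    if max_age is None:
        return ("invalid", "max-age directive is required")
    if max_age < MIN_HSTS_AGE:
        return ("weak", f"max-age={max_age} is shorter than {MIN_HSTS_AGE}")
    if "includesubdomains" not in directives:
        return ("weak", "subdomains are not covered")
    return ("ok", value)


def check_nosniff(headers: Dict[str, str]) -> Tuple[str, str]:
    """Verify X-Content-Type-Options is exactly 'nosniff' (the only defined value)."""
    value = headers.get("x-content-type-options")
    if value is None:
        return ("missing", "browser may MIME-sniff responses")
    if value.lower() != "nosniff":
        return ("invalid", f"unexpected value {value!r}")
    return ("ok", value)


def check_xss_protection(headers: Dict[str, str]) -> Tuple[str, str]:
    """Verify X-XSS-Protection is enabled ('1') and set to block the page ('mode=block')."""
    value = headers.get("x-xss-protection")
    if value is None:
        return ("missing", "browser XSS filter not requested")
    tokens = [t.strip().lower() for t in value.split(";") if t.strip()]
    if not tokens or tokens[0] != "1":
        return ("disabled", f"filter is off or malformed: {value!r}")
    if "mode=block" not in tokens:
        return ("weak", "filter enabled but the page is not blocked on detection")
    return ("ok", value)


def audit(raw_response: str) -> Dict[str, Tuple[str, str]]:
    """Run all three checks over a raw HTTP response and return {header: (status, note)}."""
    headers = parse_headers(raw_response)
    return {
        "Strict-Transport-Security": check_hsts(headers),
        "X-Content-Type-Options": check_nosniff(headers),
        "X-XSS-Protection": check_xss_protection(headers),
    }


if __name__ == "__main__":
    for label, raw in (("configured site", GOOD_RESPONSE), ("unconfigured site", BARE_RESPONSE)):
        print(label)
        for name, (status, note) in audit(raw).items():
            print(f"  {name}: {status} ({note})")
```

To use it against a live site, capture the response headers (for example, the output of `curl -sI https://example.com/`, using your own hostname) and pass the text to `audit()`; anything other than "ok" points at a directive that is absent or mistyped in .htaccess, which is exactly what the curly quotes in a copy-pasted `Header set` line tend to produce.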

Now you know how to add security headers to your website! Next, make sure they are actually in place by scanning your site with Website Safeguard.

Jacob Billings
PhD Candidate - Complex Systems

I am a software engineer, linguist, and researcher of Complex Systems. I hold a bachelor's degree in Middle Eastern Studies from the University of Utah, a Master’s degree in linguistics from Francisco Marroquín University in Guatemala City, and I am a doctoral candidate in Complex Systems at the Polytechnic University in Madrid, Spain.

Software Development: I bring over 20 years of experience in developing software for multiple clients in various environments. I have a solid knowledge of PHP, Javascript, MySQL, NoSQL, Python, and Java.

Over my career, I have had the opportunity to work on projects for some of the most recognized brands on the planet, brands like Marriott Hotels, Microsoft, Ashland Chemical, Capital One Credit Cards, Cadbury Schweppes, GE and more. This has given me an in-depth understanding of my clients' challenges as they grow. I know how to get a company from startup to maturity with technology. My specialties are in E-commerce (specifically Magento), process automation, and security.