Updating HTTP Headers for Security

In this post, we looked at some ways to tighten up security and increase the speed of websites in modern times.

How to Implement Security HTTP Headers to Prevent Vulnerabilities? talks about some of the headers that should be modified from their defaults for increased security.

The list of headers they give are…

• X-XSS-Protection
• HTTP Strict Transport Security
• X-Frame-Options
• X-Content-Type-Options
• HTTP Public Key Pinning
• Content Security Policy
• X-Permitted-Cross-Domain-Policies
• Referrer Policy
• Expect-CT

One of the things mentioned in my Best Practices for Websites in 2018 article was HTTP Strict Transport Security (HSTS). Using a CDN, like CloudFlare, HSTS can be included very easily in the free version. However, some of the other headers are only able to be added on the Enterprise version.

Other things it can be helpful to remove from the headers are the exact versions of Apache and PHP. Although, to be fair, there are only a finite number of web servers and programming languages so protection by obscurity is fairly limited.

Updating Headers in Apache and Ubuntu

First of all, a standard fresh install of Ubuntu might not have the headers module installed so add it by…

sudo a2enmod headers
sudo service apache2 restart

Then, most articles say that you should add the headers to the httpd.conf file. This file does not exist in a fresh install of Ubuntu so you have to make it in the location /etc/apache2/httpd.conf then include it in the apache2.conf like so…

Include httpd.conf

Once this is done you can start adding headers to it.

You should check whether you have a httpd.conf or not before you make one. Bitnami creates a httpd.conf that is already pre-populated with a lot of lines of code. This kind of pre-setup is the whole reason that Bitnami exists.

Removing the Version of Apache from the HTTP Headers

Web servers (Apache, Nginx, IIS) typically do not want you to remove them from the headers because it is a way of showing the world how popular they are. Like social media for web servers. So, the method of removing them can be relatively tricky.

One alternative is to use cloudFlare which gives the Server variable the value of “cloudflare”… Easy!

Alternatively, another easy fix is to remove the version number from Apache and just leave the word “Apache” visible.

With headers enabled and httpd.conf included in the apache2.conf you can add the lines…

ServerTokens Prod
ServerSignature Off

After restarting Apache the version of Apache should now be gone. You’re telling Apache that the website is in production so turn off the signatures.

Similarly, adding the following line will remove the ability to do a telnet trace of the website, although this still tells the person you’re using Apache.

TraceEnable off

Remove the Version of PHP from the HTTP Headers

The default for PHP is to not show the version of PHP in the headers, however, I found recently that in a Bitnami install it was actually shown by default.

You can turn this off in the php.ini…

expose_php = Off

As this is a PHP setting it will be the same in Nginx, IIS, etc.

After you have done this you’ll need to restart PHP, like this…

sudo service php5-fpm restart

Updating HTTP Response Headers in Apache

The rest of the headers listed above can be updated in the httpd.conf. Here are a few standard ones that do not need any modifications…

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains;"
Header always set X-Frame-Options DENY
Header set Referrer-Policy "no-referrer"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Expect-CT "enforce, max-age=300, report-uri='https://www.repoting-website.com/'"

The modifications to the httpd.conf will be very similar but different to the lines that would be added to the nginx.conf for Nginx.

Testing the Security of HTTP Headers

The first way to test your headers would be to inspect them in your browser. For Chrome, you would “inspect” then go to the “Network” tab. If the Network tab is empty, reload the page. Once the list of items is populated you can click on the main website which should be at the top, then on the right, there should be a “Headers” tab that lists all the headers.

SecurityHeaders is a great website for testing the security of your headers. The website completely ignores web server version and programming language version as you could argue that removing them does not offer much protection against an attack. Instead, it focuses on the instructions your website is giving browsers from its headers.

Another useful link for updating your HTTP headers that gives examples for different web servers is Hardening your HTTP response headers.