Fixing HTTP Security Header Not Detected

Rob

Administrator
Staff member
You may have received a vulnerability report/scan stating that you need to fix 'HTTP Security Header Not Detected' on some web servers.

We'll mitigate three different things: X-Frame-options, X-XSS-Protection and X-Content-Type-Options

First, run curl to test your server:
Code:
curl -I https://www.linux.org
You'll see something like:
Code:
HTTP/1.1 200 OK
Date: Fri, 16 Jun 2017 18:55:07 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Fri, 16 Jun 2017 18:55:07 GMT
Content-Length: 109622
Content-Type: text/html; charset=UTF-8
The output there is not showing any of the HTTP Security Header strings.

Now, let's fix it...

Apache:
add the following to httpd.conf (or apache2.conf) and restart
Code:
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
nginx:
Add the following to your nginx.conf
Code:
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
Once the code is added, restart apache/nginx and test with curl:
Code:
curl -I https://www.linux.org
You'll see something like this:
Code:
HTTP/1.1 200 OK
Date: Fri, 16 Jun 2017 18:55:07 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-Frame-Options: SAMEORIGIN
Last-Modified: Fri, 16 Jun 2017 18:55:07 GMT
Content-Length: 109622
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
Now, you can sleep soundly!
 
Last edited:


Members online



Top