Increase Your Website Security with X-Security Headers

Here are three .htaccess techniques to increase your site’s security. These techniques add extra security headers to all of your site’s resources. Specifically, this tutorial explains how to add X-Security Headers to protect against cross-site scripting (XSS), page-framing, and content-sniffing. Adding these extra headers is simple and helps boost your site’s security.

Protect against XSS attacks

First up, we want to add an X-Security Header to help protect against XSS. To do so, add the following directive to your site’s root .htaccess file:

# X-XSS-Protection
<IfModule mod_headers.c>
	Header set X-XSS-Protection "1; mode=block"
</IfModule>

No modifications are required; simply copy/paste, and it’s done. This code works by adding the X-XSS-Protection Header to your server responses. Most modern web browsers understand this header and will use it to help protect your site against cross-site scripting attacks.

Protect against page-framing and click-jacking

Next, we want to add an X-Security Header to help protect against page-framing and clickjacking. To do so, add the following directive to your site’s root .htaccess file:

# X-Frame-Options
<IfModule mod_headers.c>
	Header always append X-Frame-Options SAMEORIGIN
</IfModule>

No modifications are required; simply copy/paste, and it’s done. This code works by adding the X-Frame-Options Header to your server responses. Most modern web browsers understand this header and will use it to ensure that your page can be displayed in a frame only if the frame is on the same domain.

Protect against content-sniffing

Last but not least, we want to add an X-Security Header to help protect against content sniffing. To do so, add the following directive to your site’s root .htaccess file:

# X-Content-Type nosniff
<IfModule mod_headers.c>
	Header set X-Content-Type-Options nosniff
</IfModule>

No modifications are required; simply copy/paste, and it’s done. This code works by adding the X-Content-Type-Options Header to your server responses. Most modern web browsers understand this header and will use it to ensure proper MIME types for all loaded resources (e.g., CSS, JavaScript, fonts, images, video, et al).

Combine all three X-Security Headers

Now that we’ve seen the X-Security Headers that we want to add, let’s combine them into a single, plug-&-play code snippet:

# Extra Security Headers
<IfModule mod_headers.c>
	Header set X-XSS-Protection "1; mode=block"
	Header always append X-Frame-Options SAMEORIGIN
	Header set X-Content-Type-Options nosniff
</IfModule>

Add that to your site’s root .htaccess and call it a day. No editing is required.

Note for WordPress users.

Just a word of caution for any WP sites.. it was reported that the following line might cause the Theme Customizer site preview to go blank/not work.

Header always append X-Frame-Options SAMEORIGIN

So to avoid any possible issue, it is safe to comment out that line in the previous “Extra Security Headers” code example. Won’t be as secure, but it certainly won’t hurt anything by excluding it. Understand that probably a vast majority of websites have not implemented any of these security headers, and they’re all doing just fine. It’s about adding layers of protection.

Verifying X-Security Headers

Once you’ve implemented these new X-Security Headers, you can verify proper functionality by using a browser extension such as Live HTTP Headers (for Firefox), or similar extensions for other browsers. Once the extension is enabled, simply visit your site and request a few pages. The View Headers screen will display all headers sent by your server.

Here is a screenshot showing all three X-Security Headers implemented on one of my own sites:

The header names pretty much match up exactly as specified via .htaccess. So you’ll know immediately if everything is working properly.