Security Headers
I am currently working on a presentation about web application security based on OWASP. One topic among many others is security headers, which the server sends to mitigate certain risks. I have also checked my own weblog and added most of these headers to my Apache configuration:
- Strict-Transport-Security
- X-Frame-Options
- X-Content-Type-Options
- Content-Security-Policy
- Referrer-Policy
Finally, the test at securityheaders.com shows an A.
Apache Config
One tricky part was setting the Content-Security-Policy header, whose value can grow into a very long statement. Luckily, the Apache headers module (mod_headers) offers several directives to add, modify and append to response headers. Append lets you split a long header value over multiple lines. On its own, however, this does not work: append joins the values with commas, whereas Content-Security-Policy directives must be separated by semicolons. Here another Header action comes to the rescue: edit* performs a regular-expression replacement of every occurrence, so a final edit* turns each comma into a semicolon. This is safe for CSP because none of its source expressions contain a comma.
<VirtualHost *:443>
...
# Drop any inherited CSP value first, so "add" does not produce a duplicate header
Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
# "append" merges onto the existing value; mod_headers separates the parts with ", "
Header append Content-Security-Policy "script-src 'self' https://trusted.script.domain"
Header append Content-Security-Policy "style-src 'self' https://trusted.style.domain"
# CSP directives must be separated by ";", so rewrite every "," the merge inserted
Header edit* Content-Security-Policy "," ";"
# Note: plain "Header" applies to non-error responses; "Header always ..." also covers 4xx/5xx pages
...
</VirtualHost>
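To see why the edit* step matters, here is an added Python simulation (not part of the original post and not Apache code) of the mechanism described above: add/append merge the values with ", " (Apache's apr_table_merge separator), edit* rewrites every comma, and a small CSP parser shows which directives a browser would actually see with and without the rewrite. The three policy values are the ones from the VirtualHost snippet, embedded as constructed input.

```python
import re

# Constructed sample: the three values from the VirtualHost snippet above.
CSP_PARTS = [
    "default-src 'self'",
    "script-src 'self' https://trusted.script.domain",
    "style-src 'self' https://trusted.style.domain",
]

def build_csp(parts, apply_edit=True):
    """Header value Apache would send: add/append merge values with ', '
    (apr_table_merge); edit* then rewrites every ',' to ';'."""
    value = ", ".join(parts)
    if apply_edit:
        value = re.sub(",", ";", value)
    return value

def parse_csp(value):
    """{directive: [sources]} as a browser splits it: directives on ';',
    tokens on ASCII whitespace; a repeated directive name is ignored."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def check_csp(value):
    """Findings that betray a comma-joined policy: sources carrying a ','
    and directive names swallowed into the first directive's source list."""
    findings = []
    policy = parse_csp(value)
    if "default-src" not in policy:
        findings.append("no default-src fallback")
    for name, sources in policy.items():
        for src in sources:
            if "," in src:
                findings.append(f"{name}: source {src!r} contains ','")
            elif src.lower().endswith("-src"):
                findings.append(f"{name}: directive {src!r} parsed as a source")
    return findings

if __name__ == "__main__":
    for edit in (False, True):
        value = build_csp(CSP_PARTS, apply_edit=edit)
        print(f"edit*={edit}: {value}")
        print("  directives:", sorted(parse_csp(value)))
        print("  findings:", check_csp(value) or "none")
```

Without the edit* step the whole policy collapses into a single default-src directive, so script-src and style-src never take effect and the trusted script and style hosts end up blocked by the 'self' fallback.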