Security Headers

Currently I work on a presentation about web application security based on OWASP. One topic among many others involves security headers, which are usually sent by the server to prevent certain risks. I have also checked my weblog and added most headers in my Apache config file.

Finally, the test at securityheaders.com shows an A.

Apache Config

One tricky thing was how to set the Content-Security-Policy header, which can grow to a very long statement. Luckily, the Apache headers module offers quite some directives to add, modify and append to response headers. Append helps to split a long header statement on multiple lines. But this alone will not work, as append uses commas to separate the header directives. But the Content-Security-Policy policy directives must be separated by semicolons. And here, another header directive comes to the rescue – edit* does a RegEx replace for multiple occurrences.

1
2
3
4
5
6
7
8
9
<VirtualHost *:443>
  ...
  Header unset Content-Security-Policy
  Header add Content-Security-Policy "default-src 'self'"
  Header append Content-Security-Policy "script-src 'self' https://trusted.script.domain"
  Header append Content-Security-Policy "style-src 'self' https://trusted.style.domain"
  Header edit* Content-Security-Policy , ;
  ...
</VirtualHost>