How to improve your website security with HTTP header instructions?

by Carl. 11 Comments

The HTTP protocol provides various response headers that allow simple improvements to your website security. As usual, make sure to run full tests on your web site, as some options may cause some features to stop working (inline scripts blocked by a strict CSP, pages that can no longer be framed, and so on).

Available options

Content Security Policy

The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).

Content-Security-Policy: <policy-directive>; <policy-directive>

More information about CSP is to be found on the Mozilla Developer Network website at:

Strict Transport Security

If your website is served over HTTPS, adding HSTS tells browsers that have already seen the header to use HTTPS only for that host (and, with includeSubDomains, for its subdomains) for max-age seconds, even when the user follows a plain http:// link or types the address without a scheme. It does not protect the very first visit, which is what the preload list below is for, and browsers ignore the header when it arrives over plain HTTP, so send it only on HTTPS responses.

Strict-Transport-Security: max-age=631138519; includeSubDomains

The preload directive allows for inclusion in the preload list built into browsers, so that even the first visit goes over HTTPS. The list requires a max-age of at least one year (31536000 seconds), includeSubDomains, the preload directive itself, and every subdomain to be served with HTTPS enabled; once a domain is preloaded, removal takes a long time to reach users, so check all subdomains first. To submit your domain for inclusion on this list, use the HSTS preload submission service.

X Frame Options

Disallow other sites from embedding your page within a <frame>, <iframe> or <object>, which defeats clickjacking. DENY refuses all framing; use SAMEORIGIN instead if your own pages frame each other. The CSP frame-ancestors directive is the modern equivalent and takes precedence when both are present.

X-Frame-Options: DENY

X Content Type Options

Disable MIME type sniffing, which can, for example, make Internet Explorer execute an innocent-looking image URL as JavaScript if its content looks like script. With nosniff the browser trusts the declared Content-Type, so make sure every response carries the correct one.

X-Content-Type-Options: nosniff

X XSS Protection

X-XSS-Protection is an HTTP header understood by Internet Explorer 8 (and newer versions). This header lets domains toggle on and off the “XSS Filter” of IE8, which prevents some categories of reflected XSS attacks. Use mode=block rather than the plain filter mode, which rewrites the page instead of blocking it. Modern browsers have since removed their XSS filters and ignore this header, so treat it as a legacy extra and rely on Content-Security-Policy for real XSS protection.

X-XSS-Protection: 1; mode=block


Implementation varies depending on your website’s server.

  • For an Apache web server implementation, the Header set directive (mod_headers) is to be used in the .htaccess file or the virtual host configuration.
  • For an nginx web server implementation, the add_header directive is to be used. Note that an add_header in a nested location block replaces, rather than extends, the add_header directives inherited from the enclosing block, so repeat the full set where needed.
  • For an IIS web server implementation, the headers are to be added in the <customHeaders> section of web.config.
  • For a web server agnostic implementation, the PHP header() function can also be used; it must be called before any output is sent.
  • For a web server agnostic implementation, the HTML http-equiv meta tag can also be used, but only for Content-Security-Policy (and without frame-ancestors, report-uri and sandbox); X-Frame-Options and Strict-Transport-Security are only honored as real HTTP headers.
  • For a WordPress implementation, the PHP header() function can be used. I’ve recently written a WordPress security plug-in to handle this easily.


Once the headers are deployed, make sure to run the Page, Header & Cookie Security Analyser; it is a useful resource for evaluating your web site’s security.
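The following script is an added example, not the analyser mentioned above nor the plug-in: it parses a raw HTTP response and checks the five headers discussed in this post against the values recommended here, including the HSTS preload conditions, the X-Frame-Options values browsers still honor, and the X-XSS-Protection caveat. The two responses at the bottom are constructed for the demonstration, not captured from a real site, and the CSP used in the hardened one (default-src 'self') is an assumed minimal policy to adapt per site.

```python
"""Audit the security headers discussed in the post (added example)."""
import re

ONE_YEAR = 31536000  # smallest max-age accepted by the HSTS preload list


def parse_headers(raw_response: str) -> dict:
    """Parse a raw HTTP response head into a lower-cased name -> value dict."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value: str):
    """Return (max_age, include_subdomains, preload) from an HSTS value."""
    max_age, subdomains, preload = None, False, False
    for directive in value.split(";"):
        d = directive.strip()
        m = re.fullmatch(r'max-age="?(\d+)"?', d, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif d.lower() == "includesubdomains":
            subdomains = True
        elif d.lower() == "preload":
            preload = True
    return max_age, subdomains, preload


def audit(raw_response: str, served_over_https: bool = True) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw_response)
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP: 'unsafe-inline'/'unsafe-eval' weaken XSS protection")

    hsts = h.get("strict-transport-security")
    if served_over_https:
        if hsts is None:
            findings.append("HSTS: header missing on HTTPS response")
        else:
            max_age, subdomains, preload = parse_hsts(hsts)
            if max_age is None:
                findings.append("HSTS: max-age directive missing")
            elif max_age < ONE_YEAR:
                findings.append("HSTS: max-age below one year (too short for preload)")
            if preload and not subdomains:
                findings.append("HSTS: preload requires includeSubDomains")
    elif hsts is not None:
        findings.append("HSTS: browsers ignore the header on plain HTTP")

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options: header missing")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is obsolete; anything else is ignored by browsers
        findings.append(f"X-Frame-Options: obsolete or invalid value {xfo!r}")

    xcto = h.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options: must be 'nosniff'")

    xxp = h.get("x-xss-protection")
    if xxp is not None and xxp.startswith("1") and "mode=block" not in xxp.lower():
        findings.append("X-XSS-Protection: use '1; mode=block' (or '0'); plain filter mode rewrites the page")

    return findings


# Constructed responses for the demonstration (not captured from a real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=3600; preload\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.com\r\n"
    "X-XSS-Protection: 1\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"  # assumed minimal policy
    "Strict-Transport-Security: max-age=631138519; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for name, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit(raw) or ["all checks passed"])
```

The header values in HARDENED_RESPONSE are exactly the ones to put in your .htaccess Header set lines, nginx add_header lines, web.config <customHeaders> entries or PHP header() calls; to audit a live site, paste the output of a raw HTTPS request (for example from curl -i) into audit() and pass served_over_https=False when checking the plain-HTTP redirect.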

My favorite WordPress plug-ins

by Carl. 1 Comment

WordPress has become a de facto standard when it comes to creating a web site. A web site, not only a blog. Part of this wide use is the ability to customize the WordPress platform down to your very specific needs. Numerous plug-ins are available to help in this task.

We all have our subjective or objective favorites. Continue reading »»

Improving PHP performance

by Carl. 3 Comments

Use of CMS is now widespread and we no longer need to dig into low-level coding to write web pages. This said, we still sometimes have to be able to tweak performance for some specific developments. With attention to minor details, the performance of PHP scripts can be optimized and help to match Google’s attention to speed. Numerous articles deal with improving the performance of PHP scripts; here is a collection of some easy-to-implement tweaks. Continue reading »»

IBMLabs predicts holograms in the next five years

by Carl. 0 Comments

With the fifth edition of its five-year predictions, IBMLabs foresees:

  • generalization of data collection through the dissemination of sensors, giving a real-time image of the environment,
  • 3-D holograms for our telephone and Internet communications,
  • ten times longer battery life thanks to charging from the oxygen in ambient air,
  • recycling of the heat dissipated by data centers,
  • real-time information (traffic, accidents, parking, alternatives, etc.) for the optimization of commutes.

See you in 2015.

Source: the IBMLabs channel on YouTube.

HP to buy Palm

by Carl. 0 Comments

Is HP trying to catch up with the industry?

HP already bought Compaq a couple of years ago to become a major player in the PC market.

Although I’ve never tried it, I love the concept of the Palm Pre. A sound alternative to Apple’s iPhone. But it seems to have been too big a project for Palm. Will this purchase be enough for HP to become a major player in the handheld computer market? Or will it allow HP to become a player on the handheld tablet market?

In any case, this will need HP to fight on the operating systems market. Apple on one side, Google on the other side (not to mention Microsoft who will probably try not to be left behind), not an easy task…

YouTube on your TV

by Carl. 0 Comments

Watching YouTube videos frequently? This is for you.

Google Media Server helps you watch YouTube videos and other digital media files on your TV. All you need is a UPnP-enabled device and to install Google Media Server (Google Desktop is required to index your local files). Windows Media Center does the same for local files, but Google Media Server adds the web streaming.


HD-DVD vs Blu-Ray

by Carl. 0 Comments

And the winner is… Blu-Ray!!!

It was just another battle between formats, remember the BetaMax vs VHS war.

Since Toshiba, the main driving force behind HD DVD, recently announced it would no longer develop, manufacture and market HD DVD players, we’re settled for Blu-Ray. OK! But is it really the end? Is Blu-Ray really the winner? And for how long?

This war, maintaining confusion in the customers’ minds and thus delaying possible mass adoption, has helped a third-party actor, online video, to move up. While online video is still not a strong actor, it will probably challenge DVD and Blu-Ray much sooner than planned.

Let’s have a look at what happened and happens on the music market and let’s try to learn from it.

The story is quite different but the outcome may be the same. While the audio industry was happy with the Audio CD, new formats have been introduced to fight against piracy. SACD on one hand, DVD-A on the other but no one really cared about what the consumer wanted, access to a lot of music at a reasonable price. Downloadable music answered the need, legally or not. We now have a situation where “hardware” music sales drop down every year. And the only lacking step for downloadable music to win the battle is the definition of a true standard for each change of player.

While music can be listened to several times, this is less true for movies. Therefore, downloadable video or online VOD will probably win the battle even faster, probably as soon as the broadband Internet access bandwidth allowing it is widely available. An EC report forecasts that, by 2010, almost 90 percent of Europe’s home Internet users will use broadband, among which 33 percent will be connected using fibre optic networks. With download bandwidths of up to 100 Mbit/s allowing HD TV to be streamed in real time, no doubt the fibre optic network customers will switch to downloadable or online video rapidly.

So I’m afraid the golden days of Blu-Ray won’t last long. Once again, everything is in the hands of the content providers. Will they try to protect their old-fashioned business model as the music majors did? Or will they manage to take customers’ expectations into account and come out with updated business models? Not being able to make the right choice at the right time caused severe damage to the music industry…