The HTTP protocol provides various header instructions allowing simple improvement of your website security. As usual, make sure to run full tests on your web site as some options may result in some features stop working.
Content Security Policy
The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).
Content-Security-Policy: <policy-directive>; <policy-directive>
More information about CSP is to be found on the Mozilla Developpers website at: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Strict Transport Security
If your website runs in HTTPS, adding HSTS ensures that all traffic is sent through HTTPS.
Strict-Transport-Security "max-age=631138519; includeSubDomains"
Preload option allows for inclusion in a browser based preload list but requires all subdomains to be served with HTTPS enabled. To submit your domain for inclusion on this list, you may follow this link.
X Frame Options
Disallow your page to be embedded within a
X Content Type Options
Disable MIME type sniffing, which can e.g. make IE execute an innocent looking
X XSS Protection
X-XSS-Protection is a HTTP header understood by Internet Explorer 8 (and newer versions). This header lets domains toggle on and off the “XSS Filter” of IE8, which prevents some categories of XSS attacks.
X-XSS-Protection: 1; mode=block
Implementation varies depending on your website’s server.
For an Apache web server implementation, the
Set header instruction is to be used in the
For an nginx web server implementation, the
add_header instruction is to be used.
For an IIS web server implementation, the instructions are to be added in the
For a web server agnostic implementation, the PHP
header instruction can also be used.
For a web server agnostic implementation, the HTML
http-equiv meta tag can also be used.
For a WordPress implementation, the PHP
header instruction can be used. I’ve recently written a WordPress security plug-in to handle this easily.