Security Headers in htaccess Don't Work

2017-07-17 11:43:47

We have an issue on our server when our Security Headers are not working. We added the following to our .htaccess file after installing Craft CMS:

Header always set X-Xss-Protection "1; mode=block"

Header always set X-Content-Type-Options "nosniff"

Header always append X-Frame-Options ALLOWALL

Header always set Strict-Transport-Security "max-age=31536000"

Header always set Referrer-Policy no-referrer

These settings worked on our previous CMS which was completely developed in house. We have recently upgraded our server to PHP 7 and Apache 2.4. We have been using https://securityheaders.io to check our results.

Any help trying to get this to work would be really appreciated.
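A quick way to confirm what the server is actually sending, as an added example that is not part of the original post: the shell function below reads a raw response header block (what `curl -sI https://your-site.example/` prints; that host is a placeholder) and reports which of the five headers from the .htaccess snippet are absent. The two responses are constructed samples so it runs offline; one shows the symptom in the question, the other what mod_headers produces once the directives apply. Two caveats worth knowing while checking: `Header` directives are silently ignored when mod_headers is not loaded (`apachectl -M` lists the loaded modules), and `ALLOWALL` is not a value browsers recognise for X-Frame-Options, so that line gives no clickjacking protection even when it is delivered.

```shell
#!/bin/sh
# Added example, not code from the original post: report which expected
# security headers are missing from an HTTP response header block.
# Live use:  curl -sI https://your-site.example/ | check_security_headers
# (the host is a placeholder; the responses below are constructed samples)

# Header names the .htaccess snippet in the question is meant to set.
EXPECTED="X-Xss-Protection X-Content-Type-Options X-Frame-Options Strict-Transport-Security Referrer-Policy"

# Reads a raw header block on stdin, prints "missing: <name>" for each expected
# header not found at the start of a line (case-insensitive, as header names are),
# and returns 1 if anything is missing, 0 if all are present.
check_security_headers() {
    headers=$(cat)
    missing=0
    for name in $EXPECTED; do
        if printf '%s\n' "$headers" | grep -iq "^$name:"; then
            continue
        fi
        echo "missing: $name"
        missing=1
    done
    return $missing
}

# Constructed sample: the symptom in the question. Only Apache's and the
# application's own headers appear; the .htaccess directives had no effect.
SAMPLE_IGNORED='HTTP/1.1 200 OK
Date: Mon, 17 Jul 2017 11:43:47 GMT
Server: Apache/2.4
Content-Type: text/html; charset=UTF-8'

# Constructed sample: the same response once mod_headers applies the rules.
SAMPLE_APPLIED='HTTP/1.1 200 OK
Date: Mon, 17 Jul 2017 11:43:47 GMT
Server: Apache/2.4
Content-Type: text/html; charset=UTF-8
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOWALL
Strict-Transport-Security: max-age=31536000
Referrer-Policy: no-referrer'

echo "== directives ignored =="
printf '%s\n' "$SAMPLE_IGNORED" | check_security_headers \
    || echo "next step: confirm mod_headers is loaded and AllowOverride allows FileInfo for this directory"

echo "== directives applied =="
printf '%s\n' "$SAMPLE_APPLIED" | check_security_headers && echo "all expected headers present"
```

If the live check reports every header missing, the .htaccess file is not being honoured at all (mod_headers not loaded, or `AllowOverride` too restrictive after the Apache 2.4 upgrade); if only some are missing, look at the individual directives instead.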

  • I'm assuming mod_headers is installed & active? Otherwise I can't say why the .htaccess rules are not applied (devOps is not my forte) but you could set them through the twig template.

    See here for the tag to use. Basically it comes down to something like this (untested):

    {% header "X-Xss-Protection: 1; mode=block" %}

    {% header "X-Content-Type-Options: nosniff" %}

    {% header "X-Frame-Options: ALLOWALL" %}

    {% header "Strict-Transport-Security: max-age=31536000" %}

    {% header "Referrer-Policy: no-referrer" %}

    You can make those in a block and just include the block on all the relevant pages.

    2017-07-17 13:30:54