What
When we visit any website in a browser, the browser sends request headers to the server and the server responds with HTTP response headers.
These headers are used by the client and server to share information as part of the HTTP protocol; the browser adjusts how it treats the web page according to the headers it receives from the server. Each header is a key-value pair, with the name and value separated by a colon (:).
Why
Too many data breaches are happening today; many websites are hacked because of misconfiguration or a lack of protection. These security headers help protect your website from some common attacks such as XSS, code injection and clickjacking.
Additionally, these headers increase your website's SEO score.
How
The security headers are added to the .htaccess file. Here are the ones used on this website:
# Security Headers
<IfModule mod_headers.c>
    # Ask the browser to load any http:// subresources over https:// instead
    Header set Content-Security-Policy "upgrade-insecure-requests"
    # HSTS: force HTTPS for one year (31536000 s), including subdomains
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # Legacy XSS filter switch; ignored by current browsers, kept for older ones
    Header set X-Xss-Protection "1; mode=block"
    # Block iFrames: only pages from this origin may frame ours (clickjacking).
    # "always" also covers error responses; set it once here so the header is
    # not emitted twice and the directive is skipped if mod_headers is absent.
    Header always set X-Frame-Options "SAMEORIGIN"
    # Stop the browser guessing a different content type than the one sent
    Header set X-Content-Type-Options "nosniff"
    # Full referrer same-origin, origin only cross-origin, none on HTTPS->HTTP
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    # Restrict the Geolocation API to this origin
    Header set Permissions-Policy "geolocation=self"
</IfModule>
# Keep php
DirectoryIndex index.php index.html
With these in place, forestpathways.co.uk scores A+ (see the scan result below).
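A quick way to confirm the configuration actually reaches the browser is to capture a response (for example with curl -i) and audit its header block. The script below is an added example, not code from the original page or from forestpathways.co.uk: it parses a constructed, sample response header block, checks for each header the .htaccess above is meant to emit, and also reports the two things that commonly go wrong with this kind of setup, a header emitted twice (as happens when X-Frame-Options is set both inside and outside the IfModule block) and an HSTS max-age shorter than a year. The sample response, the EXPECTED table and the function names are this example's own.

```python
"""Audit a captured HTTP response header block for the security headers
discussed above. Added example; not part of the original page."""
from collections import defaultdict

ONE_YEAR = 31536000  # seconds; the HSTS max-age used in the .htaccess above

# Headers and values the .htaccess above is meant to produce (from the page).
EXPECTED = {
    "content-security-policy": "upgrade-insecure-requests",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "geolocation=self",
}

# Constructed sample (not a real capture): Permissions-Policy is missing,
# X-Frame-Options appears twice, and the deprecated X-Xss-Protection is present.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Security-Policy: upgrade-insecure-requests
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Xss-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-FRAME-OPTIONS: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: text/html; charset=UTF-8

<html><body>hello</body></html>
"""


def parse_headers(raw: str) -> dict:
    """Parse the header section of a raw HTTP response into a dict that maps
    lower-cased header names to the list of values seen (headers may repeat).
    Header names are case-insensitive, so X-FRAME-OPTIONS and X-Frame-Options
    land in the same bucket; the status line and body are ignored."""
    headers = defaultdict(list)
    lines = raw.lstrip().splitlines()
    start = 1 if lines and lines[0].startswith("HTTP/") else 0
    for line in lines[start:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value; 0 if absent."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0


def audit(raw: str) -> dict:
    """Compare a raw response against EXPECTED and return the findings:
    missing headers, values that do not match, headers emitted more than
    once, an HSTS max-age below one year, and the deprecated XSS filter."""
    headers = parse_headers(raw)
    findings = {"missing": [], "mismatch": [], "duplicate": [],
                "weak_hsts": [], "deprecated": []}
    for name, want in EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            findings["missing"].append(name)
            continue
        if len(values) > 1:
            findings["duplicate"].append(name)
        if want not in values:  # exact string comparison against the page's values
            findings["mismatch"].append(name)
    for value in headers.get("strict-transport-security", []):
        if hsts_max_age(value) < ONE_YEAR:
            findings["weak_hsts"].append(value)
    if "x-xss-protection" in headers:
        # Current browsers ignore this header; its filter has been removed.
        findings["deprecated"].append("x-xss-protection")
    return findings


if __name__ == "__main__":
    for category, items in audit(SAMPLE_RESPONSE).items():
        print(f"{category:10s} {items}")
```

Run against a real capture, an empty "missing" and "duplicate" list is what an A+ configuration should produce; a populated "duplicate" list is the signal that a header directive has been declared twice in the .htaccess.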