By following the steps below you can fix the following HTTP-header-related security issues, as typically reported by a web application security scanner, in web applications hosted on the Apache web server:
- Web Browser XSS Protection Not Enabled
- X-Frame-Options header not set
- X-Content-Type-Options header missing
- Incomplete or No Cache-control and Pragma HTTP Header Set
These issues can be handled by placing the following lines in the httpd.conf of the Apache web server (or in a virtual host or .htaccess section where mod_headers directives are permitted). Two caveats: the lines below do not set Cache-Control or Pragma, so the fourth item above still needs its own Header directive for the responses concerned, and X-XSS-Protection is ignored by current Chromium-based browsers and was never implemented by Firefox, so the Content-Security-Policy line is what actually mitigates XSS today.

```apache
# Use plain ASCII double quotes; curly quotes break the directive.
# "always" applies the header to error responses (4xx/5xx) too, which
# plain "Header set" does not, and scanners check those pages as well.
Header always set X-XSS-Protection "1; mode=block"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# "set" rather than "append": append would yield "DENY, DENY" or
# "DENY, SAMEORIGIN" if the application already sends the header, and
# browsers treat such a combined value as invalid.
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
Header always set Content-Security-Policy "default-src 'self';"
```
For this the mod_headers module also needs to be enabled, so uncomment the following LoadModule line in httpd.conf (on Debian/Ubuntu packaged Apache, `a2enmod headers` does the same) and reload Apache afterwards:
LoadModule headers_module modules/mod_headers.so
Now, running the security audit test again, you can see that these issues are reported as resolved.
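To verify the result without waiting for the next full scan, the checks a scanner performs for the four findings above can be reproduced against a raw response head (as saved from `curl -sI` or a browser's network panel). The following is an added example written for this post, not code from the original article or from the Apache project; the three response samples are constructed strings, and the Cache-Control check is a simplified approximation of what scanners such as OWASP ZAP look for (presence of no-store or no-cache plus Pragma: no-cache).

```python
"""Audit a raw HTTP response head for the header issues discussed above."""

# Constructed sample responses (not captured traffic): before hardening,
# after the httpd.conf changes, and after a misconfigured "Header append".
RAW_BEFORE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
"""

RAW_AFTER = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self';
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
"""

# What "Header append X-Frame-Options DENY" produces when the application
# already emits the header itself: a combined value browsers reject.
RAW_APPEND = RAW_AFTER.replace("X-Frame-Options: DENY", "X-Frame-Options: DENY, DENY")


def parse_headers(raw):
    """Parse a raw response head into a dict keyed by lower-cased header name.

    Header names are case-insensitive; repeated headers are joined with
    ", " as RFC 7230 permits, so a duplicated X-Frame-Options shows up.
    """
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit_headers(headers):
    """Return a list of finding strings; an empty list means all checks pass."""
    findings = []

    # X-XSS-Protection must exist and start with "1" (filter enabled).
    if not headers.get("x-xss-protection", "").startswith("1"):
        findings.append("Web Browser XSS Protection Not Enabled")

    # X-Frame-Options must be exactly DENY or SAMEORIGIN; "DENY, DENY" fails.
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options header not set")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options header missing")

    # Cache-Control needs no-store or no-cache, and Pragma must be no-cache.
    cc_tokens = {t.strip() for t in headers.get("cache-control", "").lower().split(",")}
    pragma_ok = headers.get("pragma", "").lower() == "no-cache"
    if not ({"no-store", "no-cache"} & cc_tokens) or not pragma_ok:
        findings.append("Incomplete or No Cache-control and Pragma HTTP Header Set")

    return findings


if __name__ == "__main__":
    for label, raw in (("before", RAW_BEFORE), ("after", RAW_AFTER), ("append", RAW_APPEND)):
        print(label, audit_headers(parse_headers(raw)) or "OK")
```

Feeding the script a head captured from the hardened server should print "OK" for every page tested, including a deliberately requested 404, which is where a plain `Header set` (without `always`) leaves the headers missing.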