Analyze your web site with this Mozilla link
- Put this meta tag in the head of your HTML template page:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; child-src 'none'; object-src 'none'">
- In your php.ini file set these directives:
session.cookie_secure = 1
session.use_only_cookies = 1
session.cookie_httponly = 1
Enabling the X-Content-Type-Options Header
Enabling this security header on your origin server is quite easy and can be done in a couple of steps. Which snippet you add to your server's configuration file depends on which web server you are using. The following section outlines what needs to be added for both Nginx and Apache web servers.
Nginx
For Nginx users, add the following snippet to your .conf file. Once done, save your changes and reload Nginx.
add_header X-Content-Type-Options "nosniff";
Apache
For Apache users, simply add the following snippet to your .htaccess file. Once done, save your changes.
Header set X-Content-Type-Options "nosniff"
Enabling your web server to deliver the X-Content-Type-Options header is quite simple to do.
Implementation Procedure in Apache
- Ensure you have mod_headers.so enabled in Apache HTTP server
- Add the following entry in httpd.conf:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
- Restart Apache HTTP server to test
Note: Header edit is not compatible with Apache versions lower than 2.2.4.
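The Header edit rule above captures the whole Set-Cookie value and appends ";HttpOnly;Secure" to it unconditionally, so a cookie that already carries one of the attributes ends up with it twice. The following Python script is an added example (not part of the original notes or of Apache) that re-implements the same regex substitution on constructed Set-Cookie values so the effect can be seen, and beside it a variant that only appends the attributes that are missing:

```python
import re

# Python re-implementation of the Apache directive
#     Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# The whole header value is captured by ^(.*)$ and the two attributes
# are appended to it, whether or not they are already present.
APACHE_PATTERN = re.compile(r"^(.*)$")
APACHE_REPLACEMENT = r"\1;HttpOnly;Secure"


def apache_header_edit(set_cookie: str) -> str:
    """Apply the page's 'Header edit' rule to one Set-Cookie value.

    count=1 mirrors 'Header edit', which rewrites the first match only
    ('Header edit*' would rewrite every match).
    """
    return APACHE_PATTERN.sub(APACHE_REPLACEMENT, set_cookie, count=1)


def ensure_cookie_flags(set_cookie: str) -> str:
    """Append HttpOnly and Secure only when the cookie does not have them.

    Cookie attribute names are case-insensitive, so the comparison is
    done on lower-cased attribute text.
    """
    # Everything after the first ';' is attributes (Path, Domain, flags...).
    present = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    result = set_cookie.rstrip("; ")
    for flag in ("HttpOnly", "Secure"):
        if flag.lower() not in present:
            result += "; " + flag
    return result


if __name__ == "__main__":
    # Constructed sample values, not captured from any real server.
    samples = [
        "PHPSESSID=abc123; path=/",
        "PHPSESSID=abc123; path=/; HttpOnly",
        "id=1; Secure; HttpOnly",
    ]
    for value in samples:
        print("original :", value)
        print("Apache   :", apache_header_edit(value))
        print("checked  :", ensure_cookie_flags(value))
        print()
```

The duplicated attribute is harmless to browsers, but the blanket rule also marks every cookie Secure, which is only appropriate when the whole site is served over HTTPS: browsers do not send Secure cookies on plain HTTP requests.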
Configuring Apache
To configure Apache to send the X-Frame-Options header for all pages, add this to your site's configuration:
Header always set X-Frame-Options "sameorigin"
To configure Apache to set X-Frame-Options to deny, add this to your site's configuration:
Header set X-Frame-Options "deny"
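A quick way to confirm that the settings from these notes (the CSP, the nosniff header, the X-Frame-Options header and the session cookie flags) actually reach the client is to audit the response headers. The script below is an added example, not code from the original notes; it checks a plain dict of response headers and returns a list of findings, run here against two constructed header sets. It assumes CSP is delivered as a response header; a policy delivered only through the meta tag shown at the top of the page would need the HTML body parsed instead.

```python
from typing import Dict, List

# Constructed sample responses (not captured from any real site). A real
# response can carry several Set-Cookie headers; one is used here for brevity.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "PHPSESSID=abc123; path=/",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; child-src 'none'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "sameorigin",
    "Set-Cookie": "PHPSESSID=abc123; path=/; HttpOnly; Secure",
}


def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weak setting; an empty list means all checks passed."""
    findings: List[str] = []

    # CSP: present, and carrying the directives the page's policy relies on.
    csp = _get(headers, "Content-Security-Policy")
    if not csp:
        findings.append("Content-Security-Policy header missing")
    else:
        directives = {d.strip().split()[0].lower() for d in csp.split(";") if d.strip()}
        for wanted in ("default-src", "object-src"):
            if wanted not in directives:
                findings.append(f"CSP lacks {wanted} directive")

    # MIME sniffing protection: the only meaningful value is 'nosniff'.
    if _get(headers, "X-Content-Type-Options").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # Clickjacking protection: value is case-insensitive.
    xfo = _get(headers, "X-Frame-Options").strip().lower()
    if xfo not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")

    # Session cookie flags, matching the php.ini settings at the top of the page.
    cookie = _get(headers, "Set-Cookie")
    if cookie:
        attrs = {part.strip().lower() for part in cookie.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"Set-Cookie lacks {flag}")

    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {audit_security_headers(headers) or 'no findings'}")
```

To audit a live server, pass the header mapping of a response obtained with urllib.request or http.client in place of the constructed dicts; the checks themselves do not change.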
Configuring nginx
To configure nginx to send the X-Frame-Options header, add this either to your http, server or location configuration: