Working Towards An A Rating on SecurityHeaders Report

I’ve long been meaning to update the settings on my blog to improve my rating on the fantastic https://securityheaders.io website. It was created by Scott Helme and aims to help improve the security of a website by providing a rating based on certain attributes.

First off let me show you the initial report – it is the source of many tears…

Initial Scan Results from SecurityHeaders.IO For ByteSizedAlex.com

Yep, an F. Not exactly great, but now is the time to start amending some of these settings, and I will try to cover some of the work in this post. Please be mindful, if you intend to use this as a reference, that all websites are unique and my setup and hosting platform may be radically different from your own, so this is not intended as a walkthrough, merely a point of reference for myself and insight for others. I’ll cover the various headers in no particular order, and I suggest you check out Scott’s article for further information: https://scotthelme.co.uk/hardening-your-http-response-headers/


X-Content-Type-Options

I’m looking for the end of my .htaccess file so I can add the following after “# END WordPress” to enable the ‘nosniff’ content type option: Header set X-Content-Type-Options nosniff

# END WordPress
Header set X-Content-Type-Options nosniff


X-Frame-Options

Next I will add the following header: Header append X-Frame-Options “SameOrigin”

# END WordPress
Header set X-Content-Type-Options nosniff
Header append X-Frame-Options "SameOrigin"


XSS-Protection

Now it’s time to take care of the XSS protection: Header set X-XSS-Protection “1; mode=block”

# END WordPress
Header set X-Content-Type-Options nosniff
Header append X-Frame-Options "SameOrigin"
Header set X-XSS-Protection "1; mode=block"


HTTP Strict Transport Security – HSTS

Now I’m going to set up my HSTS policy: Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains”

# END WordPress
Header set X-Content-Type-Options nosniff
Header append X-Frame-Options "SameOrigin"
Header set X-XSS-Protection "1; mode=block"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"


Content Security Policy

The easiest way I found to configure my CSP was to use the tools on https://report-uri.io, which is another site created by Scott. I’m actually going to spend more time tinkering with my policy, so I won’t drop the code here as it will likely change quite a bit over the next few weeks.
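Before re-running the scanner it is worth checking a captured response for the headers built up above. The script below is an added example, not code from the original post: it parses a response header block and reports whether each header the post configures is present and sensibly valued (including the case where a second X-Frame-Options value sneaks in from “Header append”). The sample response and the function names are my own constructions.

```python
import re

# Constructed sample response (not captured from any real site) after
# the .htaccess rules above have been applied; no CSP yet, as in the post.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""
ONE_YEAR = 31536000  # the HSTS max-age the post uses


def parse_headers(raw):
    """Return {lowercase-name: [values]}, keeping repeated headers separate."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw):
    """Map each header from the post to 'ok', 'missing' or a short problem."""
    h = parse_headers(raw)
    r = {}
    v = h.get("x-content-type-options")
    r["X-Content-Type-Options"] = ("missing" if v is None else
                                   "ok" if v[0].lower() == "nosniff" else "unexpected value")
    v = h.get("x-frame-options")
    if v is None:
        r["X-Frame-Options"] = "missing"
    elif len(v) > 1 or "," in v[0]:
        # 'Header append' on a header something else already set gives two
        # values, which browsers handle inconsistently; flag it for review.
        r["X-Frame-Options"] = "duplicate values"
    else:
        r["X-Frame-Options"] = "ok" if v[0].upper() in ("DENY", "SAMEORIGIN") else "unexpected value"
    v = h.get("x-xss-protection")
    r["X-XSS-Protection"] = ("missing" if v is None else
                             "ok" if v[0].replace(" ", "") == "1;mode=block" else "not blocking")
    v = h.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", v[0], re.I) if v else None
    r["Strict-Transport-Security"] = ("missing" if v is None else "no max-age" if m is None else
                                      "ok" if int(m.group(1)) >= ONE_YEAR else "max-age under one year")
    r["Content-Security-Policy"] = "ok" if "content-security-policy" in h else "missing"
    return r
```

Feed it the output of a raw header capture of your own site (for example the response from `curl -sI`) instead of the constructed sample to audit a live deployment.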


Time to check the results again!

SecurityHeaders.io Grade A Scan results for bytesizedalex.com


You may notice that I have not configured the public key pinning option. This is something I am going to action soon and will update this post on completion, hopefully having finished my CSP policy as well.
