Fixing HTTP Security Header Not Detected

You may have received a vulnerability report/scan stating that you need to fix ‘HTTP Security Header Not Detected’ on some web servers.

We’ll add three missing headers: X-Frame-Options, X-XSS-Protection and X-Content-Type-Options.

First, run curl to test your server:

Code:
curl -I https://www.linux.org

You’ll see something like:

Code:
HTTP/1.1 200 OK
Date: Fri, 16 Jun 2017 18:55:07 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Fri, 16 Jun 2017 18:55:07 GMT
Content-Length: 109622
Content-Type: text/html; charset=UTF-8

Now, let’s fix it…

Apache:

Add the following to httpd.conf (or apache2.conf) and restart. The Header directive is provided by mod_headers, so make sure that module is loaded (on Debian/Ubuntu: a2enmod headers).

Code:
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff

nginx:

Add the following to your nginx.conf (in the http or server block). Note that nginx only inherits add_header directives from the enclosing block if the current block has no add_header of its own, so a location block that sets its own headers must repeat these.

Code:
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;

Once the directives are added, restart Apache/nginx and test again with curl:

Code:
curl -I https://www.linux.org

You’ll see something like this:

Code:
HTTP/1.1 200 OK
Date: Fri, 16 Jun 2017 18:55:07 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-Frame-Options: SAMEORIGIN
Last-Modified: Fri, 16 Jun 2017 18:55:07 GMT
Content-Length: 109622
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
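Reading curl output by eye is fine for one server, but a scanner will flag every host you run. The script below is an added example (not part of the original post) that parses `curl -I` style output and reports which of the three headers are missing or carry an unexpected value; the set of accepted values per header is this example's assumption.

```python
import sys

# Headers the scan finding asks for, with the values treated as acceptable
# (the allowed sets are this example's assumption, not from the post).
EXPECTED = {
    "x-frame-options": {"DENY", "SAMEORIGIN"},
    "x-content-type-options": {"NOSNIFF"},
    "x-xss-protection": {"1; MODE=BLOCK"},
}

def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse raw `curl -I` output into {lowercase name: [values]}.
    Repeated headers (e.g. an appended X-Frame-Options) are kept as a list."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue  # skip blank lines and the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check_security_headers(raw: str) -> dict[str, str]:
    """Return a verdict per expected header: 'ok', 'missing' or 'unexpected: <value>'."""
    headers = parse_headers(raw)
    report: dict[str, str] = {}
    for name, allowed in EXPECTED.items():
        values = headers.get(name)
        if not values:
            report[name] = "missing"
            continue
        # Collapse whitespace and upper-case so "1; mode=block" matches the allowed form.
        bad = [v for v in (" ".join(v.split()).upper() for v in values) if v not in allowed]
        report[name] = "ok" if not bad else "unexpected: " + ", ".join(bad)
    return report

# Constructed sample mirroring the "before" output shown in the post.
SAMPLE_BEFORE = """HTTP/1.1 200 OK
Date: Fri, 16 Jun 2017 18:55:07 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    # Pipe `curl -sI <url>` into this script, or run it as-is on the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BEFORE
    for name, verdict in check_security_headers(raw).items():
        print(f"{name}: {verdict}")
```

Run over the post's "after" output, all three entries come back `ok`; run over the "before" output, all three report `missing`.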

Now, you can sleep soundly!
