Secure header report and best-practice config for Apache, Nginx, lighttpd, Cloudflare and Netlify
Attention: This repository is not ready to use; I'm trying to get it ready in my free time.
Pull requests are always welcome :)
I suggest you don't copy-paste config from this repo, especially if you have a custom web application; our examples may break your software. Read these articles first:
- Mozilla (online)
- securityheaders.com (online)
- Mozilla CLI (uses the Mozilla API)
python report.py -h  # help
python report.py -u <url> -o <output filename> -l <target list filename>
python report.py -u https://facebook.com -o FBreport  # check one site
python report.py -l input.text -o report  # check every URL in a list file
How to add headers to Apache, nginx and lighttpd
Note on the directives used below: Apache's "Header set" only applies to successful responses, while "Header always set" also covers error responses; nginx's "add_header" likewise skips 4xx/5xx responses unless "always" is appended, and any add_header inside a location block replaces every add_header inherited from the enclosing server block, so repeat the full set there. Reload the server after editing and verify the result with one of the online checkers above.
- X-Frame-Options
- apache
Header set X-Frame-Options "DENY"
- nginx
add_header X-Frame-Options "DENY";
- lighttpd
setenv.add-response-header = ("X-Frame-Options" => "DENY",)
- X-XSS-Protection
- Note: Chromium-based browsers have removed the XSS auditor this header controlled and Firefox never implemented it, so it only affects legacy browsers; a Content-Security-Policy is the control that actually blocks injected scripts.
- apache
Header set X-XSS-Protection "1; mode=block"
- nginx
add_header X-XSS-Protection "1; mode=block";
- lighttpd
setenv.add-response-header = ("X-XSS-Protection" => "1; mode=block",)
- X-Content-Type-Options
- apache
Header set X-Content-Type-Options "nosniff"
- nginx
add_header X-Content-Type-Options "nosniff";
- lighttpd
setenv.add-response-header = ("X-Content-Type-Options" => "nosniff",)
- Content-Security-Policy
- Attention: this part is essential, and it will almost certainly need customization for your application. The example below sets only script-src and object-src, so every other resource type stays unrestricted; add a default-src fallback, and deploy the policy first as Content-Security-Policy-Report-Only to see what it would block before enforcing it.
- report-uri (online tool to generate CSP)
- csp cheat sheet
- apache
Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
- nginx
add_header Content-Security-Policy "script-src 'self'; object-src 'self'";
- lighttpd
setenv.add-response-header = ("Content-Security-Policy" => "script-src 'self'; object-src 'self'",)
- Strict-Transport-Security (HSTS)
- hsts cheat sheet
- Note: send HSTS only over HTTPS, and only once every subdomain is served over HTTPS, because includeSubDomains commits all of them for the full max-age. Start with a short max-age and raise it to six months once nothing breaks.
- apache (15768000 seconds = 6 months):
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
- nginx:
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
- lighttpd:
setenv.add-response-header = ("Strict-Transport-Security" => "max-age=15768000; includeSubDomains",)
- Referrer-Policy
- apache
Header set Referrer-Policy "no-referrer"
- nginx
add_header Referrer-Policy "no-referrer";
- lighttpd
setenv.add-response-header = ("Referrer-Policy" => "no-referrer",)
- Feature-Policy
- Note: Feature-Policy has been superseded by Permissions-Policy, which uses a different syntax (for example camera=(), microphone=()); browsers that dropped Feature-Policy ignore the header below, so send Permissions-Policy alongside it.
- apache
Header set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"
- nginx
add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
- lighttpd
setenv.add-response-header = ("Feature-Policy" => "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'",)
- Clear-Site-Data
- Note: the directives of this header are quoted strings, so the browser must receive the value "cache" including the double quotes; a config line that sends the bare word cache is ignored. Sending it on every response also throws away the browser cache on every request, so scope it to the logout response (a <Location> or location block) and consider adding "cookies" and "storage" there.
- apache: edit your Apache configuration file and add the following to your VirtualHost.
Header always set Clear-Site-Data "\"cache\""
- nginx: add the snippet below to your configuration file to send the Clear-Site-Data header.
add_header Clear-Site-Data '"cache"' always;
- lighttpd: add the snippet below to your configuration file to send the Clear-Site-Data header.
setenv.add-response-header = ("Clear-Site-Data" => "\"cache\"",)
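The report script above checks a live site through the Mozilla API. As an added offline example (not this repository's report.py), the Python below applies the same kind of checks to a response-header mapping: it flags missing headers, an HSTS max-age below the six months used above, a CSP without a default-src fallback or with unsafe script sources, an X-Frame-Options value other than DENY/SAMEORIGIN, and Clear-Site-Data directives that are not quoted strings. The two sample responses, the function names and the finding messages are constructed for this example.

```python
"""Offline security-header checker (added example, not this repo's report.py).

check_headers() takes the response headers of one page as a dict and returns
a list of findings: "warn: ..." for weaknesses, "info: ..." for advice.
The sample responses at the bottom are constructed, not captured from a site.
"""
import re
from typing import Dict, List, Mapping

SIX_MONTHS = 15768000  # seconds; the HSTS max-age recommended in this README


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_headers(headers: Mapping[str, str]) -> List[str]:
    """Return findings for one response; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("warn: missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None:
            findings.append("warn: Strict-Transport-Security has no max-age")
        elif int(m.group(1)) < SIX_MONTHS:
            findings.append("warn: Strict-Transport-Security max-age is shorter than six months")
        if "includesubdomains" not in hsts.lower():
            findings.append("warn: Strict-Transport-Security lacks includeSubDomains")

    policy: Dict[str, List[str]] = {}
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("warn: missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("warn: Content-Security-Policy has no default-src fallback")
            if "object-src" not in policy:
                findings.append("warn: Content-Security-Policy leaves object-src unrestricted")
        # script-src falls back to default-src when it is absent
        script_sources = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in script_sources:
                findings.append(f"warn: Content-Security-Policy script-src allows {weak}")

    xfo = h.get("x-frame-options")
    if xfo is None:
        if "frame-ancestors" not in policy:
            findings.append("warn: missing X-Frame-Options and no CSP frame-ancestors")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"warn: X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("warn: X-Content-Type-Options is not nosniff")

    referrer = h.get("referrer-policy")
    if referrer is None:
        findings.append("warn: missing Referrer-Policy")
    elif referrer.lower() == "unsafe-url":
        findings.append("warn: Referrer-Policy unsafe-url leaks full URLs cross-origin")

    if "feature-policy" in h and "permissions-policy" not in h:
        findings.append("info: Feature-Policy is set but its successor Permissions-Policy is not")

    # Clear-Site-Data directives are quoted strings; a bare word is ignored by browsers
    csd = h.get("clear-site-data")
    if csd is not None:
        for token in (t.strip() for t in csd.split(",")):
            if len(token) < 2 or token[0] != '"' or token[-1] != '"':
                findings.append(f"warn: Clear-Site-Data directive {token!r} must be a quoted string")

    return findings


# Constructed sample responses for the example (not captured from a real site).
WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'; object-src 'self'",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "Clear-Site-Data": "cache",  # what an unescaped Header set Clear-Site-Data "cache" emits
}

HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=15768000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Clear-Site-Data": '"cache", "cookies"',
}

if __name__ == "__main__":
    for name, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {name} ==")
        for line in check_headers(response) or ["ok: all checks passed"]:
            print(" ", line)
```

To use it against a real server, feed it the headers returned by your HTTP client (for example the dict from a requests response) instead of the constructed samples; the checks are the same ones a reviewer would run by hand against the config sections above.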
- Mozilla SSL Configuration Generator (Apache)
- Free SSL + secure headers
- add netlify.com secure headers best practice
- add Cloudflare Workers custom headers config and best practice
- add lighttpd and apache secure config.
- add CSV export to report script
- add secure header suggestions to report script
- add web server config generation to report script
- add simple intro document for explain secure header in human language
- add Persian documentation (if anyone wants it)