Response headers – an update

I previously wrote about what response headers I was sending back from my website – now I have an update.

Part of the problem was that extra headers were being sent, which I didn’t particularly want to be sent. So I’ve been working on getting rid of them.

X-Hostname

I believe this is added by my web host, but I managed to remove it by modifying my .htaccess file with the following…

Header unset X-Hostname

X-Powered-By

This is added by PHP, but it was easily removed by modifying my php.ini file with the following…

expose_php = Off

Server

I could not change this, unfortunately, due to the fact that I’m currently using shared hosting, and therefore don’t have access. But for others, whilst it can’t be removed, it can be changed to minimise its output, by adding the Apache directives…

ServerTokens ProductOnly
ServerSignature Off

So now I’ve tidied that up a bit, I wanted to look at what else I should be adding. I found an excellent site for this by Scott Helme called securityheaders.io. You simply scan your site, and follow the advice it gives you.

It warned me about the “Server” header, but I’ve already worked out I’m going to have to live with that. Other headers it suggested that I add included…

Referrer-Policy

This is used to define what referrer information gets sent when someone clicks on a link on your site that goes to another site, or even a page within your own site. Scott Helme has written a great blog post on this, in which he recommends going with “no-referrer-when-downgrade”, which sounds good enough for me. My site is currently shipped over HTTP, but when I move it to HTTPS (yes, this is the plan!) then it will ensure referrer information isn’t passed on to HTTP sites.

Content-Security-Policy

This is used to control what content the browser is allowed to load and run on your site. For example, you can control what JavaScript and stylesheets can be included, inline or from different domains, etc. Again, Scott Helme has written another great blog post on this. He has also created an excellent site called report-uri.com which has a number of tools, including one to help you build your CSP. This is a bit more involved though, so I think I’ll cover this in a separate post.
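
To check the changes above without relying on an external scanner, here is an added example (not code from the original post or from securityheaders.io) that audits a raw response header block for the headers discussed here. The sample responses, host name, version strings and the audit_headers function are constructed for illustration.

```python
import re
from email.parser import Parser

LEAKY = ("x-hostname", "x-powered-by")  # headers the post removes
WANTED = ("referrer-policy", "content-security-policy")  # headers it plans to add
# Policy tokens defined by the W3C Referrer Policy specification.
REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Constructed sample responses (not captured from the author's site).
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.4.25 (Unix) OpenSSL/1.0.2k
X-Powered-By: PHP/7.0.15
X-Hostname: web01.example.net
Content-Type: text/html; charset=UTF-8
"""
AFTER = """HTTP/1.1 200 OK
Server: Apache
Referrer-Policy: no-referrer-when-downgrade
Content-Type: text/html; charset=UTF-8
"""

def audit_headers(raw):
    """Return sorted findings for a raw HTTP response header block."""
    # Skip the status line; the rest parses as RFC 822-style headers.
    _, _, header_text = raw.lstrip().partition("\n")
    headers = Parser().parsestr(header_text, headersonly=True)
    findings = [f"remove: {n}" for n in LEAKY if headers.get(n) is not None]
    # ServerTokens ProductOnly leaves just "Apache"; a digit or "(" means
    # a version, OS or module list is still advertised.
    if re.search(r"[\d(]", headers.get("server", "")):
        findings.append("minimise: server")
    findings += [f"add: {n}" for n in WANTED if headers.get(n) is None]
    policy = headers.get("referrer-policy")
    if policy is not None:
        # A comma-separated fallback list is allowed; need one known token.
        tokens = [t.strip().lower() for t in policy.split(",")]
        if not any(t in REFERRER_POLICIES for t in tokens):
            findings.append("invalid: referrer-policy")
    return sorted(findings)

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(sample))
```

Paste the output of a header-only request against your own site in place of the samples to see which of the steps above still apply.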