I previously wrote about what response headers I was sending back from my website – now I have an update.
Part of the problem was that extra headers were being sent which I didn't particularly want, so I've been working on getting rid of them.
The X-Hostname header is, I believe, added by my web host, but I managed to remove it by adding the following mod_headers directive to my .htaccess file…
Header unset X-Hostname
The X-Powered-By header is added by PHP itself, but it was easily removed by setting the following in my php.ini file…
expose_php = Off
The Server header I could not change, unfortunately, because I'm currently on shared hosting and the ServerTokens directive is only valid in the main server configuration, not in .htaccess. For others who do control the server config: the header can't be removed entirely, but it can be cut down to just the product name (so "Server: Apache" rather than the full version and module list), and the matching version footer that Apache appends to its own error pages and directory listings can be switched off, with the following Apache directives…
ServerTokens ProductOnly
ServerSignature Off
So now that I've tidied that up a bit, I wanted to look at what else I should be adding. I found an excellent site for this by Scott Helme called securityheaders.io. You simply scan your site and follow the advice it gives you.
It warned me about the "Server" header, but I've already worked out that I'm going to have to live with that. Other headers it suggested I add included…
The Referrer-Policy header is used to define what referrer information gets sent when someone clicks a link on your site that goes to another site, or even to another page within your own site. Scott Helme has written a great blog post on this, in which he recommends going with "no-referrer-when-downgrade", which sounds good enough for me. My site is currently served over HTTP, but when I move it to HTTPS (yes, this is the plan!) that policy will ensure referrer information isn't passed on to plain-HTTP sites; until then it behaves like sending the full referrer, since there is no downgrade from an HTTP page.
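To check that the unwanted headers above have actually gone, and that Referrer-Policy has arrived, here is a small audit script. It is an added example, not code from the original post or from securityheaders.io: it reads a raw HTTP response header block on stdin (in practice the output of curl -sI against your site), reports any Server, X-Powered-By or X-Hostname header it finds, and reports Referrer-Policy as missing if it is absent. The header names and the sample response embedded at the bottom are constructed for the example; the hostname and version strings in it are made up.

```shell
#!/bin/sh
# Added example (not from the original post): audit a raw HTTP response
# header block for the headers discussed above.
#
# Real usage:  curl -sI https://example.com/ | audit_headers
# Below, a constructed sample response is used so the script runs offline.

# Headers that leak details about the server stack; each one found is reported.
LEAKY_HEADERS="Server X-Powered-By X-Hostname"
# Headers we want present; each one missing is reported.
WANTED_HEADERS="Referrer-Policy"

audit_headers() {
    # Read the whole response header block from stdin, dropping the CR of
    # CRLF line endings so that curl output matches the patterns below.
    hdrs=$(tr -d '\r')

    for h in $LEAKY_HEADERS; do
        # Header names are case-insensitive, hence grep -i. The first match
        # is reported together with its value.
        line=$(printf '%s\n' "$hdrs" | grep -i "^$h:" | head -n 1)
        if [ -n "$line" ]; then
            printf 'LEAK    %s\n' "$line"
        fi
    done

    for h in $WANTED_HEADERS; do
        if ! printf '%s\n' "$hdrs" | grep -qi "^$h:"; then
            printf 'MISSING %s\n' "$h"
        fi
    done
    return 0
}

# Constructed sample: what a typical shared-hosting PHP site answers before
# any of the tidying above has been done (values are made up).
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2018 00:00:00 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.0.22
X-Hostname: web12.example-host.invalid
Content-Type: text/html; charset=UTF-8
'

printf '%s' "$SAMPLE_RESPONSE" | audit_headers
```

Run against the sample it reports three LEAK lines and one MISSING line. Two practical notes: `Header unset` in .htaccess only acts on successful responses, so use `Header always unset X-Hostname` if the header also appears on error pages; and the Referrer-Policy header itself can be added with `Header always set Referrer-Policy "no-referrer-when-downgrade"` in the same .htaccess file. Re-run the check after each change rather than trusting the config edit alone.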