There are two primary server types that many sites use to respond to HTTP security requests from a browser: Microsoft...
Internet Information Services (IIS) Manager and Nginx. Let's look at some examples of adding HTTP security headers for each server type.
Some companies, such as Adobe, run their websites on Apache servers. The Apache server is an old timer; it has been around since 1996. The Nginx server emerged in 2004 as an Apache alternative. They differ in four primary areas:
- Content type. Apache handles both static and dynamic content, while Nginx handles static content and passes dynamic requests to other software.
- Module system. Apache's module system enables the organization to dynamically load or unload modules while the server is running. In Nginx, modules are not dynamically loadable; they must be selected and compiled in the core software.
- Configuration files. With Nginx, there is no directory-level configuration file like Apache's .htaccess or IIS's web.config files. All configurations have to be done at the server level by an administrator, and WordPress cannot modify the configuration like it can with Apache or IIS.
- Syntax rules. The Apache and Nginx servers do not have the same syntax rules on adding HTTP security headers to the web server's files.
If any web server responds with the information to let the world know what software the server is running and what programming language it is using to power the software, this information must be removed or changed.
The following table lists HTTP security headers each with proper configurations for demonstration purposes:
Next, let's look at the HTTP security headers that can be added to the different server types.
Server type: Nginx
The syntax for adding response headers begins with add-header, followed by an HTTP response header and value(s) and ends with always;. For example:
add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
All values are enclosed within two quotes.
Server type: Apache
The syntax begins with Header always set, followed by a response header type and value(s). The syntax doesn't end with a punctuation mark.
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Server type: Microsoft IIS
This Windows server's user interface takes a visual approach to configuring HTTP responses that are added to the responses from the web server.
A window of the IIS Manager starts with three panes. In the Connections pane on the left, go to the site to which you want to add custom HTTP headers. On the Home page, look for HTTP Response Headers, and then double-click it.
In the Actions pane, click Add... to display the Add Custom HTTP Response Header dialog box. The entries for the name and the value are empty.
Enter a custom header named X-XSS-Protection whose value is 1; mode=block and then click OK.
The custom header is added to the list in the Features View of the Home pane. To add more custom headers, click Add... and repeat the process.
If the value(s) need to be changed, click on a custom header in the Features View, and then choose Edit... in the Actions pane. This brings up the Edit Custom HTTP Response Header dialog box where you can edit the header name and value.
Alternatively, a system administrator with proper credentials can add, edit and remove the custom headers in the configuration file with a text editor or Visual Studio Code. It is easier to handle with the text editor than entering the appcmd.exe command in two long lines in the command prompt window.
These examples show different ways HTTP security headers can be added to a server. The type of server depends on the organization's size, security strategy, technical skills and budget. An organization must ensure it is not giving attackers an advantage by advertising the software on which its servers are running.
Learn how to analyze the flaws of Adobe's HTTP security headers
Find out the pros and cons of HTTP Strict Transport Security
Discover how an HTTP referrer header can help with web privacy