
How to add HTTP security headers to various types of servers

Expert Judith Myerson outlines the different types of HTTP security headers and how to add them to different servers, including Apache, Nginx and Microsoft IIS Manager.

There are two primary server types that many sites use to respond to HTTP requests from a browser: Microsoft Internet Information Services (IIS) Manager and Nginx. Let's look at some examples of adding HTTP security headers for each server type.

Some companies, such as Adobe, run their websites on Apache servers. The Apache server is an old-timer; it has been around since 1996. The Nginx server emerged in 2004 as an Apache alternative. They differ in four primary areas:

  • Content type. Apache handles both static and dynamic content, while Nginx handles static content and passes dynamic requests to other software.
  • Module system. Apache's module system enables the organization to dynamically load or unload modules while the server is running. In Nginx, modules are not dynamically loadable; they must be selected and compiled in the core software.
  • Configuration files. With Nginx, there is no directory-level configuration file like Apache's .htaccess or IIS's web.config files. All configurations have to be done at the server level by an administrator, and WordPress cannot modify the configuration like it can with Apache or IIS.
  • Syntax rules. The Apache and Nginx servers do not have the same syntax rules on adding HTTP security headers to the web server's files.

With Microsoft IIS Manager 7 and later, the administrator can choose to edit the configuration files, use the IIS Manager user interface, run appcmd.exe commands in a command-line window or write Windows Management Instrumentation (WMI) scripts for most content types. Here, WMI scripts means scripts in whichever language performs the addition, such as C#, ASP.NET, VB.NET, VBScript and JavaScript.

If a web server's responses reveal what software the server is running and what programming language powers that software, this information must be removed or changed.

The following table lists HTTP security headers, each with a proper configuration for demonstration purposes:

[Table image: HTTP security header types]
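As an added example (not part of the original article), the following Python script parses the head of a captured HTTP response and reports which security headers are missing or carry a weak value, and which headers advertise the server software that the paragraph above says must be removed or changed. The two X-* checks use the article's own values; the other expected headers, the two sample responses and the rule that a Server header is only flagged when it carries a version number are assumptions made for this demonstration, not the article's table.

```python
import re
from typing import Callable, Dict, List

# Expected security headers, each with a predicate judging whether the value is acceptable.
# The two X-* entries mirror the article's examples; the rest are an assumed, commonly
# recommended baseline rather than the article's own table.
EXPECTED: Dict[str, Callable[[str], bool]] = {
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-xss-protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "strict-transport-security": lambda v: re.search(r"max-age=\d+", v.lower()) is not None,
    "content-security-policy": lambda v: bool(v.strip()),
    "referrer-policy": lambda v: bool(v.strip()),
}

# Headers that always advertise the software stack. The Server header is handled
# separately: it is flagged only when it carries a version number (e.g. "Apache/2.4.29"),
# an assumed threshold, since a bare product name discloses far less.
DISCLOSING = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the head of a raw HTTP/1.x response into a dict keyed by lowercase name.

    Duplicate headers are joined with ", " so a check never silently sees only
    the first copy of a header that appears twice.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: missing status line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Report expected headers that are missing or weak, and headers that disclose software."""
    report: Dict[str, List[str]] = {"missing": [], "weak": [], "disclosing": []}
    for name, acceptable in EXPECTED.items():
        if name not in headers:
            report["missing"].append(name)
        elif not acceptable(headers[name]):
            report["weak"].append(name)
    for name in DISCLOSING:
        if name in headers:
            report["disclosing"].append(name)
    if re.search(r"\d", headers.get("server", "")):
        report["disclosing"].append("server")
    return report


# Constructed sample responses for the demonstration (not captured from any real site).
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.10\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(parse_response_headers(raw)))
```

Run against the leaky sample, the audit lists four missing headers, flags X-XSS-Protection as weak and reports both X-Powered-By and the versioned Server header; the hardened sample produces an empty report. To audit a live server, feed the script the raw response head captured with any HTTP client rather than the constructed strings.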

Next, let's look at the HTTP security headers that can be added to the different server types.

Server type: Nginx

The syntax for adding response headers begins with add_header, followed by an HTTP response header and its value(s), and ends with always;. For example:

add_header X-Xss-Protection "1; mode=block" always;

add_header X-Content-Type-Options "nosniff" always;

Each value is enclosed in double quotes.

Server type: Apache

The syntax begins with Header always set, followed by a response header type and its value(s). The directive does not end with a semicolon or other punctuation mark.

Header always set X-Xss-Protection "1; mode=block"

Header always set X-Content-Type-Options "nosniff"

Server type: Microsoft IIS

This Windows server's user interface takes a visual approach to configuring the HTTP response headers that the web server adds to its responses.

The IIS Manager window has three panes. In the Connections pane on the left, select the site to which you want to add custom HTTP headers. On its Home page, find HTTP Response Headers and double-click it.

[Screenshot: HTTP response headers]

In the Actions pane, click Add... to display the Add Custom HTTP Response Header dialog box. The entries for the name and the value are empty.

[Screenshot: Add custom HTTP response headers]

Enter a custom header named X-XSS-Protection whose value is 1; mode=block and then click OK. 

[Screenshot: Custom header X-XSS-Protection]

The custom header is added to the list in the Features View of the Home pane. To add more custom headers, click Add... and repeat the process.

If the value(s) need to be changed, click on a custom header in the Features View, and then choose Edit... in the Actions pane. This brings up the Edit Custom HTTP Response Header dialog box where you can edit the header name and value.

Alternatively, a system administrator with the proper credentials can add, edit and remove the custom headers in the configuration file with a text editor or Visual Studio Code. This is easier than entering the appcmd.exe command, which runs to two long lines, in the command prompt window.
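Because the three servers use different syntax for the same header (the Nginx and Apache rules above, and the configuration-file and appcmd.exe routes just mentioned for IIS), the following Python script, added here as an example and not taken from the article or from any vendor, renders one header set in each server's form and refuses names and values that would break the quoting or split a header. The header set beyond the article's two X-* examples, the site name "Default Web Site" and the helper functions are assumptions for this demonstration; the web.config layout and the appcmd.exe command form follow Microsoft's documentation for the customHeaders collection.

```python
import re
from typing import Dict
from xml.sax.saxutils import quoteattr

# Constructed header set for the demonstration; the first two entries are the
# article's own examples, the other two are an assumed addition.
HEADERS: Dict[str, str] = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

# HTTP header names are tokens: no whitespace, quotes or control characters.
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")


def _validate(name: str, value: str) -> None:
    """Reject names that are not HTTP tokens and values that would break out of the
    quoting used below; CR/LF would additionally split the emitted header."""
    if not _TOKEN.fullmatch(name):
        raise ValueError(f"invalid header name: {name!r}")
    if any(ch in value for ch in "\r\n\"'"):
        raise ValueError(f"unsafe header value for {name}: {value!r}")


def is_safe_header(name: str, value: str) -> bool:
    """True when the pair passes _validate; usable as a pre-check before rendering."""
    try:
        _validate(name, value)
        return True
    except ValueError:
        return False


def render_nginx(headers: Dict[str, str]) -> str:
    """Nginx: add_header <name> "<value>" always;  (one directive per line)."""
    lines = []
    for name, value in headers.items():
        _validate(name, value)
        lines.append(f'add_header {name} "{value}" always;')
    return "\n".join(lines)


def render_apache(headers: Dict[str, str]) -> str:
    """Apache (mod_headers): Header always set <name> "<value>", no trailing semicolon."""
    lines = []
    for name, value in headers.items():
        _validate(name, value)
        lines.append(f'Header always set {name} "{value}"')
    return "\n".join(lines)


def render_iis_webconfig(headers: Dict[str, str]) -> str:
    """IIS 7+: the customHeaders collection in web.config; quoteattr() XML-escapes values."""
    lines = ["<configuration>", "  <system.webServer>", "    <httpProtocol>", "      <customHeaders>"]
    for name, value in headers.items():
        _validate(name, value)
        lines.append(f"        <add name={quoteattr(name)} value={quoteattr(value)} />")
    lines += ["      </customHeaders>", "    </httpProtocol>", "  </system.webServer>", "</configuration>"]
    return "\n".join(lines)


def render_iis_appcmd(headers: Dict[str, str], site: str = "Default Web Site") -> str:
    """IIS 7+: one appcmd.exe invocation per header in the form Microsoft documents for
    the customHeaders collection. The site name is a placeholder assumption."""
    lines = []
    for name, value in headers.items():
        _validate(name, value)
        lines.append(
            f'%windir%\\system32\\inetsrv\\appcmd.exe set config "{site}" '
            "/section:system.webServer/httpProtocol "
            f"/+\"customHeaders.[name='{name}',value='{value}']\""
        )
    return "\n".join(lines)


if __name__ == "__main__":
    for title, render in (("# Nginx", render_nginx), ("# Apache", render_apache),
                          ("<!-- IIS web.config -->", render_iis_webconfig),
                          ("REM IIS appcmd.exe", render_iis_appcmd)):
        print(title)
        print(render(HEADERS))
        print()
```

Three practitioner caveats apply when the rendered output is pasted into a real configuration. In Nginx, add_header directives in a location block replace the ones inherited from the server block, so the full set must be repeated wherever any add_header appears. In Apache, the Header directive only works when mod_headers is loaded. In IIS, adding a header name that is already defined at a higher configuration level fails with a duplicate-entry error, so the inherited entry has to be removed first.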

Conclusion

These examples show different ways HTTP security headers can be added to a server. The type of server depends on the organization's size, security strategy, technical skills and budget. An organization must ensure it is not giving attackers an advantage by advertising the software on which its servers are running. 

Next Steps

Learn how to analyze the flaws of Adobe's HTTP security headers

Find out the pros and cons of HTTP Strict Transport Security

Discover how an HTTP referrer header can help with web privacy

This was last published in November 2017
