How to add HTTP security headers to various types of servers

Expert Judith Myerson outlines the different types of HTTP security headers and how to add them to different servers, including Apache, Ngnix and Microsoft IIS Manager.

Judith Myerson

There are two primary server types that many sites use to respond to HTTP security requests from a browser: Microsoft...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

Internet Information Services (IIS) Manager and Nginx. Let's look at some examples of adding HTTP security headers for each server type.

Some companies, such as Adobe, run their websites on Apache servers. The Apache server is an old timer; it has been around since 1996. The Nginx server emerged in 2004 as an Apache alternative. They differ in four primary areas:

Content type. Apache handles both static and dynamic content, while Nginx handles static content and passes dynamic requests to other software.
Module system. Apache's module system enables the organization to dynamically load or unload modules while the server is running. In Nginx, modules are not dynamically loadable; they must be selected and compiled in the core software.
Configuration files. With Nginx, there is no directory-level configuration file like Apache's .htaccess or IIS's web.config files. All configurations have to be done at the server level by an administrator, and WordPress cannot modify the configuration like it can with Apache or IIS.
Syntax rules. The Apache and Nginx servers do not have the same syntax rules on adding HTTP security headers to the web server's files.

With Microsoft IIS Manager 7 and beyond, the administrator can choose to edit the configuration files, run the syntax-based user interface, run appcmd.exe commands in a command-line window or write Windows Management Instrumentation (WMI) scripts on most content types. WMI scripts refer to the type of script performing the addition, like C#, ASP.NET, VB.NET, VBScript and JavaScript.

If any web server responds with the information to let the world know what software the server is running and what programming language it is using to power the software, this information must be removed or changed.

The following table lists HTTP security headers each with proper configurations for demonstration purposes:

Next, let's look at the HTTP security headers that can be added to the different server types.

Server type: Nginx

The syntax for adding response headers begins with add-header, followed by an HTTP response header and value(s) and ends with always;. For example:

add_header X-Xss-Protection "1; mode=block" always;

add_header X-Content-Type-Options "nosniff" always;

All values are enclosed within two quotes.

Server type: Apache

The syntax begins with Header always set, followed by a response header type and value(s). The syntax doesn't end with a punctuation mark.

Header always set X-Xss-Protection "1; mode=block"

Header always set X-Content-Type-Options "nosniff"

Server type: Microsoft IIS

This Windows server's user interface takes a visual approach to configuring HTTP responses that are added to the responses from the web server.

A window of the IIS Manager starts with three panes. In the Connections pane on the left, go to the site to which you want to add custom HTTP headers. On the Home page, look for HTTP Response Headers, and then double-click it.

In the Actions pane, click Add... to display the Add Custom HTTP Response Header dialog box. The entries for the name and the value are empty.

Enter a custom header named X-XSS-Protection whose value is 1; mode=block and then click OK.

The custom header is added to the list in the Features View of the Home pane. To add more custom headers, click Add... and repeat the process.

If the value(s) need to be changed, click on a custom header in the Features View, and then choose Edit... in the Actions pane. This brings up the Edit Custom HTTP Response Header dialog box where you can edit the header name and value.

Alternatively, a system administrator with proper credentials can add, edit and remove the custom headers in the configuration file with a text editor or Visual Studio Code. It is easier to handle with the text editor than entering the appcmd.exe command in two long lines in the command prompt window.

Conclusion

These examples show different ways HTTP security headers can be added to harden a server. The type of server depends on the organization's size, security strategy, technical skills and budget. An organization must ensure it is not giving attackers an advantage by advertising the software on which its servers are running.

Next Steps

Learn how to analyze the flaws of Adobe's HTTP security headers

Find out the pros and cons of HTTP Strict Transport Security

Migrate from HTTP to HTTPS for more security

This was last published in November 2017

Dig Deeper on Web browser security

Judith Myerson asks:

What has been your experience adding an HTTP security header to a server?

Join the Discussion