
Fixing HTTP Security Header Not Detected

Discussion in 'Linux Security' started by Rob, Jun 16, 2017.

    Rob (Administrator, Staff Member)
    You may have received a vulnerability report/scan stating that you need to fix 'HTTP Security Header Not Detected' on some web servers.

    We'll mitigate three different things: X-Frame-Options, X-XSS-Protection and X-Content-Type-Options.

    First, run curl to test your server:
    Code:
    curl -I https://www.linux.org
    You'll see something like:
    Code:
    HTTP/1.1 200 OK
    Date: Fri, 16 Jun 2017 18:55:07 GMT
    Server: Apache
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Last-Modified: Fri, 16 Jun 2017 18:55:07 GMT
    Content-Length: 109622
    Content-Type: text/html; charset=UTF-8
    
    The output there is not showing any of the HTTP Security Header strings.

    Now, let's fix it...

    Apache:
    add the following to httpd.conf (or apache2.conf) and restart
    Code:
    # requires mod_headers (a2enmod headers on Debian/Ubuntu)
    # 'set' replaces any existing value; 'append' would join values with a comma
    Header always set X-Frame-Options SAMEORIGIN
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options nosniff
    
    nginx:
    Add the following to your nginx.conf
    Code:
    # add_header is only inherited by a server/location block that has
    # no add_header directives of its own; repeat these there if needed
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    Once the code is added, restart Apache/nginx and test with curl:
    Code:
    curl -I https://www.linux.org
    You'll see something like this:
    Code:
    HTTP/1.1 200 OK
    Date: Fri, 16 Jun 2017 18:55:07 GMT
    Server: Apache
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    X-Frame-Options: SAMEORIGIN
    Last-Modified: Fri, 16 Jun 2017 18:55:07 GMT
    Content-Length: 109622
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Content-Type: text/html; charset=UTF-8
    
    Now, you can sleep soundly!
     
    #1 Rob, Jun 16, 2017
    Last edited: Jul 25, 2017
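As an added example, not part of Rob's post or the Linux.org site: a small Python checker that parses `curl -I` output the way the post inspects it by eye and reports, for each of the three headers, whether it is missing, set to an expected value, duplicated (what `Header append` on an already-set header produces, a comma-joined value browsers reject for X-Frame-Options) or set to something unexpected. The sample responses are constructed from the headers shown above; the `EXPECTED` table and the function names are this example's own. Note that current browsers ignore X-XSS-Protection, so scanners may still ask for it but it no longer provides protection.

```python
import re
import subprocess
import sys
from typing import Dict, List

# Constructed sample responses, modelled on the curl output quoted in the post.
BEFORE = """HTTP/1.1 200 OK
Date: Fri, 16 Jun 2017 18:55:07 GMT
Server: Apache
Content-Length: 109622
Content-Type: text/html; charset=UTF-8
"""

AFTER = """HTTP/1.1 200 OK
Date: Fri, 16 Jun 2017 18:55:07 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Length: 109622
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
"""

# What 'Header append' yields when the header was already set elsewhere.
DOUBLED = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN, SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
"""

# Accepted values (compared case-insensitively, whitespace removed).
EXPECTED = {
    "x-frame-options": {"deny", "sameorigin"},
    "x-xss-protection": {"1;mode=block"},
    "x-content-type-options": {"nosniff"},
}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse raw response headers into {lowercased-name: [values...]}.

    The status line is skipped and parsing stops at the first blank line,
    so a body accidentally captured after the headers is ignored.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw: str) -> Dict[str, str]:
    """Return a status string per security header: ok / missing / duplicated / unexpected."""
    headers = parse_headers(raw)
    result: Dict[str, str] = {}
    for name, allowed in EXPECTED.items():
        values = headers.get(name, [])
        if not values:
            result[name] = "missing"
        elif len(values) > 1:
            # Header emitted on several lines (e.g. set by both a global and a vhost config).
            result[name] = "duplicated: " + " | ".join(values)
        elif "," in values[0]:
            # Comma-joined value: browsers treat X-Frame-Options like this as invalid.
            result[name] = "duplicated: " + values[0]
        elif re.sub(r"\s+", "", values[0]).lower() in allowed:
            result[name] = "ok"
        else:
            result[name] = "unexpected value: " + values[0]
    return result


def missing_headers(raw: str) -> List[str]:
    """Names of the headers a scanner would flag as 'not detected'."""
    return [name for name, status in audit(raw).items() if status == "missing"]


if __name__ == "__main__":
    # Usage: python check_headers.py https://www.example.com  (fetches headers with curl -sI)
    if len(sys.argv) == 2:
        out = subprocess.run(["curl", "-sI", sys.argv[1]], capture_output=True, text=True, check=True)
        raw = out.stdout
    else:
        raw = BEFORE
    for name, status in audit(raw).items():
        print(f"{name}: {status}")
```

Run it without arguments to audit the constructed "before" response, or pass a URL to audit live `curl -sI` output; a clean result is `ok` on all three lines and an empty `missing_headers()` list.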
