openec2 Article Description

Various internet articles recommend adding security headers to all websites.
Below are configurations that appear to work with Nginx and Apache 2.4.x.
It is important to test every part of a website afterwards, as these headers can break some functions.
Always test, for example, your contact form.

I noticed that cloning a page or post will make the clone, but then immediately show the home page.
This can be avoided by temporarily commenting out the security headers while developing new content.

References:

https://securityheaders.com
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
https://content-security-policy.com/examples/nginx/
https://www.invicti.com/blog/web-security/content-security-policy/
https://www.studytonight.com/apache-guide/add-http-security-headers-in-apache-web-server
https://forum.level1techs.com/t/infrastructure-series-http-s-security-headers-you-should-use-them-nginx/171235

These are a bit of a mix, but seem to have a lot in common.

vi /etc/nginx/nginx.conf
[add the directives inside the http { } or server { } block; add_header is not valid at the top level]

add_header X-Xss-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin";
add_header Permissions-Policy "autoplay=(), encrypted-media=(), fullscreen=(), geolocation=(), microphone=(), midi=()";
add_header Clear-Site-Data "*";

[save and exit]

You should probably already have: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
If not, add it as well.

systemctl restart nginx

Test your website's functions and formatting


https://securityheaders.com
[Enter your website domain and see what rating you have - probably a D or F]

[Enable the mod_headers module, located at /usr/lib/apache2/modules/mod_headers.so]

cd /etc/apache2/mods-enabled
ln -s ../mods-available/headers.load headers.load


cd /var/www/html
vi .htaccess


Header unset X-Powered-By
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin"
Header always set Content-Security-Policy "object-src 'none'; base-uri 'none'; frame-ancestors 'self'; form-action 'self';"
Header always set Permissions-Policy "autoplay=(), encrypted-media=(), fullscreen=(), geolocation=(), microphone=(), midi=()"
Header always set Clear-Site-Data "*"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"


[save and exit]

systemctl restart apache2

[Now check your website is working]

https://securityheaders.com
[Enter your website, now probably an A+ rating]
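Both the Nginx and the Apache steps above end with "test your website". Besides the securityheaders.com rating, the following added example (example code, not from this article or any of the linked sites) audits a response header block offline: it parses the output of curl -sI, reports which of the recommended headers are missing, which are present but with a weak value (for instance an HSTS max-age shorter than the one year used above, or a CSP without object-src 'none'), and flags side effects. The one side effect it flags is Clear-Site-Data "*", which instructs the browser to clear cookies, cache and storage on every response, so logged-in sessions do not survive it. The two sample responses, the server banner and the hostnames are constructed for the example; the thresholds are the values used on this page.

```python
import sys

# One year in seconds: the max-age value the article's HSTS lines use.
HSTS_MIN_MAX_AGE = 31536000


def parse_headers(raw):
    """Turn a raw response header block (as printed by `curl -sI`) into a dict
    keyed by lowercase header name. Duplicate names keep the last value."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue  # skip the status line and blank lines
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def hsts_ok(value):
    """HSTS must cover at least a year and include subdomains, as on the page."""
    parts = [p.strip().lower() for p in value.split(";")]
    max_age = 0
    for part in parts:
        if part.startswith("max-age="):
            try:
                max_age = int(part.split("=", 1)[1])
            except ValueError:
                return False
    return max_age >= HSTS_MIN_MAX_AGE and "includesubdomains" in parts


def csp_ok(value):
    """Accept a CSP that at least matches the article's Apache policy: no plugin
    content, no <base> hijacking, and framing restricted to the site itself."""
    directives = {}
    for directive in value.split(";"):
        directive = directive.strip()
        if directive:
            name, _, rest = directive.partition(" ")
            directives[name.lower()] = rest.strip()
    return (directives.get("object-src") == "'none'"
            and directives.get("base-uri") == "'none'"
            and directives.get("frame-ancestors") in ("'self'", "'none'"))


# Header name -> predicate on its value. X-XSS-Protection is deliberately not
# scored: current browsers ignore it, so its presence proves nothing.
CHECKS = {
    "strict-transport-security": hsts_ok,
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in ("SAMEORIGIN", "DENY"),
    "referrer-policy": lambda v: v.lower() in (
        "strict-origin", "strict-origin-when-cross-origin", "no-referrer"),
    "content-security-policy": csp_ok,
    "permissions-policy": lambda v: bool(v.strip()),
}


def audit(raw):
    """Return (missing, weak, warnings): recommended headers that are absent,
    those present with a value that fails its check, and side-effect warnings."""
    headers = parse_headers(raw)
    missing = [name for name in CHECKS if name not in headers]
    weak = [name for name, ok in CHECKS.items()
            if name in headers and not ok(headers[name])]
    warnings = []
    if "x-powered-by" in headers:
        warnings.append("x-powered-by leaks the backend version; unset it")
    # The spec writes Clear-Site-Data directives as quoted strings ("*"); the
    # page's nginx/Apache lines send a bare *, so accept both spellings.
    csd = headers.get("clear-site-data", "").replace('"', "").strip()
    if csd == "*" or "cookies" in csd or "storage" in csd:
        warnings.append("clear-site-data wipes cookies and storage on every "
                        "response: logged-in sessions will not survive")
    return missing, weak, warnings


# Constructed sample responses (not captured from a real site): a bare default
# install, and the same server after the article's Apache .htaccess block.
SAMPLE_BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.4
X-Powered-By: PHP/8.1
Content-Type: text/html; charset=UTF-8
"""

SAMPLE_AFTER = """HTTP/1.1 200 OK
Server: Apache/2.4
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin
Content-Security-Policy: object-src 'none'; base-uri 'none'; frame-ancestors 'self'; form-action 'self';
Permissions-Policy: autoplay=(), encrypted-media=(), fullscreen=(), geolocation=(), microphone=(), midi=()
Clear-Site-Data: *
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
"""


def report(raw):
    """Print a readable audit; True when nothing is missing or weak."""
    missing, weak, warnings = audit(raw)
    for name in missing:
        print("MISSING  " + name)
    for name in weak:
        print("WEAK     " + name)
    for text in warnings:
        print("WARNING  " + text)
    return not missing and not weak


if __name__ == "__main__":
    # Usage: curl -sI https://your.site | python3 audit_headers.py
    # With nothing piped in, the two constructed samples are audited instead.
    if not sys.stdin.isatty():
        report(sys.stdin.read())
    else:
        for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
            print("== " + label)
            report(sample)
```

Run it against the live site with curl -sI https://your.site | python3 audit_headers.py after each restart (nginx -t or apachectl configtest beforehand catches syntax errors before the service goes down). The "after" sample passes every check but still raises the Clear-Site-Data warning, which is worth keeping in mind when a page that should stay logged in instead lands on the home page.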