
Implementing HSTS, CSP, and X-Frame Secure Headers on Your VPS

johny899

I'm very careful about my VPS security, and I know you are too. So when friends ask me how to stop a simple attack on their website, I start talking about secure headers like HSTS, CSP and X-Frame-Options. All of these small settings do amazing things to secure your website. Words can't express how amazing it is.

Why Secure Headers Matter

I consider secure headers to be like a lock on my door. I trust my neighborhood and I live in a good neighborhood, but I still lock my house! Secure headers do the same for the sites on your VPS: they protect you even when everything seems fine.

Secure headers help you:
  • Force HTTPS for every visitor
  • Control what is allowed to load on your site
  • Prevent clickjacking attacks
And all it takes is a few lines in your server configuration.

HSTS: Always HTTPS for Your Site

I like using HSTS. This is valuable because it forces the browser to use HTTPS. It really doesn't matter if someone tries to redirect the browser to load the site over HTTP. The browser will just override the request with an HTTPS request.

The HSTS header looks like this:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Have you ever stopped to wonder how many attacks you are stopping by making sure HTTPS is used all the time? A lot!

CSP: Get Control of What Your Site Loads

Content Security Policy (CSP) acts as a security guard of sorts to check every single script, image, or file your site attempts to load. If content that is deemed unsafe attempts to load, it will be blocked by CSP.

A basic CSP directive is:

Content-Security-Policy: default-src 'self';

Which means: “Only load stuff from my own site.” Simple yet powerful.
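To make the "only load stuff from my own site" rule concrete, here is an added Python example (not part of the original post) that evaluates whether a given resource load satisfies a policy. It implements a simplified version of the CSP matching rules: 'self', 'none', '*' and host sources with an optional scheme and wildcard subdomain, with fetch directives falling back to default-src when they are absent. Scheme-only sources, path-restricted sources, nonces and hashes are not handled. The policy and the URLs are constructed for the example.

```python
"""Simplified CSP fetch-directive evaluator: does a resource load satisfy the policy?"""
from __future__ import annotations

from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are not set.
# frame-ancestors is deliberately absent: it never falls back to default-src.
FALLBACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "worker-src",
}

# Constructed example policy and page origin (not from a real deployment).
POLICY = "default-src 'self'; img-src 'self' https://cdn.example.com"
PAGE = "https://example.com/"


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy string into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _origin(url: str) -> tuple[str, str, int | None]:
    """Return (scheme, host, explicit port) of a URL; same tuple means same origin."""
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port)


def source_matches(source: str, resource: str, page: str) -> bool:
    """Match one source expression against the resource URL (simplified host-source rules)."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return _origin(resource) == _origin(page)
    if src == "*":
        return True
    if src.startswith("'"):  # 'unsafe-inline', nonces, hashes: not about URL loads
        return False
    # host-source: [scheme://]host[:port]; host may start with "*." for subdomains
    if "://" in src:
        scheme, _, rest = src.partition("://")
    else:
        scheme, rest = "", src
    host, _, port = rest.partition(":")
    r_scheme, r_host, r_port = _origin(resource)
    if scheme and scheme != r_scheme:
        return False
    if host.startswith("*."):
        if not r_host.endswith(host[1:]):
            return False
    elif host != r_host:
        return False
    if port:
        effective = r_port or {"https": 443, "http": 80}.get(r_scheme)
        if port != str(effective):
            return False
    return True


def is_allowed(policy: str, directive: str, resource: str, page: str) -> bool:
    """Decide whether loading `resource` under `directive` is allowed on `page`."""
    directives = parse_csp(policy)
    sources = directives.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = directives.get("default-src")
    if sources is None:
        return True  # no applicable directive: CSP does not restrict this load
    return any(source_matches(s, resource, page) for s in sources)


if __name__ == "__main__":
    checks = [
        ("script-src", "https://example.com/app.js"),
        ("script-src", "https://evil.example.net/x.js"),
        ("img-src", "https://cdn.example.com/logo.png"),
        ("img-src", "http://cdn.example.com/logo.png"),
        ("frame-ancestors", "https://attacker.example/"),
    ]
    for directive, url in checks:
        print(f"{directive:16} {url:40} allowed={is_allowed(POLICY, directive, url, PAGE)}")
```

The last check is the caveat worth remembering: frame-ancestors does not fall back to default-src, so a policy of just default-src 'self' does nothing to stop your page being framed. That is what the X-Frame-Options section below addresses.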

X-Frame-Options: Prevent Clickjacking

Clickjacking is when an attacker loads your site inside a hidden frame on their own page to trick your users into clicking things they never intended to click. It may sound silly, but it can have serious ramifications.

You can prevent this with a single line:

X-Frame-Options: DENY

Or, allow your site only on your own domain:

X-Frame-Options: SAMEORIGIN

I always add this header because it really addresses a big issue that takes almost no effort to implement.

How To Add These Headers on a VPS

If you are using Nginx, add these directives to your configuration:
  • add_header Strict-Transport-Security "max-age=63072000" always;
  • add_header Content-Security-Policy "default-src 'self'";
  • add_header X-Frame-Options "DENY";
Easy and clean.
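Once the directives are in place, the practical check is to look at what the server actually sends. The following added Python script (not from the original post, Nginx, or any existing tool) audits a captured response header block against the values discussed above: an HSTS max-age of at least 63072000 with includeSubDomains, a CSP that has a default-src and no 'unsafe-inline' among its script sources, and X-Frame-Options set to DENY or SAMEORIGIN. It also notes when a CSP lacks frame-ancestors, since browsers that support that directive prefer it over X-Frame-Options. Both response texts are constructed for the example; on a live server you would paste in the headers printed by curl -I.

```python
"""Audit a captured HTTP response for the three headers discussed in the post."""
from __future__ import annotations

import re

# Constructed sample responses (not a real server's output) for offline use.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Frame-Options: DENY
"""

MIN_HSTS_AGE = 63072000  # two years, the value used in the post


def parse_headers(raw: str) -> dict[str, str]:
    """Return {lowercased name: value} for a header block; the status line is skipped."""
    headers: dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw: str) -> list[str]:
    """Return a list of findings; an empty list means all three headers look right."""
    h = parse_headers(raw)
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: the browser will still accept plain HTTP")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age={age} is below {MIN_HSTS_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains: subdomains stay unprotected")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: any origin may supply scripts and other resources")
    else:
        # {directive: [sources]} using the same split as the browser: ';' then whitespace
        directives = {p.split()[0].lower(): p.split()[1:] for p in csp.split(";") if p.strip()}
        if "default-src" not in directives:
            findings.append("CSP has no default-src fallback")
        script = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script:
            findings.append("CSP allows inline scripts ('unsafe-inline'), which defeats its XSS protection")
        if "frame-ancestors" not in directives:
            findings.append("CSP lacks frame-ancestors; browsers that support it prefer it over X-Frame-Options")

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options is {xfo or 'missing'}; expected DENY or SAMEORIGIN")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit(raw)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run against the first sample it reports four findings (short max-age, no includeSubDomains, 'unsafe-inline' in script-src, no frame-ancestors); against the hardened one it reports nothing. Note that the Nginx line above sends only max-age, so if you want the includeSubDomains and preload behaviour from the HSTS section, the add_header value has to carry those tokens too.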

Why Adding These Headers Matters

I like these headers because:
  • They improve security very quickly
  • They work on any VPS
  • They won't slow down your site
Do you want a really fast way to improve security? This is the best place to start.