I'm very careful about my VPS security, and I know you are too. So when friends ask me how to stop a simple attack on their website, I start talking about secure headers like HSTS, CSP and X-Frame-Options. All of these small settings do amazing things to secure your website. Words can't express how amazing it is.
Why Secure Headers Matter
I consider secure headers to be like a lock on my door. I trust my neighborhood and I live in a good neighborhood, but I still lock my house! Secure headers do the same for your VPS: they protect you even when everything seems fine. Secure headers help you:
- Force HTTPS for every visitor
- Control what is allowed to load on your site
- Prevent clickjacking attacks
HSTS: Always HTTPS for Your Site
I like using HSTS. It is valuable because it forces the browser to use HTTPS. It doesn't matter if someone tries to redirect the browser to load the site over HTTP; the browser will simply upgrade the request to HTTPS. Note that a browser only enforces this after it has seen the header once over HTTPS, which is why the preload directive (and the browser preload list) exists. The HSTS header looks like this:
“Strict-Transport-Security: max-age=63072000; includeSubDomains; preload”
Have you ever stopped to wonder how many attacks you are stopping by making sure HTTPS is used all the time? A lot!
CSP: Get Control of What Your Site Loads
Content Security Policy (CSP) acts as a security guard of sorts, checking every single script, image, or file your site attempts to load. If content comes from a source the policy does not allow, CSP blocks it. A basic CSP directive is:
“Content-Security-Policy: default-src 'self';”
Which means: “Only load stuff from my own site.” Simple yet powerful.
X-Frame-Options: Prevent Clickjacking
Clickjacking is when an attacker loads your site inside a hidden frame on their own page to trick your users into clicking things they never intended to click. It may sound silly, but it can have serious ramifications. You can prevent this with a single line:
“X-Frame-Options: DENY”
Or, allow your site only on your own domain:
“X-Frame-Options: SAMEORIGIN”
I always add this header because it really addresses a big issue that takes almost no effort to implement.
How To Add These Headers on a VPS
If you are using Nginx, add these lines to your configuration:
- add_header Strict-Transport-Security "max-age=63072000" always;
- add_header Content-Security-Policy "default-src 'self'";
- add_header X-Frame-Options "DENY";
Easy and clean.
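As an added example (not code from the original post), here is a small Python audit that checks the three headers against the values recommended above; the GOOD and WEAK header dicts are constructed samples, and the one-year HSTS threshold is my assumption, taken from the HSTS preload requirement.

```python
import re
ONE_YEAR = 31536000                     # seconds; HSTS preload requires at least a year (assumption)
RISKY_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'"}   # sources that undo most of a CSP

def _get(headers, name):
    # HTTP header names are case-insensitive, so look the name up without regard to case.
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def check_hsts(value):
    if value is None:
        return ["HSTS header missing"]
    problems = []
    match = re.search(r"max-age=(\d+)", value, re.I)
    if not match or int(match.group(1)) < ONE_YEAR:
        problems.append("HSTS max-age missing or below one year")
    if "includesubdomains" not in value.lower():
        problems.append("HSTS lacks includeSubDomains")
    return problems

def check_csp(value):
    if value is None:
        return ["CSP header missing"]
    # Directives are ';'-separated; the first token is the name, the rest are sources.
    directives = {p.split()[0].lower(): p.split()[1:] for p in value.split(";") if p.split()}
    problems = []
    if "default-src" not in directives:
        problems.append("CSP has no default-src fallback")
    for name, sources in directives.items():
        problems += [f"CSP {name} allows {s}" for s in sources if s in RISKY_SOURCES]
    return problems

def check_xfo(value):
    # Only DENY and SAMEORIGIN are safe values for X-Frame-Options.
    ok = value is not None and value.strip().upper() in ("DENY", "SAMEORIGIN")
    return [] if ok else [f"X-Frame-Options missing or unsafe: {value!r}"]

def audit_headers(headers):
    """Map each header name to its problems; all lists empty means the response passes."""
    checks = {"Strict-Transport-Security": check_hsts, "Content-Security-Policy": check_csp,
              "X-Frame-Options": check_xfo}
    return {name: check(_get(headers, name)) for name, check in checks.items()}

# Constructed samples: the article's recommended values (GOOD) and a weaker configuration (WEAK).
GOOD = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self';",
        "X-Frame-Options": "DENY"}
WEAK = {"strict-transport-security": "max-age=300",
        "content-security-policy": "script-src 'self' 'unsafe-inline'"}
```

Run it against a live response by passing the header mapping from any HTTP client, and audit an error page as well as the home page: Nginx's add_header without the always parameter is applied only to 2xx and 3xx responses.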
Why Adding These Headers Matters
I like these headers because:
- They improve security very fast
- They work on any VPS
- They won't slow down your site