If you’ve been following tech news recently, you might’ve seen people pointing out the poor security setup on the waste.gov website. It got a lot of laughs online, but underneath the jokes is a real issue. Security isn’t something you should overlook or deal with later. If you’re running a website or any online service, it’s something you need to take seriously from the beginning.
This got me thinking: we often switch hosting providers, migrate servers, or make infrastructure changes without revisiting our security settings. When was the last time I double-checked my own website for security best practices? So, I took the opportunity to audit and improve my security headers to make sure I’m following current best practices and doing what I can to protect my sites and users.
How to Test Your Security Headers
Before diving into any fixes, it’s a good idea to first understand where your website currently stands. One handy tool for this is SecurityHeaders.com. It gives you a quick overview of your site’s HTTP response headers and points out any missing or misconfigured security settings.
Pro Tip: If SecurityHeaders.com shows red or orange results, go grab a coffee—it might take a little while to fix everything! ☕
For a deeper analysis, tools like Mozilla Observatory and Qualys SSL Labs can provide additional insights into security configurations.
Steps I Took to Improve My Security Headers
1. Enabling HSTS via Cloudflare
One of the most important headers for web security is Strict-Transport-Security (HSTS). It ensures that all connections to your website use HTTPS, helping to prevent protocol downgrade attacks and cookie hijacking. According to OWASP, HSTS is a critical component of modern web security.
Since I use Cloudflare as my CDN, enabling HSTS was straightforward:
- Navigate to SSL/TLS → Edge Certificates in Cloudflare.
- Scroll down to HTTP Strict Transport Security (HSTS) and enable it.
- Configure the max-age directive to enforce long-term HTTPS use.
2. Defining Custom Response Header Transform Rules (Cloudflare and Non-Cloudflare Users)
Cloudflare also allows you to define custom response headers. If you’re not using Cloudflare, you can still apply these headers at the server level using .htaccess (Apache), nginx.conf (Nginx), or within your application settings.
Content Security Policy (CSP)
Prevents loading of unauthorized scripts, fonts, or other resources, reducing XSS risks (Google Security Blog).
Copied!Content-Security-Policy: default-src 'self'; script-src 'self' nonce-<randomly-generated>'; style-src 'self'
Note: Nonces should be securely generated and unique for each request. The same value must appear in both the CSP header and any inline <script> tags you want to allow.
X-Frame-Options
Prevents clickjacking attacks by restricting iframe embedding (MDN Docs).
Copied!X-Frame-Options: DENY
X-Content-Type-Options
Stops browsers from MIME-sniffing files, forcing them to adhere to declared content types (OWASP Reference).
Copied!X-Content-Type-Options: nosniff
Referrer-Policy
Controls how much referrer information is sent with requests (Google Developers Guide).
Copied!Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy
Limits the use of browser features such as geolocation, camera, and microphone (W3C Spec).
Copied!Permissions-Policy: geolocation=(), microphone=(), camera=()
Applying Headers on Apache (.htaccess)
For Apache users, you can set these headers in your .htaccess file: (Ensure mod_headers is enabled in your Apache configuration.)
Copied!<IfModule mod_headers.c> Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-<randomly-generated>'; style-src 'self'" Header always set X-Frame-Options "DENY" Header always set X-Content-Type-Options "nosniff" Header always set Referrer-Policy "no-referrer-when-downgrade" Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()" </IfModule>
Applying Headers on Nginx (nginx.conf)
For Nginx users, add the following lines inside your server block:
Copied!add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-<randomly-generated>'; style-src 'self'" always; add_header X-Frame-Options "DENY" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
3. Validating Changes
After implementing these changes, I re-tested my sites using SecurityHeaders.com and confirmed they now comply with recommended best practices. For a comprehensive security audit, I also used Mozilla Observatory and SSL Labs to ensure proper SSL/TLS configurations and header security.
Final Thoughts
If you run a website, no matter how big or small, security should always be a priority. The waste.gov incident was a reminder that even government-run websites can overlook fundamental security practices. Taking a few minutes to review and enforce security headers can make a big difference in protecting your users and your site.
Have you reviewed your security headers recently? If not, now’s a great time to start. Let me know in the comments if you found this guide helpful, or if you have any security tips of your own to share!
Leave a Reply