How to Configure Security Response Headers in cPanel

Enhance your website security by implementing security response headers that protect against common web vulnerabilities and attacks.

What are Security Response Headers?

Security response headers are browser directives sent from the server to enhance website security. They help prevent attacks, protect user data, and control how web content behaves.

These headers defend against threats like:
• Clickjacking attacks
• Cross-site scripting (XSS)
• Cookie theft and hijacking
• MIME-type spoofing
• Protocol downgrade attacks
• Data leakage through referrers

Common Security Headers Explained

Content-Security-Policy (CSP):
Blocks XSS, clickjacking, and code injection by controlling what content can load on your website.

Strict-Transport-Security (HSTS):
Forces browsers to use HTTPS, preventing downgrade and cookie hijacking attacks.

X-Content-Type-Options:
Prevents MIME-type sniffing by enforcing declared content types.

X-Frame-Options:
Blocks clickjacking by preventing your site from being framed by other websites.

X-XSS-Protection:
Activates built-in browser filters against XSS attacks (for older browsers).

Referrer-Policy:
Controls how much referrer data is sent to other sites, improving user privacy.

Permissions-Policy (formerly Feature-Policy):
Restricts use of browser features like camera, microphone, and geolocation.

Access-Control-Allow-Origin (CORS):
Defines which domains can access your site's resources across origins.

How to Add Security Headers via .htaccess in cPanel

Step 1: Log in to cPanel
Go to your cPanel login page and log in with your hosting credentials.

Step 2: Open File Manager
Under the Files section, click on "File Manager".

Step 3: Navigate to Your Website's Root Folder
• For your primary domain, go to the public_html directory
• For addon domains, go to the relevant subfolder

Step 4: Locate the .htaccess File
• If you don't see it, click "Settings" (top-right) and enable "Show Hidden Files (dotfiles)"
• If the file doesn't exist, click "+ File" to create one named ".htaccess"

Step 5: Edit the .htaccess File
1. Right-click on .htaccess and select "Edit"
2. Click "Edit" again if a pop-up appears
3. The file editor will open

Security Headers Configuration

Step 6: Add the Security Headers
Paste the following code at the top or bottom of your .htaccess file:

# Security Headers
<IfModule mod_headers.c>
Header set Content-Security-Policy "upgrade-insecure-requests"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set Referrer-Policy "strict-origin-when-cross-origin"
# Permissions-Policy allowlists are written in parentheses
Header set Permissions-Policy "geolocation=(self)"
</IfModule>

Step 7: Save Changes
1. Click "Save Changes" in the editor
2. Close the editor tab
3. Your security headers are now active

Advanced Security Headers Configuration

Enhanced Content Security Policy:
For more comprehensive protection, use a detailed CSP:

# Enhanced CSP Header
# 'unsafe-inline' and 'unsafe-eval' in script-src still let inline and eval'd scripts run,
# which weakens the XSS protection; replace them with nonces or hashes once you know
# which inline scripts your site actually needs
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https:; connect-src 'self'; media-src 'self'; object-src 'none'; child-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';"

Cookie Security Headers:
Add cookie protection flags:

# Cookie Security
# Secure cookies are only sent over HTTPS; SameSite=Strict drops the cookie on
# cross-site navigations (e.g. returning from a payment provider), so Lax may fit better
Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure; SameSite=Strict"

Additional Security Headers:

# Additional Security Headers
Header set X-Permitted-Cross-Domain-Policies "none"
# require-corp blocks every cross-origin resource that does not send CORS or
# Cross-Origin-Resource-Policy headers, so test third-party embeds before enabling it
Header set Cross-Origin-Embedder-Policy "require-corp"
Header set Cross-Origin-Opener-Policy "same-origin"
Header set Cross-Origin-Resource-Policy "same-origin"

Testing Your Security Headers

Step 8: Test Your Site
1. Visit your website to confirm everything loads correctly
2. Check for any broken functionality
3. Test all interactive elements

Verify Headers are Active:
Use our header testing tool at: https://123media.co.za/hsts/
This will verify that your security headers are properly configured and active.

Alternative Testing Methods:
• Use browser developer tools (F12 > Network tab)
• Online tools like securityheaders.com
• Command line: curl -I https://yourdomain.com (use the HTTPS URL; browsers ignore HSTS received over plain HTTP)
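An added example, not code from the article or its hosting provider, that automates the curl check above and the 'unsafe-inline' caveat from the Enhanced CSP section: it parses a saved `curl -I https://yourdomain.com` response and reports which of this guide's headers are missing or weakly configured. The sample response is constructed.

```python
import re
# Headers this guide configures (lowercase, as curl prints them).
REQUIRED = ["content-security-policy", "strict-transport-security",
            "x-content-type-options", "x-frame-options",
            "referrer-policy", "permissions-policy"]

def parse_headers(raw: str) -> dict:
    """Turn a 'curl -I' response into {lowercase-name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:  # first line is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_csp(policy: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def audit(raw: str) -> list:
    """Return findings for a raw response; an empty list means all checks pass."""
    h = parse_headers(raw)
    findings = [f"missing: {name}" for name in REQUIRED if name not in h]
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if m and int(m.group(1)) < 31536000:  # one year, as in the guide's basic block
        findings.append("weak: HSTS max-age below one year")
    csp = parse_csp(h.get("content-security-policy", ""))
    # script-src falls back to default-src when it is not set explicitly.
    script_src = csp.get("script-src", csp.get("default-src", []))
    for unsafe in ("'unsafe-inline'", "'unsafe-eval'"):
        if unsafe in script_src:
            findings.append(f"weak: CSP script-src allows {unsafe}")
    if csp and "object-src" not in csp and "default-src" not in csp:
        findings.append("weak: CSP sets neither object-src nor default-src")
    return findings

# Constructed sample response from a site that applied only part of the guide.
SAMPLE = """HTTP/2 200
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
strict-transport-security: max-age=300; includeSubDomains
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
"""
```

Run `audit(SAMPLE)` to see the three findings for the sample (missing Permissions-Policy, short HSTS max-age, 'unsafe-inline' in script-src); feed it the output of the curl command to audit your own site.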

Security Headers Best Practices

  • Start Simple: Begin with basic headers, then add more advanced ones
  • Test Thoroughly: Verify all website functionality after adding headers
  • Monitor Logs: Check for CSP violations in browser console
  • Regular Updates: Review and update headers as your site evolves
  • Back Up First: Always back up .htaccess before making changes

Troubleshooting Common Issues

Website Not Loading:
• Check .htaccess syntax for errors
• Remove headers one by one to identify the problem
• Ensure proper spacing and quotation marks

Content Blocked by CSP:
• Review browser console for CSP violation reports
• Adjust CSP directives to allow necessary resources
• Use 'unsafe-inline' temporarily for testing (not recommended for production)

Mixed Content Warnings:
• Ensure all resources load over HTTPS
• Update internal links to use HTTPS
• Check third-party integrations for HTTPS support

Header-Specific Configuration

Customizing HSTS:

# HSTS with preload (advanced)
# "always" also sends the header on redirects and error responses, which the preload
# list requires; only submit to hstspreload.org once every subdomain is served over HTTPS
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

Flexible Frame Options:

# Allow framing from specific domains (X-Frame-Options ALLOW-FROM is obsolete and
# ignored by current browsers; add frame-ancestors to your existing CSP instead)
Header set Content-Security-Policy "frame-ancestors 'self' https://trusted-domain.com"

Granular Permissions Policy:

# Detailed permissions control (an empty list denies the feature to every origin)
Header set Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=()"

Security Headers for Different Scenarios

E-commerce Sites:

# E-commerce Security Headers
# Stripe Elements render in iframes from js.stripe.com, so frame-src is needed too;
# check each provider's published CSP requirements for any further hosts
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://js.stripe.com https://checkout.paypal.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https://api.stripe.com; frame-src https://js.stripe.com;"
Header set Referrer-Policy "strict-origin-when-cross-origin"
# payment=() disables the browser Payment Request API (Apple Pay / Google Pay buttons)
# for every origin, including your own; use payment=(self) if your checkout relies on it
Header set Permissions-Policy "payment=()"

WordPress Sites:

# WordPress-Optimized Headers
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:;"

Monitoring and Maintenance

Regular Security Audits:
• Test headers monthly using security scanning tools
• Review CSP violation reports
• Update headers when adding new third-party services
• Monitor for new security header standards

Performance Considerations:
• Headers add minimal overhead
• CSP can improve performance by blocking unwanted resources
• HSTS reduces redirect overhead for HTTPS

Getting Help with Security Headers

Our support team can assist with:
• Custom security header configurations
• Troubleshooting header-related issues
• Security audits and recommendations
• Advanced CSP policy development
• Performance optimization with security headers

Contact our support team for expert assistance with implementing and optimizing security headers for your specific website requirements.

Security Benefits

  • XSS Protection: Prevents malicious script injection
  • Clickjacking Prevention: Stops iframe-based attacks
  • HTTPS Enforcement: Ensures secure connections
  • Data Privacy: Controls information leakage
  • Browser Security: Leverages built-in browser protections
  • Compliance: Helps meet security standards and regulations
