Raddy Website Design & Development Tutorials

Set HTTP Security Headers Apache WHM

By Raddy in Other ·

HTTP Security Headers are a set of HTTP headers that provide additional security for web servers, browsers, and internet service providers. They are used to protect against a variety of attacks, such as cross-site scripting and clickjacking.

Let’s start by learning how to scan a given website’s security headers.

How to scan for Security Headers

Navigate to Securityheaders.com and simply enter the website that you want to check. The scan will give you a full report of your security headers and also score. If your score is not good enough carry on reading this article.

Security Headers

Now let’s look into the different security headers and what they mean.


The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"


The HTTP Content-Security-Policy response header allows website administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (Cross-site_scripting).

For more information, see the introductory article on Content Security Policy (CSP).

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"


The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame><iframe><embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.

The added security is provided only if the user accessing the document is using a browser that supports X-Frame-Options.

Header set X-Frame-Options: DENY


Header set X-Frame-Options: SAMEORIGIN


The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured.

Header set X-Content-Type-Options nosniff


The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML.

How to Configure Security Headers Apache HMW

Step 1

Login with your admin HMW account.

Step 2

Use the search bar to look for “Apache Configuration”.

Step 3

Click on “Include Editor”.

Step 4

Under Pre Main Include, Click on the Select Menu and choose “All Versions”.

Copy and paste the Security Headers Code:

Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection 1;mode=block
Header set X-Content-Type-Options nosniff
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Referrer-Policy "same-origin"
Header always set Permissions-Policy: interest-cohort=()  

Step 5

Restart Apache

Your security headers should be updated and work on the entire server, covering all websites. Re-scan your website using Securityheaders.com.

Security Headers

Credit: MDN Web Docs

Thank you for reading this tutorial. Share it with friends and family.

Thank you for reading this article. Please consider subscribing to my YouTube Channel. It’s FREE!

More Resources:

  1. buachora says:

    your site have been block my anti-virus, im been trying to access your site more then 2month, you should have redirect your domain…. as i was missing you tutorials…. final i got your new domain

    1. Raddy says:

      Thanks for letting me know. I need to sort it out when I get the chance.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.