🔒 HTTP Security Headers

Set all security headers at once

Complete security-header configuration for Apache and Nginx: just copy and paste.
Risk: Missing security headers enable several classes of attack: XSS, clickjacking, MIME sniffing, and protocol downgrade attacks.

Apache: All headers (.htaccess)

Add these lines to the .htaccess file or the VHost config:

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    # Legacy header; most current browsers ignore it. The CSP below is the real XSS defence.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com"

    # Hide server version:
    Header always unset X-Powered-By
    # Note: Apache writes the Server header after mod_headers has run, so "unset Server"
    # has no effect. Set "ServerTokens Prod" and "ServerSignature Off" in the main server
    # config instead; that reduces the header to a plain "Apache" without the version.
    Header always unset Server
</IfModule>

Nginx: All headers (server block)

In the server{} block of the HTTPS configuration:

# Note: add_header is not inherited by a location{} block that sets its own add_header;
# repeat the full list in such a location block, otherwise those responses lose the headers.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
# Legacy header; most current browsers ignore it. The CSP below is the real XSS defence.
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;" always;

# Hide server version:
server_tokens off;
# more_clear_headers requires the headers-more module (ngx_http_headers_more_filter_module),
# which stock nginx does not ship. Without it, server_tokens off still leaves "Server: nginx"
# (version removed).
more_clear_headers Server;
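Copying the snippets is only half the job; the headers also have to reach the client unchanged, and a single location{} block or a reverse proxy can silently drop them. The following Python checker is an added example and is not part of this guide or of Apache/Nginx: it parses the head of an HTTP response, compares it against the header set used in both snippets above (the Apache and the Nginx variant produce the same set), and reports missing, weak, or leaking headers. The two sample responses are constructed for the example; the version strings in the unhardened one are placeholders, not real server output.

```python
"""Offline checker for the security-header baseline from the Apache/Nginx snippets.

Added example; the sample responses below are constructed, not captured from a server.
"""
import re

# Headers the guide expects on every HTTPS response (lower-cased for lookup).
REQUIRED = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy",
    "content-security-policy",
)
# Headers the guide removes because they reveal software versions.
LEAKY = ("server", "x-powered-by")
ONE_YEAR = 31536000  # seconds; the max-age the guide uses for HSTS


def parse_raw_headers(raw: str) -> dict:
    """Turn the head of an HTTP response ('Name: value' lines, status line optional)
    into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(policy: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    for name in REQUIRED:
        if name not in headers:
            findings.append(f"missing: {name}")

    hsts = headers.get("strict-transport-security", "")
    if hsts:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append("weak: Strict-Transport-Security max-age is below one year")

    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append(f"invalid: X-Content-Type-Options value {xcto!r}")

    # Browsers treat an unknown X-Frame-Options value as if the header were absent.
    xfo = headers.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"invalid: X-Frame-Options value {xfo!r}")

    csp = headers.get("content-security-policy")
    if csp:
        directives = parse_csp(csp)
        if "default-src" not in directives:
            findings.append("weak: Content-Security-Policy has no default-src fallback")
        # script-src falls back to default-src when it is not set explicitly.
        script_src = directives.get("script-src", directives.get("default-src", []))
        for risky in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if risky in script_src:
                findings.append(f"weak: Content-Security-Policy allows {risky} for scripts")

    for name in LEAKY:
        if name in headers:
            findings.append(f"leak: {name}: {headers[name]}")
    return findings


# Constructed sample: what the Apache snippet from the guide should produce.
GOOD_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com
"""

# Constructed sample of an unhardened server; the version strings are placeholders.
BAD_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.x (placeholder)
X-Powered-By: PHP/8.x (placeholder)
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
Content-Security-Policy: script-src 'self' 'unsafe-inline'
"""

if __name__ == "__main__":
    for label, raw in (("hardened", GOOD_RESPONSE), ("unhardened", BAD_RESPONSE)):
        print(f"== {label} ==")
        for finding in check_headers(parse_raw_headers(raw)) or ["ok: baseline met"]:
            print(" ", finding)
```

To check a live deployment, feed the output of `curl -sI https://<your-host>/` into `parse_raw_headers`, and repeat the request for a path served by a separate location{} block or by an application backend, since those are the responses that most often lose the headers.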

References & further links

Security Headers Scanner
OWASP Secure Headers Project