Vicentini Webdesign Blog

Tips, instructions, workflows, inspiration, news and trends

HTTP security headers for the .htaccess file

I check my customers' websites for technical security as part of GDPR compliance. What is consistently bad across all of these websites is the HTTP headers. SIWECOS* recommends the following settings for the .htaccess file:

#START HTTP Security header

#HTTP Content Types (mod_mime; does not depend on mod_headers)
AddCharset UTF-8 .html

# The Header directives below need mod_headers; without the IfModule guard
# Apache answers with a 500 error if the module is not loaded.
<IfModule mod_headers.c>

#Content-Security-Policy (CSP) header
# Load content only from sources that are explicitly allowed.
# Example: allow everything from your own domain, nothing external.
# default-src 'none' is the fallback for every fetch directive not listed
# here, so anything not named (for example connect-src or media-src) is blocked.
Header set Content-Security-Policy "default-src 'none'; frame-src 'self'; font-src 'self'; img-src 'self'; object-src 'self'; script-src 'self'; style-src 'self'"

#Public-Key-Pins
# Replace the two placeholders with the base64 SPKI hashes of your primary
# and backup keys. Caveat: HPKP is obsolete and current browsers ignore it;
# a wrong pin locks visitors out of the site for max-age seconds.
Header set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains"

#Strict-Transport-Security
# max-age is in seconds. 336000 is under four days; at least 31536000
# (one year) is the usual recommendation and is required for HSTS preload.
Header set Strict-Transport-Security "max-age=336000; includeSubDomains"

#X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"

#X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"

#X-XSS-Protection
# Kept as in the SIWECOS template; the browser XSS filter this header
# controls has been removed from current browsers, and CSP replaces it.
Header always set X-XSS-Protection "1; mode=block"

#Referrer-Policy
Header set Referrer-Policy "strict-origin"

</IfModule>

#END HTTP Security header

Watch out for the first block (the CSP header)! With default-src 'none' and only 'self' as a source, the browser blocks every script, stylesheet, font, image or frame that does not come from your own domain, and inline scripts and styles as well, so you have to adjust it or take it out, otherwise your website will no longer work. A safe way to tune it is to deploy the policy as Content-Security-Policy-Report-Only first and read the violations off the browser console before switching to the enforcing header. Under this link, you can generate your CSP header:

It is best to adjust this template and re-test the site at SIWECOS until it fits.
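Since the post is about checking customers' sites for exactly these headers, here is an added example of such a check, written for this page and not taken from the blog or from SIWECOS. It takes the response headers of one page as a dictionary, parses the CSP and HSTS values, and reports which of the recommended headers are missing or weak. The sample header set is constructed for the demo (a site that only half-applied the template), and the one-year HSTS threshold is an assumption chosen for the check.

```python
"""Offline audit of HTTP security response headers (added example)."""
import re

# Constructed sample: a site that applied only part of the template.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=336000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Public-Key-Pins": 'pin-sha256="AAAA="; pin-sha256="BBBB="; max-age=5184000',
}

# Assumption: one year, the value HSTS preload lists require.
MIN_HSTS_MAX_AGE = 31536000


def parse_csp(policy):
    """Parse a CSP string into {directive: [sources]}; directive names are case-insensitive."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def hsts_max_age(value):
    """Return the max-age of an HSTS header as an int, or None if absent."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def audit_headers(headers):
    """Return a list of (severity, message) findings for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("high", "Content-Security-Policy missing"))
    else:
        directives = parse_csp(csp)
        if "default-src" not in directives:
            findings.append(("medium", "CSP has no default-src fallback"))
        for name, sources in directives.items():
            if "'unsafe-inline'" in sources or "*" in sources:
                findings.append(("medium", f"CSP {name} allows {' '.join(sources)}"))

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security missing"))
    else:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append(("medium", f"HSTS max-age {age} is below {MIN_HSTS_MAX_AGE}"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options is not 'nosniff'"))

    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("medium", "X-Frame-Options missing or not DENY/SAMEORIGIN"))

    if "referrer-policy" not in h:
        findings.append(("low", "Referrer-Policy missing"))

    # Obsolete headers: report them so the reader knows they add nothing today.
    if "public-key-pins" in h:
        findings.append(("info", "Public-Key-Pins (HPKP) is obsolete; browsers ignore it and a wrong pin can lock users out"))
    if h.get("x-xss-protection", "").strip().startswith("1"):
        findings.append(("info", "X-XSS-Protection filter was removed from current browsers; use CSP instead"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_headers(SAMPLE_HEADERS):
        print(f"[{severity}] {message}")
```

To run it against a live site, pass the `headers` attribute of a `requests` response (a case-insensitive mapping) to `audit_headers`; the checks lower-case header names themselves, so the source of the dictionary does not matter.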

* SIWECOS is a free website monitoring service and is highly recommended. For more information, visit
