Vicentini Webdesign Blog

Tips, instructions, workflows, inspiration, news and trends

HTTP security header for the .htaccess file

I check my customers’ websites for their technical security for GDPR. What is really bad on all the websites are the HTTP headers. SIWECOS* recommends the following settings for the .htaccess file:

#START HTTP Security header
# Requires the Apache module mod_headers for the Header directives below

#Content Security Policy - CSP header
# Load content only from explicitly allowed sources
# Example: allow everything from your own domain, no external sources:
Header set Content-Security-Policy "default-src 'none'; frame-src 'self'; font-src 'self'; img-src 'self'; object-src 'self'; script-src 'self'; style-src 'self';"

#HTTP Content Types
AddCharset UTF-8 .html

#Public Key Pins
# base64+primary== / base64+backup== are placeholders: replace them with the SHA-256 pins of your own certificate keys
# Note: HPKP is deprecated and current browsers no longer enforce it
Header set Public-Key-Pins 'pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains'

#Strict Transport Security
Header set Strict-Transport-Security "max-age=336000; includeSubDomains"

#X Content Type Options
Header always set X-Content-Type-Options "nosniff"

#X Frame Options
Header always set X-Frame-Options "SAMEORIGIN"

#X-XSS Protection
Header always set X-XSS-Protection "1; mode=block"

#Referrer Policy
Header set Referrer-Policy "strict-origin"

#END HTTP Security header

Watch out for the first block (the CSP header)! You have to adjust it or take it out, otherwise your website will no longer work. Under this link, you can generate your CSP header:

It is best to adjust this template at SIWECOS until it fits.

* SIWECOS is a free website monitoring service and highly recommended. For more information, visit

I would appreciate your feedback
