Home > Net >  How To Add X-XSS-Protection and X-Frame-Option to Response Header in PHP using .htaccess
How To Add X-XSS-Protection and X-Frame-Option to Response Header in PHP using .htaccess

Time:03-29

I want to add more security to my website by adding anti cross site scripting (XSS) security measures.

I am trying to set the headers in my .htaccess file to include the required headers to protect against XSS and clickjacking.

But when I add the headers they are not reflected in my website when I check the network tab in my website.

I also tried adding the headers to my header.php file that I have included in all of my .php files in my website, yet the headers are sent not being sent or shown in the network tab.

Here is my code:

.htaccess file:

RewriteEngine  on
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-] $
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule !.*\.php$ %{REQUEST_FILENAME}.php [QSA,L]


RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-] $
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{SERVER_PORT} 80

    


RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
Options -Indexes
    Header set X-XSS-Protection "1; mode=block"
    Header append X-Frame-Options: "SAMEORIGIN"
    Header set X-Content-Type-Options nosniff
    
# BEGIN cPanel-generated php ini directives, do not edit
# Manual editing of this file may result in unexpected behavior.
# To make changes to this file, use the cPanel MultiPHP INI Editor (Home >> Software >> MultiPHP INI Editor)
# For more information, read our documentation (https://go.cpanel.net/EA4ModifyINI)
<IfModule php7_module>
   php_flag display_errors Off
   php_value max_execution_time 60
   php_value max_input_time 60
   php_value max_input_vars 1000
   php_value memory_limit 256M
   php_value post_max_size 32M
   php_value session.gc_maxlifetime 1440
   php_value session.save_path "/var/cpanel/php/sessions/ea-php70"
   php_value upload_max_filesize 64M
   php_flag zlib.output_compression Off
</IfModule>
<IfModule lsapi_module>
   php_flag display_errors Off
   php_value max_execution_time 60
   php_value max_input_time 60
   php_value max_input_vars 1000
   php_value memory_limit 256M
   php_value post_max_size 32M
   php_value session.gc_maxlifetime 1440
   php_value session.save_path "/var/cpanel/php/sessions/ea-php70"
   php_value upload_max_filesize 64M
   php_flag zlib.output_compression Off
</IfModule>
# END cPanel-generated php ini directives, do not edit

### If mod_rewrite is true...
<IfModule mod_rewrite.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
### Prevent Apache from showing its server signature...
ServerSignature off
### Prevent phpinfo from showing details...
RewriteCond %{QUERY_STRING} =PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC] 
RewriteRule .* - [F]

</IfModule>

# X-XSS-Protection
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
</IfModule>

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php70” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php70 .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit

header.php file:

<?php
 // I included these headers at the top of my header.php file that is included everywhere in my website files.
 header("X-XSS-Protection: 1; mode=block");
 header("X-Frame-Options: SAMEORIGIN");
?>

CodePudding user response:

I found the issue to be that headers are already being sent error, and the fix for that was to remove the white space before the opening of the php tag in the beginning of my file.

previous code causing the error:

 <?php
   //my code
 ?>

removing the whitespace solved the issue:

<?php
       //my code
     ?>
  • Related