Thursday, March 4, 2021

Static website security

There are basically two options: you can set the headers in .htaccess, but that needs mod_headers support. If your hosting doesn't offer that, you have to serve the static page through a PHP script that sends the headers itself.

I used a customized version of Neil White's .htaccess file:

  # X-Frame-Options to prevent clickjacking
  # ("set" replaces a header the server already sends; "append" would produce
  # a duplicated value such as "SAMEORIGIN, SAMEORIGIN", which browsers reject)
  Header always set X-Frame-Options SAMEORIGIN

  # Apply a CSP to all HTML and PHP files
  # ('self' added to style-src: style-src replaces default-src for stylesheets,
  # so without it the site's own .css files would be blocked)
  <FilesMatch "\.(html|php)$">
    Header set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'"
  </FilesMatch>

  # Block pages from loading when they detect reflected XSS attacks
  Header always set X-XSS-Protection "1; mode=block"

  # Prevent browsers from incorrectly detecting non-scripts as scripts
  # (header name and value are separate arguments, without a colon)
  Header always set X-Content-Type-Options "nosniff"

  # Only connect to this site via HTTPS; max-age is in seconds,
  # 86400 is one day, 63072000 would be the two years usually recommended
  Header always set Strict-Transport-Security "max-age=86400"

You may need to fiddle with it a bit; my web hosting was already sending the STS header, so I didn't use that one.
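Whichever of the two options you use, the thing to verify is what the browser actually receives. The script below is an added example, not code from this post or from Neil White's .htaccess file: it takes a dictionary of response headers (for instance copied from the browser's network panel) and reports which of the hardening headers from the .htaccess are missing or weak. GOOD_HEADERS and WEAK_HEADERS are constructed for the example; WEAK_HEADERS uses the values as they appear in the .htaccess above.

```python
"""Audit HTTP response headers for the hardening headers the .htaccess is
meant to produce. Added example; the header sets below are constructed."""
from __future__ import annotations

TWO_YEARS = 63072000  # seconds; the HSTS lifetime usually recommended


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def parse_hsts_max_age(value: str) -> int | None:
    """Return the max-age of a Strict-Transport-Security value, or None if absent."""
    for token in value.split(";"):
        name, _, num = token.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return one finding per missing or weak header; an empty list means all checks passed.
    X-XSS-Protection is deliberately not checked: current browsers no longer honour it."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: list[str] = []

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff' (MIME sniffing)")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        d = parse_csp(csp)
        # script-src falls back to default-src when it is not given explicitly
        script_src = d.get("script-src", d.get("default-src", []))
        if not script_src or "*" in script_src or "'unsafe-inline'" in script_src:
            findings.append("Content-Security-Policy allows inline or wildcard scripts")
        if d.get("object-src") != ["'none'"]:
            findings.append("Content-Security-Policy should set object-src 'none'")

    hsts = h.get("strict-transport-security")
    max_age = parse_hsts_max_age(hsts) if hsts is not None else None
    if max_age is None:
        findings.append("Strict-Transport-Security missing or without max-age")
    elif max_age < TWO_YEARS:
        findings.append(f"Strict-Transport-Security max-age={max_age} is shorter than two years")

    return findings


# Constructed sample: what a correctly configured host should send.
GOOD_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
}

# Constructed sample: the values from the .htaccess as printed in the post
# (the mis-spelled X-Content-Type-Options directive never reaches the client).
WEAK_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; style-src 'unsafe-inline'; object-src 'none'",
    "Strict-Transport-Security": "max-age=86400",
}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, audit_headers(hdrs) or "all checks passed")
```

Run it against the headers your own host returns; the "weak" set reports the two problems in the printed .htaccess (no nosniff header, one-day HSTS) and nothing else.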

Friday, June 14, 2019

CORS and CSP

In recent years browser vendors have added additional security checks for third-party content, configured through HTTP headers or META tags.

CORS (Cross-Origin Resource Sharing) is how a server tells the browser that a page from a different origin may read its response. Because the check is enforced by the browser, it can be bypassed with a CORS proxy that fetches the resource server-side.
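Seen from the server side, the decision CORS asks you to make is which origins may read a response. The function below is an added example, not code from this post: it computes the CORS headers for a request from an explicit origin allow-list, handles the preflight case, and returns nothing for unknown origins so the browser blocks the read. ALLOWED_ORIGINS and the request headers are constructed for the example.

```python
"""Server-side CORS decision from an explicit origin allow-list.
Added example; ALLOWED_ORIGINS and the sample requests are constructed."""
from __future__ import annotations

ALLOWED_ORIGINS = frozenset({"https://app.example", "https://admin.example"})
ALLOWED_METHODS = "GET, POST, PUT"
ALLOWED_REQUEST_HEADERS = "Content-Type, Authorization"


def cors_response_headers(request_headers: dict[str, str],
                          allowed_origins: frozenset[str] = ALLOWED_ORIGINS,
                          allow_credentials: bool = True) -> dict[str, str]:
    """Return the CORS headers to add to the response, or {} to deny the read.

    The browser lets a cross-origin page read the response only when
    Access-Control-Allow-Origin matches that page's exact origin. Origins are
    compared as whole strings (scheme, host, port): a prefix or substring match
    would also accept any origin whose name merely starts with app.example.
    An origin not on the list gets no CORS headers, and the browser blocks it.
    """
    origin = request_headers.get("Origin")
    if origin is None or origin not in allowed_origins:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        # The answer depends on Origin, so shared caches must key on it.
        "Vary": "Origin",
    }
    if allow_credentials:
        # Browsers reject "*" together with credentials, so the exact origin is echoed.
        headers["Access-Control-Allow-Credentials"] = "true"
    if "Access-Control-Request-Method" in request_headers:
        # Preflight (OPTIONS) sent before non-simple requests such as PUT or JSON bodies.
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        headers["Access-Control-Allow-Headers"] = ALLOWED_REQUEST_HEADERS
        headers["Access-Control-Max-Age"] = "600"
    return headers


if __name__ == "__main__":
    # Constructed requests: one allowed origin, one look-alike, one preflight.
    for req in ({"Origin": "https://app.example"},
                {"Origin": "https://app.example.net"},
                {"Origin": "https://admin.example", "Access-Control-Request-Method": "PUT"}):
        print(req.get("Origin"), "->", cors_response_headers(req) or "no CORS headers")
```

The allow-list only matters for responses that depend on the caller's cookies or session: a CORS proxy fetches without the user's credentials, so anything it can obtain was readable by any anonymous client anyway. What CORS prevents is a page on another origin reading data the browser would attach the user's credentials to, and reflecting an arbitrary Origin header with credentials allowed gives exactly that away.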

CSP (Content Security Policy) battles XSS (cross-site scripting) and packet-sniffing attacks, and exists in three levels. Level 1 requires you to specify an allow-list of permitted sources in the Content-Security-Policy header, which in practice often led to allowing everything for convenience. Level 2 introduced nonces, and Level 3 is the best, but not yet widely supported.
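To make the three levels concrete, the following is an added example, not code from this post: it builds one header value per level, renders a page whose legitimate script carries the response nonce, and counts which script elements a nonce policy would let run. The script hosts in the Level 1 allow-list and the page template are constructed; scripts_allowed() models the browser's nonce comparison for the example and is not a CSP engine.

```python
"""The three CSP levels as header values, plus a model of the nonce check.
Added example; hosts and page template are constructed."""
from __future__ import annotations

import base64
import html
import re
import secrets


def new_nonce() -> str:
    """One fresh, unguessable nonce per response: 128 bits from the OS CSPRNG, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def csp_level1(script_hosts: list[str]) -> str:
    """Level 1: an allow-list of script hosts. It grows with every widget and CDN,
    and one listed host that also serves JSONP endpoints or a JS framework undoes it."""
    return ("default-src 'self'; script-src 'self' " + " ".join(script_hosts)
            + "; object-src 'none'")


def csp_level2(nonce: str) -> str:
    """Level 2: only <script> elements carrying this response's nonce run.
    Markup injected through XSS cannot know the nonce, so it stays inert."""
    return (f"default-src 'self'; script-src 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'")


def csp_level3(nonce: str) -> str:
    """Level 3: 'strict-dynamic' lets nonced scripts load further scripts
    without a host list. 'self' and https: are fallbacks that browsers
    understanding 'strict-dynamic' ignore and older browsers apply."""
    return (f"default-src 'self'; script-src 'nonce-{nonce}' 'strict-dynamic' 'self' https:; "
            "object-src 'none'; base-uri 'none'")


def render_page(nonce: str, comment: str, escape: bool = True) -> str:
    """Render a page with one legitimate nonced script and a user-supplied comment.
    escape=False models a template that forgot to encode the comment."""
    body = html.escape(comment) if escape else comment
    return (f'<html><body><p class="comment">{body}</p>\n'
            f'<script nonce="{nonce}">console.log("app loaded");</script>\n'
            "</body></html>")


_SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_NONCE_ATTR = re.compile(r'\bnonce="([^"]*)"')


def scripts_allowed(document: str, nonce: str) -> tuple[int, int]:
    """Count (allowed, blocked) <script> elements under a nonce policy:
    a script runs only when its nonce attribute equals the response nonce."""
    allowed = blocked = 0
    for match in _SCRIPT_TAG.finditer(document):
        attr = _NONCE_ATTR.search(match.group(1))
        if attr is not None and attr.group(1) == nonce:
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


if __name__ == "__main__":
    nonce = new_nonce()
    print("Level 1:", csp_level1(["https://cdn.example"]))  # constructed host
    print("Level 2:", csp_level2(nonce))
    print("Level 3:", csp_level3(nonce))
    injected = render_page(nonce, "<script>/* injected */</script>", escape=False)
    print("allowed/blocked with missing escaping:", scripts_allowed(injected, nonce))
```

The nonce only helps if it is generated per response and never reused: a static value in the header makes Level 2 equivalent to 'unsafe-inline'. Serving a static site through a PHP script, as the earlier post suggests, is the point where a fresh nonce can be generated and written into both the header and the page.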