Setting headers with an .htaccess file

HTTP headers are part of an HTTP request and response. They define the operating parameters of an HTTP transaction. View the following link for further details.

• List of HTTP header fields

You can use an .htaccess file to adjust or add headers to your HTTP response headers.

View the following article for instructions on how to create an .htaccess file on your web server:

• Creating an .htaccess file on your DreamHost web server

If the file already exists, view the following articles for instructions on how to update it (depending on if you're using an FTP client or SSH):

• Creating and editing a file via FTP
• Creating and editing a file via SSH

If you notice the headers you have added to your .htaccess file are not functioning properly with PHP files, check to see if your site is running in PHP CGI mode.

• How do I change the PHP version of my site?

These directions explain how to view and change the PHP version of your site. When changing the version, you have the options of:

• CGI
• FastCGI

If your site is already using CGI, try setting it to FastCGI instead. This should resolve your header issues for PHP files.

Use either one of the following in an .htaccess file to force the specific content-type header. A charset header specifies the character encoding of the document. This adds the header without having to use a meta tag:

AddDefaultCharset UTF-8   
AddDefaultCharset ISO-8859-1

Use the following in an .htaccess file to specify a language header. This adds the header without having to use a meta tag:

DefaultLanguage en-us

One of the most common headers to add to a page is Cache-Control. This defines the amount of time a file should be cached.

For example, if the Cache-Control header is set to 5 minutes, a browser will download the file and cache it for five minutes. After 5 minutes has expired, the file will have to be retrieved again from the server.

Example

This example allows any visitor to cache the page for 5 minutes.

Header set Cache-Control "max-age=300, public"

Syntax

max-age is set in seconds.

The caching directive is next. It can be 'public', 'private', or 'no-store'. Most often, you want to keep this as 'public' so it applies to all visitors.

View the following link from Google that explains in detail how to use the 'Vary' header for a mobile site:

• The Vary HTTP Header

Content-Security-Policy

The Content-Security-Policy header helps reduce XSS risks. View the following page for further details:

• https://content-security-policy.com/

Strict-Transport-Security (HSTS)

Tells browsers to ONLY interact with the site using HTTPS and never HTTP. View the following pages for further details.

• https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
• https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

You can enable this in your .htaccess file with the following code:

Header add Strict-Transport-Security "max-age=31536000;includeSubDomains;"

You can then test if it's active by running the following curl command:

[server]$ curl -I https://example.com
HTTP/1.1 200 OK
Date: Tue, 05 Jun 2018 20:05:52 GMT
Server: Apache
Last-Modified: Tue, 05 Jun 2018 16:26:52 GMT
ETag: "2f9-56de78493cbc8"
Accept-Ranges: bytes
Content-Length: 761
Strict-Transport-Security: max-age=31415926;includeSubDomains;
Content-Type: text/html

You should see the 'Strict-Transport-Security' header in the response.

hsts preload and Cloudflare

Chrome offers you the option to add your domain to their HSTS preload list.

• https://hstspreload.org

If you have enabled Cloudflare in the DreamHost panel, it forces you to add the 'www' subdomain as shown in this articles.

• How do I add or remove www from my domain?
• How to enable Cloudflare on your domain

Adding the 'www' subdomain in the panel will cause the HSTS preload check to fail with the following message.

`http://example.com` (HTTP) should immediately redirect to `https://example.com`
(HTTPS) before adding the www subdomain. Right now, the first redirect is to 
`http://www.example.com/`. The extra redirect is required to ensure that any 
browser which supports HSTS will record the HSTS entry for the top level domain,
not just the subdomain.

If you wish to use Cloudflare and add your domain to the HSTS preload list, you must purchase a Cloudflare account directly from Cloudflare. This will allow you the option to remove the 'www' subdomain.

Cross Origin Resource Sharing (CORS) allows restricted resources on a website to be requested from another domain outside the domain from which it was originally served. View the following pages for further details.

• https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
• https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

Adding the following to your .htaccess file will enable CORS.

Make sure to specify the 'Content-Type'. View the following two links for examples:

• Access-Control-Allow-Headers
• CORS Tutorial: A Guide to Cross-Origin Resource Sharing

Header add Access-Control-Allow-Origin: "*"
Header add Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"
Header add Access-Control-Allow-Headers: "Content-Type"

You can then test if it's active on a site such as this:

• gf.dev/http-headers-test

You can also use curl to test. Just substitute example.com with your website.

[server]$ curl -H "Origin: http://example.com" \
  -H "Access-Control-Request-Method: POST" \
  -H "Access-Control-Request-Headers: X-Requested-With" \
  -X OPTIONS --verbose \
  https://www.googleapis.com/discovery/v1/apis?fields=

This header helps to protect your visitors against clickjacking attacks. You should add this header on pages that shouldn't be allowed to render a page within a frame.

# X-Frame-Options
<IfModule mod_headers.c>
Header always append X-Frame-Options SAMEORIGIN
</IfModule>

This header helps to protect your visitors against Cross-site Scripting attacks. View the following article for further details:

• developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

# X-XSS-Protection
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>

This header blocks content sniffing that could transform non-executable MIME types into executable MIME types. View the following article for further details:

• developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

This header specifies approved sources of content the browser is allowed to load. The example below tells the browser to only load content originating from the specified website over HTTPS.

If you're going to force the HTTPS rule, make sure you're already added an SSL certificate and are forcing all connections to use it.

• Adding an SSL certificate overview
• How to force your site to redirect to https (SSL)

View the following article for further details:

• developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Header set Content-Security-Policy "default-src https://example.com:443"