Setting headers with an .htaccess file

Creating an .htaccess file on your DreamHost web server

View the following article for instructions on how to create an .htaccess file on your web server:

• Creating an .htaccess file on your DreamHost web server

If the file already exists, view the following articles for instructions on how to update it (depending on if you're using an FTP client or SSH):

• Creating and editing a file using Filezilla
• Creating and editing a file via SSH

What are http headers?

HTTP headers are part of an HTTP request and response. They define the operating parameters of an HTTP transaction. View the following link for further details.

• List of HTTP header fields

You can use an .htaccess file to adjust or add headers to your HTTP response headers.

Adding a content-type=UTF-8 header

Use either one of the following in an .htaccess file to force the specific content-type header. A charset header specifies the character encoding of the document. This adds the header without having to use a meta tag:

AddDefaultCharset UTF-8   
AddDefaultCharset ISO-8859-1

Adding a language header

Use the following in an .htaccess file to specify a language header. This adds the header without having to use a meta tag:

DefaultLanguage en-us

Cache-Control headers

One of the most common headers to add to a page is Cache-Control. This defines the amount of time a file should be cached.

For example, if the Cache-Control header is set to 5 minutes, a browser will download the file and cache it for five minutes. After 5 minutes has expired, the file will have to be retrieved again from the server.

Example

This example allows any visitor to cache the page for 5 minutes.

Header set Cache-Control "max-age=300, public"

Syntax

max-age is set in seconds.

The caching directive is next. It can be 'public', 'private', or 'no-store'. Most often, you want to keep this as 'public' so it applies to all visitors.

Using the 'Vary' HTTP header for mobile sites

View the following link from Google that explains in detail how to use the 'Vary' header for a mobile site:

• The Vary HTTP Header

Security

Content-Security-Policy

The Content-Security-Policy header helps reduce XSS risks. View the following page for further details:

• https://content-security-policy.com/

Strict-Transport-Security

Tells browsers to ONLY interact with the site using HTTPS and never HTTP. View the following pages for further details.

• https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
• https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

Enabling CORS

Cross Origin Resource Sharing (CORS) allows restricted resources on a website to be requested from another domain outside the domain from which it was originally served. View the following pages for further details.

• https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
• https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

See also

• .htaccess overview
• What can I do with an .htaccess file?