[.htaccess] Security headers
The security headers to put in the .htaccess file at the root of your website. Some of the rules need to be customized case by case.
The Dareboost analysis tool can help you understand how and why to set all of this up. I discovered a good part of these settings thanks to it.
Language of the code below: Apache
<IfModule mod_headers.c>
# Disable automatic resource type detection (MIME sniffing)
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
Header always set X-Content-Type-Options "nosniff"
# Block all content when an XSS attack is suspected
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
Header always set X-XSS-Protection "1; mode=block"
# Block frame rendering of the website - Prevent "clickjacking" attacks
# SAMEORIGIN value to allow WordPress and plugin updates
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"
# The browser must not talk to the server over plain HTTP once it has had an HTTPS connection - Prevent "man in the middle" attacks
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# Max age = 1 year (31536000 seconds)
# Read this doc before: https://blog.dareboost.com/fr/2017/09/hsts-fiabiliser-connexions-securisees/
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Security policy on the source of resources (CSP) - Prevent XSS attacks
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# This code is to customize. Here, no external resource is allowed; inline scripts and styles ARE allowed
# through 'unsafe-inline', which weakens the XSS protection. Drop it if your site can do without inline code.
# Be careful by using this. Test it carefully!
# "always" so the header is also sent on error responses (4xx/5xx), like the other headers above
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'self'"
</IfModule>
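To check that a deployment actually sends these headers with sane values, here is a small audit script I added to this note; it is not part of the original page or of Dareboost. It parses the Strict-Transport-Security and Content-Security-Policy values the way browsers split them (";"-separated directives, case-insensitive names, empty parts ignored) and flags the usual weaknesses: missing headers, an HSTS max-age under one year or without includeSubDomains, and a CSP whose script-src or style-src allows 'unsafe-inline'. The SAMPLE_HEADERS dict is a constructed copy of what the .htaccess above emits; in practice you would fill it from the response headers of your own site.

```python
"""Audit a set of HTTP response headers against the .htaccess policy above (added example)."""

ONE_YEAR = 31536000  # seconds, the max-age used in the .htaccess


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-None}.

    Directives are ';'-separated, names are case-insensitive and an empty
    part (e.g. from a trailing ';') is ignored, as in RFC 6797.
    """
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip() or None
    return out


def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [source tokens]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers):
    """Return a list of findings for a dict of response headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age") or -1)
        except ValueError:
            max_age = -1
        if max_age < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        p = parse_csp(csp)
        if "default-src" not in p:
            findings.append("CSP has no default-src fallback")
        for directive in ("script-src", "style-src"):
            # a missing directive falls back to default-src, as the CSP spec says
            sources = p.get(directive, p.get("default-src", []))
            if "'unsafe-inline'" in sources:
                findings.append(f"CSP {directive} allows 'unsafe-inline'")
            if "*" in sources:
                findings.append(f"CSP {directive} allows any origin (*)")
    return findings


# Constructed sample: the headers the .htaccess above would send
SAMPLE_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains;",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; "
                               "style-src 'self' 'unsafe-inline'; base-uri 'self';",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("finding:", finding)
```

Run against the sample, the only two findings are the 'unsafe-inline' entries for script-src and style-src, which is exactly the trade-off the comment in the .htaccess warns about. Note that the script does not grade X-XSS-Protection: the header is deprecated and current browsers ignore it, so CSP is what actually carries the XSS protection here.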