HTTP Security Headers: The Ultimate Server Hardening Guide

Move from "Grade F" to "Grade A+" Security using the Big 6 Headers (HSTS, CSP, Permissions) without breaking your website.

Why Your Server is Likely "Grade F" Secure

If you deploy a standard Nginx or Apache server today, it ships with none of these browser-side protections enabled. While your firewall might be strong, the browser side of the connection is wide open.

Attackers exploit this gap with MIME sniffing, clickjacking and XSS, or by abusing browser APIs such as your users' microphone and camera.

In this guide, we won't just add one header. We will implement the "Big 6" Security Headers to take your iRexta Dedicated Server from a failing grade to an A+ Security Score on tools like SecurityHeaders.com.

The "Big 6" Headers You Must Implement

Before we paste the code, understand what protects you:

  • 1. Strict-Transport-Security (HSTS): Forces browsers to only use HTTPS. It kills "SSL Stripping" attacks on every return visit (and on the first visit too once the domain is on the browser preload list).
  • 2. X-Content-Type-Options: Set to nosniff. Prevents the browser from "guessing" file types.
  • 3. X-Frame-Options: Set to SAMEORIGIN. Prevents Clickjacking.
  • 4. Referrer-Policy: Controls how much of the current URL is sent as the Referer when users follow links, preserving their privacy.
  • 5. Permissions-Policy: (New!) Explicitly disables access to sensitive APIs like Camera, Microphone, and Geolocation unless needed.
  • 6. Content-Security-Policy (CSP): The ultimate shield against XSS attacks.

⚠️ The "Silent Failure" Trap

Many tutorials tell you to enable Content-Security-Policy-Report-Only but forget to tell you where to send the reports. Without a destination, you won't know if your site is breaking!

The iRexta Fix: We include the critical report-uri directive. You should point this to a logging endpoint (or a free service like Report-URI.com) to see exactly what is being blocked before you enforce the rules.
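The logging endpoint that report-uri needs, as an added example that is not part of the original guide: a small Python collector that accepts the JSON violation reports browsers POST, flattens the fields you care about, and tallies which directive is blocking which resource. The listen address and the sample reports are constructed.

```python
import json
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

def parse_csp_report(body):
    """Flatten one violation report (the JSON a browser POSTs to report-uri)."""
    data = json.loads(body)
    r = data.get("csp-report", data)  # report-uri wraps the fields in "csp-report"
    return {
        "document": r.get("document-uri", ""),
        "directive": r.get("effective-directive") or r.get("violated-directive", ""),
        "blocked": r.get("blocked-uri", ""),  # a URL, or "inline", "eval", "data"
        "source": f"{r.get('source-file', '')}:{r.get('line-number', '')}",
    }

def summarize(bodies):
    """Count (directive, blocked-uri) pairs so the noisiest gaps surface first."""
    counts = Counter((p["directive"], p["blocked"])
                     for p in map(parse_csp_report, bodies))
    return counts.most_common()

class CspReportHandler(BaseHTTPRequestHandler):
    """Minimal report-uri endpoint: accept the POST, log it, answer 204."""
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            print(parse_csp_report(body))
        except (ValueError, AttributeError):
            pass  # malformed body: drop it rather than crash the collector
        self.send_response(204)
        self.end_headers()

# Constructed sample reports, shaped like what Chrome and Firefox send.
SAMPLE_REPORTS = [
    b'{"csp-report":{"document-uri":"https://www.example.com/","effective-directive":'
    b'"script-src-elem","blocked-uri":"https://chat-widget.example.net/loader.js",'
    b'"source-file":"https://www.example.com/","line-number":42}}',
    b'{"csp-report":{"document-uri":"https://www.example.com/pricing","effective-directive":'
    b'"script-src-elem","blocked-uri":"https://chat-widget.example.net/loader.js"}}',
    b'{"csp-report":{"document-uri":"https://www.example.com/","effective-directive":'
    b'"img-src","blocked-uri":"https://stats.example.org/pixel.gif"}}',
]

if __name__ == "__main__":
    for (directive, blocked), n in summarize(SAMPLE_REPORTS):
        print(f"{n:3d}  {directive:<16} {blocked}")
    HTTPServer(("127.0.0.1", 8080), CspReportHandler).serve_forever()
```

Point report-uri at this listener (behind TLS) and the tally tells you which hosts to whitelist before you switch to enforcing mode.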

Method 1: Configuration for Nginx

iRexta's high-performance hardware processes these headers in milliseconds. Add this block to your nginx.conf inside the server block:

# 1. HSTS (Force HTTPS for 1 year)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# 2. Anti-Sniffing
add_header X-Content-Type-Options "nosniff" always;
# 3. Anti-Clickjacking
add_header X-Frame-Options "SAMEORIGIN" always;
# 4. Privacy Protection
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# 5. Permissions Policy (Block Camera/Mic/Location)
add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always;
# 6. CSP "Universal Starter Kit" (Report Only Mode)
# Allows self, Google Analytics, jsDelivr and Google Fonts. Sends logs to your report-uri.
add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' https://www.google-analytics.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; report-uri https://your-endpoint.report-uri.com/r/d/csp/enforce;" always;

Note: Replace the report-uri URL with your actual logging endpoint. Nginx only inherits add_header directives into a location block that defines none of its own, so repeat the block in any location that sets its own headers. Test the configuration, then restart Nginx: nginx -t && systemctl restart nginx

Method 2: Configuration for Apache (.htaccess)

If you are using cPanel or a LAMP stack, add this to the top of your .htaccess file:

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    # Universal CSP (Safe for Google Fonts & Analytics)
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; report-uri https://your-endpoint.report-uri.com/r/d/csp/enforce;"
</IfModule>

Method 3: Configuration for Windows IIS

For Windows Dedicated Servers, paste this into your web.config inside <system.webServer>:

<httpProtocol>
  <customHeaders>
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
    <add name="X-Content-Type-Options" value="nosniff" />
    <add name="X-Frame-Options" value="SAMEORIGIN" />
    <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
    <add name="Permissions-Policy" value="geolocation=(), microphone=(), camera=()" />
    <add name="Content-Security-Policy-Report-Only" value="default-src 'self'; script-src 'self' https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; report-uri https://your-endpoint.report-uri.com/r/d/csp/enforce;" />
  </customHeaders>
</httpProtocol>

Step 4: Verify Your "A+" Grade

Now that you have configured the Big 6 headers, it is time to test your score.

  1. Visit SecurityHeaders.com.
  2. Enter your website URL and click Scan.
  3. You should see your score jump from F to A+.

Pro Check (CLI): You can also verify headers directly from your server terminal:
curl -I https://your-domain.com
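An added example (not from the original guide) that does offline what SecurityHeaders.com and curl -I do by hand: it grades a set of response headers against the Big 6 and also tells a Report-Only policy (monitoring only) apart from an enforced Content-Security-Policy. The NGINX_STARTER dict is a constructed sample of what the Nginx block above sends; pass a URL as the first argument to fetch real headers instead.

```python
import re
import sys
from urllib.request import Request, urlopen
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

def directive(policy, name):  # source list of one CSP directive, None if not set
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None

def audit_headers(headers):
    """Grade the Big 6 from a name->value dict (header names in any case)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    hsts = h.get("strict-transport-security")
    age = re.search(r"max-age=(\d+)", hsts or "")
    csp = h.get("content-security-policy")
    if csp is None:  # Report-Only alone only monitors; it blocks nothing
        csp_verdict = "report-only: not enforcing yet" if "content-security-policy-report-only" in h else "missing"
    else:  # script-src falls back to default-src when it is not set
        scripts = directive(csp, "script-src")
        scripts = directive(csp, "default-src") or [] if scripts is None else scripts
        csp_verdict = "weak: script-src allows 'unsafe-inline'" if "'unsafe-inline'" in scripts else "ok"
    return {
        "Strict-Transport-Security": ("missing" if hsts is None else "ok"
            if age and int(age.group(1)) >= 31536000 else "weak: max-age under 1 year"),
        "X-Content-Type-Options": "ok" if h.get("x-content-type-options", "").lower() == "nosniff" else "missing",
        "X-Frame-Options": "ok" if h.get("x-frame-options", "").upper() in {"DENY", "SAMEORIGIN"} else "missing",
        "Referrer-Policy": "ok" if h.get("referrer-policy", "").lower() in SAFE_REFERRER else "missing or leaky",
        "Permissions-Policy": "ok" if "permissions-policy" in h else "missing",
        "Content-Security-Policy": csp_verdict,
    }

def fetch_headers(url):  # the curl -I equivalent: one HEAD request, headers as a dict
    with urlopen(Request(url, method="HEAD")) as resp:
        return dict(resp.headers.items())

NGINX_STARTER = {  # constructed sample: what the Nginx block above sends
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=(), payment=()",
    "Content-Security-Policy-Report-Only": "default-src 'self'; script-src 'self'",
}

if __name__ == "__main__":  # python audit.py https://your-domain.com (else the sample)
    for name, verdict in audit_headers(fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else NGINX_STARTER).items():
        print(f"{name:<28} {verdict}")
```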

Final Step: Enforcing CSP

Once you have run your site in "Report-Only" mode for a week and checked your report-uri logs to ensure no legitimate assets (like new Analytics scripts or Chat widgets) are being blocked:

  • Go back to your config file.
  • Change Content-Security-Policy-Report-Only to just Content-Security-Policy.

Now your shield is fully active. Any unauthorized script injection attempts will be blocked by the browser instantly.

Conclusion

Achieving an A+ Security Grade isn't just about vanity; it's about layering defenses. Even if your application has a vulnerability, these headers can prevent the browser from executing the attack.

At iRexta, we believe security should be standard, not an upgrade. That's why we provide full Root Access on all our Bare Metal Servers, giving you the power to implement these enterprise-grade configurations.

Ready to secure your infrastructure? Deploy an iRexta Dedicated Server today.