Replicating Managed Transform HTTP Headers for :grey: Records on Apache

I’m using Managed Transforms > HTTP response headers.

But I have DNS records that are :grey: for certain purposes. I want to replicate these headers for them on my origin. I’m on the Apache server. I know my question may not be strictly related to Cloudflare but there is probably someone here who has done this before. These are the headers I was able to form:

Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options SAMEORIGIN
Header set Referrer-Policy same-origin
  1. Apache creates 2 VirtualHosts for each domain, one with port 80 and the other with port 443. I want to know if any of these headers are forbidden in either the port 80 or the port 443 vhost. In other words, can and should I put them in both?
  2. Some people suggest adding the always condition to headers.
  3. Instead of using set, append can be used for some of the headers, like X-Frame-Options SAMEORIGIN.
  4. Is my syntax correct for the listed headers?

I need clarification on each of these things. I conducted a thorough search online without finding a good conversation on this topic.


I would recommend using a site like server overflow for questions related to Apache.
From memory,

Should do it for both 80/443, (hopefully your 80 is a redirect to 443).

Should include the always.

append can cause issues if your application is sending the header. If it is, then you shouldn’t set the header in Apache.

Depends on what you are trying to achieve. If you are asking if the syntax is valid, then you can always add it and test the config before restarting apache.

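Putting the reply's points together, here is one way to lay out the two VirtualHosts the original post describes. This is an added example, not configuration from the thread or from Cloudflare; `example.com` and the certificate paths are placeholders, and it assumes mod_headers, mod_ssl and mod_alias (for `Redirect`) are loaded. The behaviour it relies on is documented mod_headers behaviour: without `always`, a `Header` directive only touches 2xx responses, so a locally generated redirect or error page would go out without the headers.

```apacheconf
# Added example (not from the original thread). Hostnames and certificate
# paths are placeholders. Apache does not allow comments on the same line
# as a directive, so every comment sits on its own line.

# Port 80: only redirect to HTTPS. Browsers ignore Strict-Transport-Security
# received over plain HTTP (RFC 6797, section 8.1), so sending the security
# headers here adds nothing; the redirect is what moves the client to 443,
# and HSTS on the 443 vhost is what stops later plaintext requests.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # placeholder paths
    SSLCertificateFile    /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem

    # "always" puts the header in the table mod_headers applies to every
    # response, including locally generated redirects and error pages.
    # Only keep "preload" if the domain really is submitted to the preload
    # list; with includeSubDomains it commits every subdomain to HTTPS.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "same-origin"
    # Listed by the poster; current Chromium and Firefox no longer act on it,
    # so it is harmless but provides no protection in modern browsers.
    Header always set X-XSS-Protection "1; mode=block"

    # "set" replaces any same-named header the backend emits, so the client
    # sees exactly one value. "append" would merge the two into a single
    # comma-separated value such as "DENY, SAMEORIGIN". If the application
    # already sends its own X-Frame-Options, remove the directive here rather
    # than appending to it.
</VirtualHost>

# Check syntax before reloading:
#   apachectl configtest
# Confirm what a client actually receives (headers are case-insensitive):
#   curl -sI https://example.com/ | grep -i -E '^(strict-transport-security|x-frame-options|x-content-type-options|referrer-policy)'
```

Running `curl -sI http://example.com/` against the port 80 vhost should show only the 301 and its `Location`; the five security headers should appear once each on the HTTPS response, with no comma-joined duplicates.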

Thank you so much for taking the time! I tried on the Stack network but they always complain about how your question is unrelated to the community you posted to and they rarely answer.

Yes, it is redirected and this is mostly why I asked because I’m not sure if the headers are considered before the redirection occurs. I presume it may not be important for some headers like X-Frame but can be for the HSTS. I don’t know, I’m just guessing.

Didn’t quite catch the message. Should I use set and if it’s causing issues, change it to append?

I’m trying to use some sensible (useful) headers for security reasons. So I compiled the before-mentioned list. Anyone can feel free to add to it or edit it.

Yeah probably don’t need them on the port 80 one then.

Yeah. I would do set first.

This also depends on the application that is behind Apache, but typically these headers shouldn’t interfere.


Header directives are allowed in the .htaccess file and .htaccess affects all ports. This may answer the question of allowing/forbidding placement of headers in certain ports’ VirtualHosts.

What about the HSTS header? Is it considered before the redirection occurs? If it is, you are exposed (for example, MITM attacks) if you don’t use it on both 80 and 443 ports, right?
