Another measure you can adopt to bolster the security of your website is HTTP security headers. These headers are sent by your web server (and therefore configured there, for example in Apache's .htaccess) and tell browsers how they should handle your site's content. Many HTTP security headers exist; the following are typically the most significant:
X-Frame-Options (clickjacking protection: tells the browser whether your pages may be embedded in a frame or iframe on another site)
X-XSS-Protection (enables the built-in cross-site scripting (XSS) filter of older browsers; the header is deprecated and ignored by current Chrome, Edge and Firefox, so treat it as legacy hardening and rely on Content-Security-Policy for real XSS defence)
X-Content-Type-Options (with the value nosniff, stops the browser from MIME-sniffing a response away from its declared Content-Type; originally an Internet Explorer and Google Chrome feature, now honoured by all major browsers)
Strict-Transport-Security (HSTS: tells a browser that has seen the header to reach your site only over HTTPS for the given max-age, so later connections cannot be downgraded to plain HTTP)
Content-Security-Policy (defines which sources the browser may load scripts, styles, images and other content from)
If you're interested in delving deeper into HTTP security headers, KeyCDN has a comprehensive post that provides further insights.
You can inspect the headers your website currently sends by opening Chrome DevTools (Network tab) and examining the response headers of the first request to your site, or from a terminal with curl -I https://your-domain. You can also scan your website with this tool: https://securityheaders.com/
Setup
Scan your website's current security headers: go to https://securityheaders.com/ and enter your domain. If you get an A+ grade, the headers are already in place and you can stop here. Keep in mind that the grade only rates these response headers, not the rest of your site's security.
If you get an A or lower, keep reading.
Add Axtov's recommended security headers: log in to the Axtov control panel (or to My Axtov, then click 'Login to Control Panel').
Click 'Websites', select your domain, then go to 'File' > 'public_html' and open the .htaccess file. If the file already contains security headers, remove them first to avoid duplicate entries. Then add this code at the top of the file:
Note that "Header set" only applies to successful (2xx) responses; if you also want the headers on error pages such as 404s, use "Header always set" instead.
<IfModule mod_headers.c>
Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set X-Permitted-Cross-Domain-Policies "none"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set Content-Security-Policy "upgrade-insecure-requests"
Header set Referrer-Policy "no-referrer-when-downgrade"
Header set Permissions-Policy "accelerometer=(), autoplay=(self), camera=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(self), fullscreen=(self), geolocation=(self), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), xr-spatial-tracking=()"
Header always unset X-Powered-By
Header unset X-Powered-By
</IfModule>
Re-scan your website at https://securityheaders.com/ by entering your domain again. You should now receive an A+ rating.
Voilà! Your website now sends these security headers. Two caveats on the snippet: the preload directive in Strict-Transport-Security signals that you are willing to have your domain hard-coded as HTTPS-only in browsers' preload lists (submitted at https://hstspreload.org/), which is hard to reverse, so keep it only if every subdomain serves HTTPS; and the Content-Security-Policy value upgrade-insecure-requests only rewrites http:// subresource URLs to https://, it restricts no content sources, so treat it as a starting point rather than a full policy.
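As an added example (not part of the Axtov article or its snippet), here is a small offline checker for the headers listed above. It evaluates a response's headers the way the procedure above expects: clickjacking protection via X-Frame-Options (or the equivalent CSP frame-ancestors directive), nosniff, an HSTS max-age of at least one year, the presence of a CSP, Referrer-Policy and Permissions-Policy, and the removal of X-Powered-By. The function names (audit_headers, missing, fetch_headers) and the BEFORE/AFTER header sets are constructed for this example; fetch_headers needs network access and is defined but not called, so the module runs offline.

```python
"""Offline audit of HTTP security headers (added example, not Axtov's code)."""
import re
import urllib.request


def _parse_hsts(value):
    """Return (max-age in seconds or None, set of other HSTS directives)."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    flags = set()
    for d in directives:
        m = re.match(r"max-age=(\d+)$", d)
        if m:
            max_age = int(m.group(1))
        else:
            flags.add(d)
    return max_age, flags


def audit_headers(headers):
    """Return {header_name: (ok, reason)} for a dict of response headers.

    Header names are matched case-insensitively, as in HTTP.
    """
    h = {k.lower(): v for k, v in headers.items()}
    result = {}

    # Clickjacking: X-Frame-Options or a CSP frame-ancestors directive suffices.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "")
    if xfo in ("DENY", "SAMEORIGIN"):
        result["X-Frame-Options"] = (True, xfo)
    elif "frame-ancestors" in csp:
        result["X-Frame-Options"] = (True, "covered by CSP frame-ancestors")
    else:
        result["X-Frame-Options"] = (False, "missing or not DENY/SAMEORIGIN")

    # MIME sniffing: the only meaningful value is "nosniff".
    xcto = h.get("x-content-type-options", "").strip().lower()
    result["X-Content-Type-Options"] = (xcto == "nosniff", xcto or "missing")

    # HSTS: require at least one year, the minimum the preload list accepts.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        result["Strict-Transport-Security"] = (False, "missing")
    else:
        max_age, flags = _parse_hsts(hsts)
        if max_age is None or max_age < 31536000:
            result["Strict-Transport-Security"] = (False, "max-age below one year")
        else:
            result["Strict-Transport-Security"] = (
                True, "max-age=%d %s" % (max_age, " ".join(sorted(flags))))

    # CSP: upgrade-insecure-requests alone passes but restricts no sources.
    if not csp:
        result["Content-Security-Policy"] = (False, "missing")
    elif csp.strip() == "upgrade-insecure-requests":
        result["Content-Security-Policy"] = (True, "upgrade only; no source restrictions")
    else:
        result["Content-Security-Policy"] = (True, csp)

    # Referrer-Policy and Permissions-Policy: presence check only.
    for name in ("Referrer-Policy", "Permissions-Policy"):
        v = h.get(name.lower())
        result[name] = (v is not None, v or "missing")

    # Information leakage: X-Powered-By should have been unset.
    result["X-Powered-By"] = ("x-powered-by" not in h, h.get("x-powered-by", "absent"))
    return result


def missing(headers):
    """Sorted names of the checks that fail for these headers."""
    return sorted(n for n, (ok, _) in audit_headers(headers).items() if not ok)


def fetch_headers(url):
    """Live helper (assumes network access; not called here): GET url, return headers."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.getheaders())


# Constructed sample: a default PHP site before the .htaccess change ...
BEFORE = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Powered-By": "PHP/8.1.0",
}

# ... and the same site after the snippet from the article is applied.
AFTER = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "upgrade-insecure-requests",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Permissions-Policy": "camera=(), microphone=()",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, "missing:", missing(hdrs))
```

To audit a live site, pass fetch_headers("https://your-domain/") to audit_headers; because the checker reads the headers of one response, run it against a 404 page as well if you used "Header set" rather than "Header always set".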
Explanation of the rules recommended by Axtov
Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"