.htaccess Free

Apache Security Headers Snippet

A more practical security header baseline for bespoke sites. Includes strict transport guidance, clickjacking protection, content sniffing protection and a commented CSP starter you can tune later.

1 min read 14 lines Intermediate Updated: March 2026

Use case

Response hardening

Best for

PHP websites, service businesses, brochure sites, admin portals

Drop-in level

Test carefully before production

Stack / dependencies

Apache .htaccess mod_headers

Compatibility

Apache hosting Shared hosting with mod_headers enabled

Code snippet

Full version with formatting intact. Use “Copy stripped version” when you want a leaner base.

<IfModule mod_headers.c>
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()"
  Header always set Cross-Origin-Opener-Policy "same-origin"
  Header always set Cross-Origin-Resource-Policy "same-site"

  # Enable only once your site is fully HTTPS and staying HTTPS
  # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  # Starter CSP - tune to your own assets before enabling
  # Header set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;"
</IfModule>

Security notes

Test Content Security Policy carefully on staging before enabling it site-wide.
Only enable HSTS once the entire site is available over HTTPS and will remain that way.
Some older header guides still include outdated or low-value directives, so stay intentional.

Related snippets

View all

PHP Free

PHP Login Rate Limiter (Session Based)

A slightly more production-shaped login limiter that blocks repeated attempts over a lock window, returns consistent responses and gives you a cleaner place to evolve later into database or IP-backed rate limiting.

PHP Free

Secure PHP Contact Form Handler

A more real-world contact form endpoint for bespoke PHP builds. Includes request method enforcement, CSRF validation, anti-bot checks, sane input validation, response helpers and a clean place to wire PHPMailer or your preferred provider.

PHP Free

PDO Bootstrap (db.php pattern)

A stronger db bootstrap for bespoke PHP apps. Uses static reuse, utf8mb4, disabled emulated prepares, clear exception handling and small helper structure that fits shared hosting as well as more advanced setups.

← Back to all snippets

Stack / dependencies

Compatibility

Code snippet

Security notes

Tags

Related snippets

PHP Login Rate Limiter (Session Based)

Secure PHP Contact Form Handler

PDO Bootstrap (db.php pattern)

Cookie preferences