HTTP security headers are your first line of defence against a wide range of digital threats. They instruct browsers on how to behave, preventing common attacks such as clickjacking, cross-site scripting (XSS) and man-in-the-middle attacks. While server-level configuration offers robust control, for many website owners on shared hosting, editing the .htaccess file provides an excellent solution.
Check Your Current Headers
Most websites are missing critical security headers. Use our free tool to see where you stand:
SME Cyber Solutions Header Checker →
Why .htaccess is Your Security Ally
The .htaccess file is a simple text file sitting in your website's root directory. It allows you to set security headers without needing root access to the server. For those using shared hosting, this is an essential tool for hardening defences quickly and with minimal fuss. Add the following block to your .htaccess file to set a baseline of headers:
# Wrapping the directives in IfModule avoids a 500 error on hosts where mod_headers is not loaded.
<IfModule mod_headers.c>
    # HSTS for one year, covering subdomains; only keep "preload" if you intend to submit the domain to the preload list, as it is hard to undo.
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    # Clickjacking: allow framing only by pages from this same origin.
    Header set X-Frame-Options "SAMEORIGIN"
    # Stop the browser guessing a content type different from the declared one.
    Header set X-Content-Type-Options "nosniff"
    # Legacy header: current browsers no longer implement the filter it controls.
    Header set X-XSS-Protection "1; mode=block"
    # Full referrer only to your own origin; origin only when cross-site; nothing on an HTTPS-to-HTTP downgrade.
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    # Deny browser features the site does not use.
    Header set Permissions-Policy "geolocation=(), microphone=()"
</IfModule>
Breaking it Down
- Strict-Transport-Security (HSTS): Forces browsers to use HTTPS, preventing protocol downgrade attacks.
- X-Frame-Options: Prevents clickjacking by controlling whether your site can be embedded in an iframe.
- X-Content-Type-Options: Prevents MIME sniffing, so the browser cannot override the declared content type of a response.
- X-XSS-Protection: Enables the browser's built-in XSS filter (in browsers that still have one).
- Referrer-Policy: Controls how much referrer information is shared with other sites.
- Permissions-Policy: Restricts unauthorised browser API usage like camera or microphone access.
The Bigger Picture
While .htaccess is convenient, server-level configuration (in httpd.conf or nginx.conf) offers better performance: the server processes those rules only once at startup, whereas .htaccess files are read on every request. However, if you lack administrator access, .htaccess remains the most practical and effective way to secure your site.
Important Considerations:
Always run a backup before changing configurations. You might also consider adding a Content-Security-Policy (CSP), though this requires careful testing as it can block external resources like CDNs or analytics.
# Test first by sending the same value as Content-Security-Policy-Report-Only, which reports violations without blocking anything.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self';"
Hardened Your Site?
Once you have updated your file, run our checker again to confirm your new security status.
Verify Your Updated Headers
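As an added example (not the SME Cyber Solutions checker, nor code from this article), a small Python script that audits a set of response headers against the headers described above, reporting each as ok, weak or missing. The sample header dictionary is constructed to match the .htaccess block shown earlier; passing a URL on the command line audits a live site instead.

```python
import re
import sys
import urllib.request

# Referrer-Policy values that never leak the full URL to other origins.
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "origin",
                 "origin-when-cross-origin", "strict-origin-when-cross-origin"}

def hsts_ok(value):
    """HSTS counts as strong only with a max-age of at least one year (31536000 s)."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 31536000

CHECKS = {  # lower-case header name -> predicate that is True when the value is acceptable
    "strict-transport-security": hsts_ok,
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-xss-protection": lambda v: v.replace(" ", "") in {"0", "1;mode=block"},
    "referrer-policy": lambda v: v.strip().lower() in SAFE_REFERRER,
    "permissions-policy": lambda v: "=" in v,          # at least one feature restricted
    "content-security-policy": lambda v: "default-src" in v.lower(),
}

def audit(headers):
    """Map each checked header to 'ok', 'weak' (poor value) or 'missing'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {name: "missing" if name not in lowered
            else "ok" if check(lowered[name]) else "weak"
            for name, check in CHECKS.items()}

def fetch_headers(url):
    """Response headers of a live site (needs network; GET, since some hosts reject HEAD)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())

# Constructed sample: what the article's .htaccess block sends (no CSP yet).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=()",
}

if __name__ == "__main__":
    # Pass a URL to audit a live site; otherwise the constructed sample is audited.
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for name, status in audit(headers).items():
        print(f"{status:8} {name}")
```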